[MacPorts] #20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
#20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
---------------------------------------+------------------------------------
 Reporter:  Markus.Ueberall@…          |       Owner:  macports-tickets@…
     Type:  enhancement                |      Status:  new
 Priority:  Normal                     |   Milestone:
Component:  ports                      |     Version:  1.7.1
 Keywords:                             |        Port:
---------------------------------------+------------------------------------
 The attached patch for the 'php5' Portfile introduces a new variant which
 will retrieve and apply the suhosin _patch_ ("[which] implements a few
 low-level protections against buffer overflows or format string
 vulnerabilities"), cf. http://www.hardened-php.net/suhosin/

 (Please note that the current solution uses a workaround due to the format
 of the original patch, which would require a '-p1' argument, while all
 other patches use (the default) '-p0'; maybe we should modify all patches
 kept in the macports repository and globally use '-p1'?)

-- 
Ticket URL: <http://trac.macports.org/ticket/20681>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
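For readers who do not have the attachment in front of them, here is a sketch of what such a variant looks like in a MacPorts Portfile. This is an added illustration, not the patch attached to the ticket and not the variant that was eventually committed: the Suhosin patch is fetched as an extra, tagged distfile and applied in a post-patch step with '-p1', so the port's other patches keep the default '-p0'. The download directory, the patch file name and version, and the checksum values are placeholders (assumptions) to be replaced with what is published at http://www.hardened-php.net/suhosin/.

```tcl
# Added illustration of a 'suhosin' variant for the php5 Portfile.
# Not the ticket's attachment. The download directory, the patch file name
# and the checksum values below are placeholders (assumptions).

variant suhosin description {Apply the Suhosin hardening patch to the PHP core} {
    # Placeholder: use the file name published for this PHP version.
    set suhosin_patch   suhosin-patch-${version}-0.9.7.patch.gz

    # Tag the extra download site so that only the tagged distfile below is
    # fetched from it; the PHP tarball keeps coming from the port's own sites.
    # Placeholder directory (assumption); substitute the real download URL.
    master_sites-append http://www.hardened-php.net/suhosin/:suhosin
    distfiles-append    ${suhosin_patch}:suhosin

    # MacPorts refuses to use a distfile whose checksums do not match, so a
    # replaced or tampered download of the hardening patch fails the fetch
    # instead of being applied to the interpreter. Values are placeholders.
    checksums-append    ${suhosin_patch} \
                        md5     00000000000000000000000000000000 \
                        sha1    0000000000000000000000000000000000000000 \
                        rmd160  0000000000000000000000000000000000000000

    # The upstream patch carries a leading directory component and so needs
    # -p1, while the port's own patchfiles are applied with the default -p0.
    # Applying it here, after the regular patch phase, avoids changing
    # patch.pre_args for every patch in the port.
    post-patch {
        system "gzip -dc ${distpath}/${suhosin_patch} | patch -d ${worksrcpath} -p1"
    }
}
```

With this in place the variant is selected at install time with `sudo port install php5 +suhosin`. The alternative the reporter floats, setting `patch.pre_args -p1` for the whole port, would apply to every file in `patchfiles`, which is why the port's existing '-p0' patches would all have to be converted first. Note also that this variant only covers the core patch; the separately packaged extension (php5-suhosin) is a different port, as the thread below points out.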
#20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
---------------------------------------+------------------------------------
 Reporter:  Markus.Ueberall@…          |       Owner:  ryandesign@…
     Type:  enhancement                |      Status:  new
 Priority:  Normal                     |   Milestone:
Component:  ports                      |     Version:  1.7.1
 Keywords:                             |        Port:  php5
---------------------------------------+------------------------------------
Changes (by macsforever2000@…):

  * cc: ryandesign@… (removed)
  * owner: macports-tickets@… => ryandesign@…
  * port:  => php5

-- 
Ticket URL: <http://trac.macports.org/ticket/20681#comment:1>
#20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
---------------------------------------+------------------------------------
 Reporter:  Markus.Ueberall@…          |       Owner:  ryandesign@…
     Type:  enhancement                |      Status:  assigned
 Priority:  Normal                     |   Milestone:
Component:  ports                      |     Version:  1.7.1
 Keywords:                             |        Port:  php5
---------------------------------------+------------------------------------
Changes (by ryandesign@…):

  * owner: ryandesign@… => ryandesign@…
  * status: new => assigned

Comment:

 Replying to [ticket:20681 Markus.Ueberall@…]:
 > The attached patch for the 'php5' Portfile introduces a new variant which
 > will retrieve and apply the suhosin _patch_ ("[which] implements a few
 > low-level protections against buffer overflows or format string
 > vulnerabilities"), cf. http://www.hardened-php.net/suhosin/

 These sound like valuable changes. Can anyone explain why they are (for
 some time now, as I understand it) distributed separately from PHP by
 separate people, and not part of the PHP core source code?

-- 
Ticket URL: <http://trac.macports.org/ticket/20681#comment:2>
#20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
---------------------------------------+------------------------------------
 Reporter:  Markus.Ueberall@…          |       Owner:  ryandesign@…
     Type:  enhancement                |      Status:  assigned
 Priority:  Normal                     |   Milestone:
Component:  ports                      |     Version:  1.7.1
 Keywords:                             |        Port:  php5
---------------------------------------+------------------------------------
Comment (by Markus.Ueberall@…):

 Replying to [comment:2 ryandesign@…]:
 > Can anyone explain why they are (for some time now, as I understand it)
 > distributed separately from PHP by separate people, and not part of the
 > PHP core source code?

 The only reason I found (which is cited, e.g., in a recent short article in
 the German magazine "c't" that deals with PHP security) is that -- according
 to Stefan Esser (the author of Suhosin) -- the combination of patch and
 extension can slow down PHP scripts by as much as 10 percent in extreme
 cases (the patch being the 'computationally more expensive' part). However,
 I didn't see a single thread discussing the patch's adaption upstream, which
 I find a bit surprising (then again, maybe I looked in the wrong places)...
 That said, quite a number of Linux distributions (including Ubuntu, Debian,
 OpenSuse, Mandriva) nowadays include the patch by default.

-- 
Ticket URL: <http://trac.macports.org/ticket/20681#comment:3>
#20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
---------------------------------------+------------------------------------
 Reporter:  Markus.Ueberall@…          |       Owner:  ryandesign@…
     Type:  enhancement                |      Status:  assigned
 Priority:  Normal                     |   Milestone:
Component:  ports                      |     Version:  1.7.1
 Keywords:                             |        Port:  php5
---------------------------------------+------------------------------------
Changes (by snc@…):

  * cc: snc@… (added)

Comment:

 Is this the other half of the suhosin port?
 {{{
 php5-suhosin @0.9.29 (php, security, www)
     Advanced protection extension for PHP
 }}}

-- 
Ticket URL: <http://trac.macports.org/ticket/20681#comment:4>
#20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
---------------------------------------+------------------------------------
 Reporter:  Markus.Ueberall@…          |       Owner:  ryandesign@…
     Type:  enhancement                |      Status:  assigned
 Priority:  Normal                     |   Milestone:
Component:  ports                      |     Version:  1.7.1
 Keywords:                             |        Port:  php5
---------------------------------------+------------------------------------
Comment (by Markus.Ueberall@…):

 Replying to [comment:4 snc@…]:
 > Is this the other half of the suhosin port?

 Well... the extension (php5-suhosin) and the patch (variant suhosin) can be
 used independently; while both can be considered "halves", this doesn't
 mean that you absolutely have to activate the variant once you install the
 port and vice versa (unless your intention really is to get all the
 benefits suhosin has to offer).

-- 
Ticket URL: <http://trac.macports.org/ticket/20681#comment:5>
#20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
---------------------------------------+------------------------------------
 Reporter:  Markus.Ueberall@…          |       Owner:  ryandesign@…
     Type:  enhancement                |      Status:  assigned
 Priority:  Normal                     |   Milestone:
Component:  ports                      |     Version:  1.7.1
 Keywords:                             |        Port:  php5
---------------------------------------+------------------------------------
Comment (by ryandesign@…):

 [attachment:php5-suhosin-ryandesign.diff Attached] is my rewritten version
 of the patch which I would apply to the php5 port, except that it doesn't
 finish building when I use the suhosin variant. It gets as far as building
 the cli sapi and then crashes when trying to generate phar.php.

 {{{
 Generating phar.php
 make: *** [ext/phar/phar.php] Error 138
 }}}

 It appears the cli sapi just crashes on launch no matter what you do.

 {{{
 2009-08-26 05:43:45 -0500
 EXC_BAD_ACCESS (0x0001)
 KERN_PROTECTION_FAILURE (0x0002) at 0x0051a7e0

 Thread 0 Crashed:
 0   zend_llist_init + 489
 1   sapi_activate + 57
 2   php_module_startup + 52
 3   php_cli_startup + 33
 4   main + 639
 5   _start + 216
 6   start + 41
 }}}

 This is on Mac OS X 10.4.11 Intel patching php5 @5.3.0_2. Does it work for
 anyone else?

-- 
Ticket URL: <http://trac.macports.org/ticket/20681#comment:6>
#20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
---------------------------------------+------------------------------------
 Reporter:  Markus.Ueberall@…          |       Owner:  ryandesign@…
     Type:  enhancement                |      Status:  assigned
 Priority:  Normal                     |   Milestone:
Component:  ports                      |     Version:  1.7.1
 Keywords:                             |        Port:  php5
---------------------------------------+------------------------------------
Comment (by snc@…):

 Built for me on Leopard: php5 @5.3.0_2+suhosin+no_web. I'll try again
 without +no_web.

-- 
Ticket URL: <http://trac.macports.org/ticket/20681#comment:7>
#20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
---------------------------------------+------------------------------------
 Reporter:  Markus.Ueberall@…          |       Owner:  ryandesign@…
     Type:  enhancement                |      Status:  assigned
 Priority:  Normal                     |   Milestone:
Component:  ports                      |     Version:  1.7.1
 Keywords:                             |        Port:  php5
---------------------------------------+------------------------------------
Comment (by snc@…):

 … and it builds without +no_web.

-- 
Ticket URL: <http://trac.macports.org/ticket/20681#comment:8>
#20681: php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_
----------------------------------------+-----------------------------------
  Reporter:  Markus.Ueberall@…          |      Owner:  ryandesign@…
      Type:  enhancement                |     Status:  closed
  Priority:  Normal                     |  Milestone:
 Component:  ports                      |    Version:  1.7.1
Resolution:  fixed                      |   Keywords:
      Port:  php5                       |
----------------------------------------+-----------------------------------
Changes (by ryandesign@…):

  * status: assigned => closed
  * resolution:  => fixed

Comment:

 Thanks. I can confirm it works on Leopard (on Intel and PowerPC) but not on
 Tiger (on Intel or PowerPC). I added the variant to php5 in r56403 and
 php5-devel in r56406. I will report the Tiger problem to the developers.

-- 
Ticket URL: <http://trac.macports.org/ticket/20681#comment:9>
#20681: php4, php5, php52, php5-devel: add suhosin variant which adds the suhosin patch
--------------------------------------------+-------------------------------
  Reporter:  Markus.Ueberall@…              |      Owner:  ryandesign@…
      Type:  enhancement                    |     Status:  closed
  Priority:  Normal                         |  Milestone:
 Component:  ports                          |    Version:  1.7.1
Resolution:  fixed                          |   Keywords:
      Port:  php4, php52, php5, php5-devel  |
--------------------------------------------+-------------------------------
Changes (by ryandesign@…):

  * port: php5 => php4, php52, php5, php5-devel

Comment:

 I added the suhosin variant to php52 in r56575 and to php4 in r58839.

-- 
Ticket URL: <http://trac.macports.org/ticket/20681#comment:10>