02-02-2012, 12:31 PM
Stefan Esser
Suhosin patch disabled by default in Debian php5 builds

Hello Ondřej,

> My personal feeling is that most people see suhosin as "this is about
> security, thus it must be good". This combined with bad PHP security
> history makes everybody feel insecure when suhosin was removed, but
> the real question is if the suhosin is still really helping with PHP
> security or it is just a burden in the general installations now.

considering the fact that you write this email the very same day that a remote code execution vulnerability in PHP is found that is easy to exploit from remote and is greatly mitigated by the use of Suhosin you look pretty stupid. (In case of usage of Suhosin-Extension in default config, it is even completely killed).

Just saying.


Regards,
Stefan Esser


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de
 
02-02-2012, 12:38 PM
Pierre Joye
Suhosin patch disabled by default in Debian php5 builds

Hi Stefan,

On Thu, Feb 2, 2012 at 2:31 PM, Stefan Esser <stefan@nopiracy.de> wrote:
> Hello Ondřej,
>
>> My personal feeling is that most people see suhosin as "this is about
>> security, thus it must be good". This combined with bad PHP security
>> history makes everybody feel insecure when suhosin was removed, but
>> the real question is if the suhosin is still really helping with PHP
>> security or it is just a burden in the general installations now.
>
> considering the fact that you write this email the very same day that a remote code execution vulnerability in PHP is found that is easy to exploit from remote and is greatly mitigated by the use of Suhosin you look pretty stupid. (In case of usage of Suhosin-Extension in default config, it is even completely killed).

Another very important part of Ondrej's email was:

"Please keep the discussion civil and on the technical level"

And at this point, I may suggest you keep such posts to yourself.

About the current flaw affecting 5.3/4, PHP and suhosin had bugs, and
will have bugs. This is not really hot news. That does not affect this
discussion.

I, for one, like the idea to finally see distros dropping Suhosin and
focus on making PHP itself better and safer instead of distracting us
and our users with custom patches or extensions.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org


Archive: http://lists.debian.org/CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com
 
02-02-2012, 12:43 PM
Carlos Alberto Lopez Perez
Suhosin patch disabled by default in Debian php5 builds

On 02/02/12 14:31, Stefan Esser wrote:
> considering the fact that you write this email the very same day that a remote code execution vulnerability in PHP is found that is easy to exploit from remote and is greatly mitigated by the use of Suhosin you look pretty stupid. (In case of usage of Suhosin-Extension in default config, it is even completely killed).
>
> Just saying.
>

I think that your words are out of tone; there is no need to be impolite.


And where is such exploit??? I don't see any CVE

http://www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74



--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carlos Alberto Lopez Perez http://neutrino.es
Igalia - Free Software Engineering http://www.igalia.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
02-02-2012, 01:14 PM
Stefan Esser
Suhosin patch disabled by default in Debian php5 builds

Hello Pierre,

> About the current flaw affecting 5.3/4, PHP and suhosin had bugs, and
> will have bugs. This is not really hot news. That does not affect this
> discussion.

I know that for many years you have not understood the idea behind Suhosin, the concept of exploit mitigations.

The only reason why Suhosin exists is because there will ALWAYS be bugs. And because that is a fact, you must have safeguards in case something goes wrong.
Suhosin/HPHP has provided this safeguard for 8 years to the PHP community.

Ideas like "I haven't seen many bugs lately, so let's drop all the safeguards" are like not paying for your life insurance anymore because you haven't died too often recently.

BTW: You should really really look into the history of PHP security and check for each of the last 8 years how many features were in Suhosin and later merged into PHP because of some nasty security problem.
You will see that at least 2 features of Suhosin per year were merged into PHP.

And there are many, many good reasons why Suhosin must be external to PHP.
The most obvious one is that the code is clearly separated, so that not one of the hundred PHP committers accidentally breaks a safeguard.

Regards,
Stefan Esser

Archive: http://lists.debian.org/46104CB6-A868-41C3-B8E1-F1E0AC06BCAB@nopiracy.de
 
02-02-2012, 01:38 PM
Nico Golde
Suhosin patch disabled by default in Debian php5 builds

* Carlos Alberto Lopez Perez <clopez@igalia.com> [2012-02-02 14:46]:
> On 02/02/12 14:31, Stefan Esser wrote:
> > considering the fact that you write this email the very same day that a
> > remote code execution vulnerability in PHP is found that is easy to
> > exploit from remote and is greatly mitigated by the use of Suhosin you
> > look pretty stupid. (In case of usage of Suhosin-Extension in default
> > config, it is even completely killed).
> >
> > Just saying.
>
> I think that you words are out of tone, there is not need to be unpolite
>
>
> And where is such exploit??? I don't see any CVE
>
> http://www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74

The fact that there is no CVE id, or that you don't know about it, has nothing
to do with something not existing:
http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/

Cheers
Nico
 
02-02-2012, 01:41 PM
Andrea Bolognani
Suhosin patch disabled by default in Debian php5 builds

On Thu, Feb 02, 2012 at 03:14:56PM +0100, Stefan Esser wrote:

> BTW: You should really really look into the history of PHP security and check for each of the last 8 years how many features were in Suhosin and later merged into PHP because of some nasty security problem.
> You will see that at least 2 features of Suhosin per year were merged into PHP.

If that’s the case, then you have nothing to worry about.

As more and more Suhosin features are merged into mainline PHP, Debian's
PHP package will get more and more secure. That's the way it happens for
many other packages; I fail to see why PHP should be treated differently.

--
Andrea Bolognani <eof@kiyuko.org>
Resistance is futile, you will be garbage collected.
 
02-02-2012, 01:49 PM
Holger Levsen
Suhosin patch disabled by default in Debian php5 builds

On Donnerstag, 2. Februar 2012, Nico Golde wrote:
> http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/

Oh my...

sigh.



thanks Stefan, thanks Nico.


Archive: http://lists.debian.org/201202021549.45633.holger@layer-acht.org
 
02-02-2012, 01:59 PM
Stefan Esser
Suhosin patch disabled by default in Debian php5 builds

Ohh btw…

> I have walked the bug list for 5.3 mentioning suhosin[2] to actually
> at least partially support what I have just said. I have found few
> bugs where suhosin was causing a problems ([3],[4]) and a handful of
> bugs with "have suhosin, cannot help". I know this isn't (and can't
> be) a definitive list, but it just show that
>
> P.S.: Also see stas reply[5] about valgrind.
>
> Links:
> 1. http://www.hardened-php.net/hphp/faq.html#why_is_hardening-patch_not_part_of_php
> 2. https://bugs.php.net/search.php?search_for=suhosin&boolean=0&limit=90&order_by=&direction=DESC&cmd=display&status=All&bug_type=All&project=PHP&php_os=&phpver=5.3&cve_id=&assign=&author_email=&bug_age=0&bug_updated=0
> 3. https://bugs.php.net/bug.php?id=60216
> 4. https://bugs.php.net/bug.php?id=60935
> 5. http://www.suspekt.org/2008/10/12/suhosin-canary-mismatch-on-efree-heap-overflow-detected/

1) You understand that Hardening-Patch is not Suhosin-Patch, don't you?

2) Maybe you should also search for: Have Debian, then use a clean PHP not a broken Debian build

Bug 3 -> is not a bug in Suhosin; it is the fact that the suhosin.executor.max_depth setting was not set correctly. Reading the documentation helps: http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.max_depth

Bug 4 -> the guy is actually writing inside the bug report that the problem occurs with and without Suhosin

5) You can just start PHP with the environment variable SUHOSIN_MM_USE_CANARY_PROTECTION=0 and can use valgrind.


So basically all points you bring up are no issues.

Regards,
Stefan Esser



Archive: http://lists.debian.org/029D6007-0100-4D92-99AE-7D7B1B3653DE@nopiracy.de
 
02-02-2012, 02:49 PM
Pierre Joye
Suhosin patch disabled by default in Debian php5 builds

hi Stefan,

On Thu, Feb 2, 2012 at 3:14 PM, Stefan Esser <stefan@nopiracy.de> wrote:
> Hello Pierre,
>
>> About the current flaw affecting 5.3/4, PHP and suhosin had bugs, and
>> will have bugs. This is not really hot news. That does not affect this
>> discussion.
>
> I know that for many years you have not understood the idea behind Suhosin, the concept of exploit mitigations.

Let me disagree with your way of doing things without telling me that
I do not understand what you do. It is two different concepts. I also
perfectly understand the goals of Suhosin, the technical as well as
the non technical ones. The anonymity of a project is not always
helpful.

> The only reason why Suhosin exists is because there will ALWAYS be bugs.

Indeed, so it is for Suhosin as well.

> BTW: You should really really look into the history of PHP security and check for each of the last 8 years how many features were in Suhosin and later merged into PHP because of some nasty security problem.
> You will see that at least 2 features of Suhosin per year were merged into PHP.

For one, some were not ported but features were implemented, with
the support of their original authors. They are not related to
Suhosin, like the Blowfish support, which I ported to PHP with the
help of Solar Designer. Suhosin uses the same implementation.

> And there are many many good reasons, why Suhosin must be external to PHP.
> The most obvious one is that the code is clearly separated, so that not someone of the hundred PHP commiters accidently breaks a safe guard.

I would be the happiest man on Earth if PHP would have hundred active
PHP contributors. As a matter of fact, we have like 3-4 active weekly,
less than 10 yearly and maybe around 15 for the 'let commit something'
area.

While we discuss the reasons why I do not think Suhosin is
the right way, let's start from the beginning.

I understand why you left the security team and the PHP project years
ago. Back then I was not on the security team, so I won't comment on this
period (and I would have partially agreed with you). However, I have been
part of this team for some years now and I (along with others) have
been pushing drastic changes in the way we work, for releases and
security issues in particular. You are ignoring these changes and
this progress.

For example the Release RFC (https://wiki.php.net/rfc/releaseprocess):

. does not allow new features after x.y.0 final

. enforce quick release when a flaw is discovered
much easier to do as no noise commits will be present

. many other good things

The first two points alone will drastically increase the quality and
safety of our releases. The reason is that the amount of unnecessary
commits will be null, or almost null. That kills the argument about
'hundreds of commit(ter)s breaking PHP'. It also helps to get fixes out
sooner rather than later.

Many features are making their way to PHP as well, on a case by case
basis. We have changed and we have been on the right track for quite some
time already. If you have features that you consider must be
in the core, then let's discuss it, on this list. But so far I have failed to
see other features in Suhosin that we need to implement without having
more cons than pros.

I am also convinced that these new policies will also allow
distributions to update to the latest release of a given branch
instead of having to backport fixes to their tree. And that alone is a
huge step forward.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org


Archive: http://lists.debian.org/CAEZPtU4oqvSmjU=3Oh3iuRtw5MZLaGTPLWFu-KTtq_ScKsu4Vw@mail.gmail.com
 
02-02-2012, 03:06 PM
jpauli
Suhosin patch disabled by default in Debian php5 builds

On Thu, Feb 2, 2012 at 4:49 PM, Pierre Joye <pierre.php@gmail.com> wrote:
> hi Stefan,
>
> On Thu, Feb 2, 2012 at 3:14 PM, Stefan Esser <stefan@nopiracy.de> wrote:
>> Hello Pierre,
>>
>>> About the current flaw affecting 5.3/4, PHP and suhosin had bugs, and
>>> will have bugs. This is not really hot news. That does not affect this
>>> discussion.
>>
>> I know that for many years you have not understood the idea behind Suhosin, the concept of exploit mitigations.
>
> Let me disagree with your way of doing things without telling me that
> I do not understand what you do. It is two different concepts. I also
> perfectly understand the goals of Suhosin, the technical as well as
> the non technical ones. The anonymity of a project is not always
> helpful.
>
>> The only reason why Suhosin exists is because there will ALWAYS be bugs.
>
> Indeed, so it is for Suhosin as well.
>
>> BTW: You should really really look into the history of PHP security and check for each of the last 8 years how many features were in Suhosin and later merged into PHP because of some nasty security problem.
>> You will see that at least 2 features of Suhosin per year were merged into PHP.
>
> For one, some were not ported but features were implemented, with
> the support of their original authors. They are not related to
> Suhosin, like the Blowfish support, which I ported to PHP with the
> help of Solar Designer. Suhosin uses the same implementation.
>
>> And there are many many good reasons, why Suhosin must be external to PHP.
>> The most obvious one is that the code is clearly separated, so that not someone of the hundred PHP commiters accidently breaks a safe guard.
>
> I would be the happiest man on Earth if PHP would have hundred active
> PHP contributors. As a matter of fact, we have like 3-4 active weekly,
> less than 10 yearly and maybe around 15 for the 'let commit something'
> area.
>
> While we discuss the reasons why I do not think Suhosin is
> the right way, let's start from the beginning.
>
> I understand why you left the security team and the PHP project years
> ago. Back then I was not on the security team, so I won't comment on this
> period (and I would have partially agreed with you). However, I have been
> part of this team for some years now and I (along with others) have
> been pushing drastic changes in the way we work, for releases and
> security issues in particular. You are ignoring these changes and
> this progress.
>
> For example the Release RFC (https://wiki.php.net/rfc/releaseprocess):
>
> . does not allow new features after x.y.0 final
>
> . enforce quick release when a flaw is discovered
> much easier to do as no noise commits will be present
>
> . many other good things
>
> The first two points alone will drastically increase the quality and
> safety of our releases. The reason is that the amount of unnecessary
> commits will be null, or almost null. That kills the argument about
> 'hundreds of commit(ter)s breaking PHP'. It also helps to get fixes out
> sooner rather than later.
>
> Many features are making their way to PHP as well, on a case by case
> basis. We have changed and we have been on the right track for quite some
> time already. If you have features that you consider must be
> in the core, then let's discuss it, on this list. But so far I have failed to
> see other features in Suhosin that we need to implement without having
> more cons than pros.
>
> I am also convinced that these new policies will also allow
> distributions to update to the latest release of a given branch
> instead of having to backport fixes to their tree. And that alone is a
> huge step forward.
>
> Cheers,
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org

In fact, I agree that it'd be a good idea to discuss PHP security more widely, why not through specific RFCs, with POCs of each idea/concept, so that people could comment on them and approve/decline the concepts/patches.


Julien.P
 