Hi,
finally it turned out, that suhosin is not at fault here. But the odbc
module is broken (almost beyond repair).
I have attached patch to apply in php5 source which fixes the canary
mismatch, but odbc module doesn't play well with mysql and mysqli
modules, so you'll have to disable them to avo
** Attachment added: "Try this patches version of php5-odbc"
http://launchpadlibrarian.net/30857837/php5-odbc_5.2.6.dfsg.1-3ubuntu4.2_amd64.deb
** Summary changed:
- Unable to remove Suhosin patch
+ [jaunty] php5-odbc module broken
--
[jaunty] php5-odbc module broken
https://bugs.launchpad
** Attachment added: "Patch to update ext/odbc to 5.2.10"
http://launchpadlibrarian.net/30849919/ext-odbc-5.2.6-5.2.10.patch
--
Unable to remove Suhosin patch
https://bugs.launchpad.net/bugs/315507
You received this bug notification because you are a member of Ubuntu
Server Team, which is sub
Jonathan,
I am able to reproduce the bug.
odbc extension is obviously broken as hell :(
If you do only odbc_connect in the script it freezes. I'll look into
possibility of backporting odbc/pdo_odbc from 5.2.10 upstream.
Ondrej
--
Unable to remove Suhosin patch
https://bugs.launchpad.net/bugs/
Hi,
just a note. New suhosin patch for 5.3 will be more customizable:
The following environment variables are supported by now:
SUHOSIN_MM_USE_CANARY_PROTECTION
default: 1
Set to 0 to disable canary protection. A copy of the MM will be used that does
not have canaries. This is nearly the same a
Hi,
I am suffering the same odbc issue as mentioned in #16 (also on amd64), but can
live with it, as this is my private machine.
My real problem (as mentioned in #18) is that while I have set
"suhosin.simulation = on", suhosin not only logs the issue but also
seems to abort it, so the browser off
http://chrisblunt.com/blog/2009/05/01/php-fixing-mismatched-canaries-
how-to-remove-suhosin-from-debianubuntu-packages/
here the guy talks about mssql_query causing the canary mismatch.
--
Unable to remove Suhosin patch
https://bugs.launchpad.net/bugs/315507
You received this bug notification be
Jan, you're absolutely right. Right now we know only about php5-odbc
extension (and it can even be buried somewhere in odbc libraries), but
there seems to be more (according to blogpost in first report there is
something which is triggered by Joomla).
Ondrej
--
Unable to remove Suhosin patch
htt
Ondřej, to clearly pointing out ... you are talking about the php5
package and/or any php5 extention, which causes the Canaries. Suhosin
makes the problem just visible. Please correct me, if I'm wrong.
With kind regards, Jan.
--
Unable to remove Suhosin patch
https://bugs.launchpad.net/bugs/3155
Ok, I've tried to reproduce the problem on Ubuntu 8.04.3 i386 and it
does NOT show up, so it seems to be related to the amd64 architecture as
Ondrej suggested.
let me know if I have to do some more tests.
--
Unable to remove Suhosin patch
https://bugs.launchpad.net/bugs/315507
You received this
Ondrej, sure as soon as I'm done with this vm I'm building I'll try with
i386.
It's not that I don't care, but as we're migrating tons of stuff around
and this migration has to be finished soon, I really need the odbc thing
working asap, so that's why I don't mind the buffer overflow for now, if
I
Diego, could you try it to reproduce under i386 in vm?
Maybe it has something to do with alignment on 64-bit.
Ondrej
P.S.: You should care if odbc (or php) is badly coded, because buffer
overflows can trigger remote attacks on your server leading do DoS or
even intrusion into your system.
--
U
I've reproduced the problem on a 9.04 amd64 fully updated, same
configuration as above.
--
Unable to remove Suhosin patch
https://bugs.launchpad.net/bugs/315507
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.
--
Ubuntu-se
To be honest it wouldn't be a problem for me if the simulation mode
actually worked. I don't really mind if the odbc functions are badly
coded (or whatever). What I do mind is suhosin breaking my scripts
without a way to prevent it which doesn't include recompiling php
without the patch.
But of co
Just for the record: It's not suhosin patch which needs to be removed,
it's the php or php extension which needs fixing, since corrupted canary
means that there is stack/buffer overflow somewhere. See:
http://en.wikipedia.org/wiki/Stackguard#Canaries
--
Unable to remove Suhosin patch
https://bugs
Ok I was able to reproduce the problem on a new VM
Steps:
1) Create fresh vm: done, installed Ubuntu 8.04.2 amd64 as denoted by
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 8.04.3 LTS (it shows .3 because I issued the command
after the update I th
Darn there should be an edit function for comments here...
I forgot to mention an essential thing, the ubuntu release is the AMD64 one.
--
Unable to remove Suhosin patch
https://bugs.launchpad.net/bugs/315507
You received this bug notification because you are a member of Ubuntu
Server Team, which
erhm, of course in my test script in the odbc_exec function I've
specified the connection parameter, I just missed it here in the
comment.
--
Unable to remove Suhosin patch
https://bugs.launchpad.net/bugs/315507
You received this bug notification because you are a member of Ubuntu
Server Team, wh
Jonathan, thanks for taking the time to post an exhaustive reply.
I'm creating a new VM right now to do a complete test as you suggested,
but as that's not going to reproduce our real world situation, I'm going
to post the details of the actual machine where the thing is happening.
Later on I'll
As a further test, I have also installed php5-suhosin,
rebooted the virtual machine, and then retested it
with 100,000 repetitions using ab.
It all still works fine. /var/log/apache2/error.log contains
no errors relating to "canary mismatch", and even doing
sudo grep -ri "canary mismatch" /v
An attempted set of steps to reproduce this issue follows. I failed to
reproduce it!
Those who can reproduce it, please document, in a way similar to this,
exactly how you (and so others!) can also reproduce this issue.
Just in case the web display on LP messes up my PHP script, I am attaching
To those who are experiencing this issue, and would like it fixed:
PLEASE provide more specific detail on exactly how to reproduce this
issue.
So far, we do not even seem to have information on which release of
Ubuntu is involved, much less which versions of apache2 and php5 and
Joomla. Clear an
The error I get is the same StephenA reported:
"ALERT - canary mismatch on efree() - heap overflow detected (attacker
'', file '')"
and I get it by calling odbc_execute() or odbc_exec() with any query.
The script I used to reproduce the problem is a simple test script with
just the db connection
Hi,
sorry ... from my side (Debian Maintainer), I cant reproduce the
problem. You neither provided logs (suhosin logs to syslog) nor any
example php scripts to verify your problem.
Until I don't have any reproducible facts, I can't anything for you.
Anyways .. maybe the guys from Ubuntu can fix a
I have the same problem as the other guys.
And doing:
> # echo "suhosin.simulation = on" >> /etc/php5/conf.d/suhosin.ini
>
> Restarting the webserver and you will be fine.
does not solve the problem. phpinfo() shows the flag as on, but the php
scripts which cause the error still stop being exec
> The problem is that adding anything suhosin related to the php.ini
file does not seem to work.
Which php.ini file do you use and do you use libapache2-mod-php5 or cgi?
What about the following:
# echo "suhosin.simulation = on" >> /etc/php5/conf.d/suhosin.ini
Restarting the webserver and you wi
The problem is that adding anything suhosin related to the php.ini file
does not seem to work.
Joomla and WPMU and other PHP applications regularly seem to cause FATAL
errors in the php version with Suhosin. For example:
[Thu Jul 09 12:13:23 2009] [error] [client 192.168.0.55] ALERT - canary
mis
Speaking as Debian Maintainer of the source package php-suhosin, I think you
didn't understand, what the package "php5-suhosin" stands for.
If you did have a look into the Upstream homepage[1], you can read the
following in the beginning of the page:
"Suhosin comes in two independent parts, that
I 100% agree with the opinion of John Wards.
There has to be an easy and effective way to remove Suhosin from PHP with
having to recompile.
There should be two methods available:
1. I should be able to remove the php5-suhosin package.
2. I should be able to comment out the second line (;extension=
** Changed in: php-suhosin (Ubuntu)
Sourcepackagename: php5 => php-suhosin
--
Unable to remove Suhosin patch
https://bugs.launchpad.net/bugs/315507
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.
--
Ubuntu-server-bugs mai
In the package management you have a package called php5-suhosin, it
makes sense to use that rather than compiled in patches. That way I can
remove it.
What is the reasoning behind not using the package?
Also if the "official" way of disabling Suhosin is to use conf files
should a /etc/php5/conf.
I do not understand what you mean. What part of the process doesn't work
for you, and what concrete change do you suggest to the packaging?
Why is it not enough to use Suhosin's configuration variables to disable
certain or alll functionality? See
http://www.hardened-php.net/suhosin/configuration
32 matches
Mail list logo
