Posted by & filed under PHP.

A few days ago, Stefan Esser discovered a buffer overflow in the “transparent cookie encryption stack” of the Suhosin extension. Here is the full advisory.

If you previously installed the php5-suhosin package, you should upgrade to its fixed new version (0.9.33) by running :

apt-get update
apt-get install --reinstall php5-suhosin

17 Responses to “Advisory : buffer overflow in php5-suhosin”

  1. Matic

    apt-get has now asked whether I want suhosin.ini to be rewritten. Thank you for the change and the suhosin update Guillaume, you’re the best.

    Reply
  2. M

    Hi Guillaume,
    I’ve never installed php5-suhosin as a standalone package, I always installed/upgraded your dotdeb package. Should I update php5-suhosin as well ? BTW my phpinfo() says “This server is protected with the Suhosin Patch 0.9.10″.

    Tnx

    Reply
  3. Guillaume Plessis

    @M : there’s no need for you to install php5-suhosin (the *extension*) if you don’t use its functions.
    On the other side, the suhosin *patch* that is bundled with Dotdeb’s PHP packages, is not vulnerable to any buffer overflow. No need to upgrade anything.

    Reply
  4. M

    Hi G.
    tnx for the info. I’ve a little problem: I run ‘apt-get install –reinstall php5-suhosin’ before asking you and now I run ‘apt-get remove php5-suhosin’ and now I have ‘PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib/php5/20090626+lfs/suhosin.so’ – /usr/lib/php5/20090626+lfs/suhosin.so: cannot open shared object file: No such file or directory in Unknown on line 0
    ‘ . Can you help me ?

    Reply
  5. Guillaume Plessis

    @M : you should have summoned “apt-get remove –purge php5-suhosin” to remove Suhosin’s loading/configuration file.

    Then, remove it manually : /etc/php5/conf.d/suhosin.ini
    Be also sure to remove its symlinks in /etc/php5/*/conf.d/suhosin.ini

    Reply
  6. m

    @G.

    ok removed /etc/php5/conf.d/suhosin.ini
    but how to remove its symlinks in /etc/php5/*/conf.d/suhosin.ini ?

    Reply
  7. M

    #G:

    I get ‘rm: cannot remove `/etc/php5/*/conf.d/suhosin.ini’: No such file or directory
    ‘ . I think I’m safe now :)

    Reply
  8. Marcel

    Hi,

    please please do not recycle previously used version numbers!

    Increment the version, e.g. in this case the old version from Fri, 13 Jan 2012 was

    5.3.9-1~dotdeb.3

    and the new release *should have* had version

    5.3.9-1~dotdeb.4

    You ask why?

    Because some people use Package mirros like approx.

    In our case approx had the old php5-suhosin_5.3.9-1~dotdeb.3_i386.deb cached so it delivered the cached php5-suhosin_5.3.9-1~dotdeb.3_i386.deb to all clients asking for the new one and apt-get upgrade failed with

    Size mismatch

    So please reuse version numbers in the future!

    Thanks! :)

    Reply
  9. Guillaume Plessis

    @Marcel : sorry, I got your point, but reusing the version numbers was a the quickest way to fix the buffer overflow this time.
    Packaging only php5-suhosin for lenny/squeeze amd64/i386 takes me about 5 minutes, while rebuilding all the php5-* packages last at least 4 hours.

    I’ll do my best to avoid this in the future.

    Reply
  10. Marcel

    Hi Guillaume,

    i’m not sure i understand why changeing the version number in one package means to rebuild all packages.

    You recompiled the suhosin.so file which included the security fix, made a .deb package out of it and refreshed the repository metadata (Packages.gz) to reflect the right checksum and size.

    So where is here the need to rebuild the whole php5-* packages if you just additionally changed the minor version number to dotdeb.4?

    I can’t follow your argument here :)

    BTW: Thanks for the service you provide! Even though i do criticise the version numbering in this case this doesn’t mean i do not value your work with all the nice packages you provide!

    Marcel.

    Reply

Leave a Reply

  • (will not be published)


eight − = 7