
Ticket #20681 (closed enhancement: fixed)

Opened 4 years ago

Last modified 4 years ago

php4, php5, php52, php5-devel: add suhosin variant which adds the suhosin patch

Reported by: Markus.Ueberall@… Owned by: ryandesign@…
Priority: Normal Milestone:
Component: ports Version: 1.7.1
Keywords: Cc: jwa@…, snc@…
Port: php4, php52, php5, php5-devel

Description

The attached patch for the 'php5' Portfile introduces a new variant which will retrieve and apply the suhosin _patch_ ("[which] implements a few low-level protections against buffer overflows or format string vulnerabilities"), cf. http://www.hardened-php.net/suhosin/

(Please note that the current solution currently uses a workaround due to the format of the original patch which would require a '-p1' argument, while all other patches use (the default) '-p0'; maybe we should modify all patches kept in the macports repository and globally use '-p1'?)
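The '-p0' versus '-p1' question raised in the description, as an added shell example that is not part of the ticket or of its attached Portfile diffs: it writes two small constructed unified diffs (one with git-style a/ and b/ path prefixes, one with plain paths), works out which strip level each one needs by checking whether the "+++" target resolves to a file, and, when a patch binary is installed, applies each to a scratch copy of the tree at that level. The directory, file names and contents are constructed for the example; detect_strip_level and apply_patch are names chosen here, not MacPorts functions.

```shell
#!/bin/sh
# Added example (not from the ticket): a patch whose headers carry "a/" and
# "b/" prefixes needs -p1, while a plain header applies with the default -p0.

# Constructed sample tree and patches in a temporary work directory.
WORKDIR=$(mktemp -d)
cd "$WORKDIR"
mkdir -p src
printf 'hello\n' > src/hello.txt

# Git-style header: one leading path component ("a/", "b/") must be stripped.
cat > git-style.diff <<'EOF'
--- a/src/hello.txt
+++ b/src/hello.txt
@@ -1 +1 @@
-hello
+hello, suhosin
EOF

# Plain header: the path is already relative to the tree, so -p0 works.
cat > plain.diff <<'EOF'
--- src/hello.txt
+++ src/hello.txt
@@ -1 +1 @@
-hello
+hello, suhosin
EOF

# detect_strip_level PATCHFILE
# Prints the smallest strip level (0 or 1) at which the first "+++" target
# names an existing file relative to the current directory; fails otherwise.
detect_strip_level() {
    target=$(awk '/^\+\+\+ /{print $2; exit}' "$1")
    [ -n "$target" ] || return 1
    if [ -f "$target" ]; then
        echo 0
    elif [ -f "${target#*/}" ]; then
        echo 1
    else
        return 1
    fi
}

# apply_patch PATCHFILE
# Copies src/ into a fresh scratch directory, applies the patch there with the
# detected strip level (only if a patch binary is available), verifies the
# change landed, and prints the level that was used.
apply_patch() {
    level=$(detect_strip_level "$1") || return 1
    patchfile=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    scratch=$(mktemp -d)
    cp -R src "$scratch/"
    if command -v patch >/dev/null 2>&1; then
        ( cd "$scratch" && patch -s -p"$level" -i "$patchfile" ) || return 1
        grep -q 'suhosin' "$scratch/src/hello.txt" || return 1
    fi
    echo "$level"
}

# Usage: the git-style diff reports 1, the plain diff reports 0.
apply_patch git-style.diff
apply_patch plain.diff
```

In MacPorts terms, the printed level is what goes into patch.pre_args for that patch; since the port system defaults to -p0, a patch with a/ and b/ prefixes has to be either re-rolled without them or applied with patch.pre_args -p1, which is the choice the second attachment makes.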

Attachments

Portfile.diff (2.7 KB) - added by Markus.Ueberall@… 4 years ago.
Portfile diff (against revision #55557)
Portfile2.diff (2.9 KB) - added by Markus.Ueberall@… 4 years ago.
alternate, much cleaner Portfile/patches diff which realises the suggestion to always use "patch.pre_args -p1"
php5-suhosin-ryandesign.diff (2.0 KB) - added by ryandesign@… 4 years ago.

Change History

comment:1 Changed 4 years ago by macsforever2000@…

  • Cc ryandesign@… removed
  • Owner changed from macports-tickets@… to ryandesign@…
  • Port set to php5

Changed 4 years ago by Markus.Ueberall@…

Portfile diff (against revision #55557)

Changed 4 years ago by Markus.Ueberall@…

alternate, much cleaner Portfile/patches diff which realises the suggestion to always use "patch.pre_args -p1"

comment:2 in reply to: ↑ description ; follow-up: ↓ 3 Changed 4 years ago by ryandesign@…

  • Status changed from new to assigned
  • Owner changed from ryandesign@… to ryandesign@…

Replying to Markus.Ueberall@…:

The attached patch for the 'php5' Portfile introduces a new variant which will retrieve and apply the suhosin _patch_ ("[which] implements a few low-level protections against buffer overflows or format string vulnerabilities"), cf. http://www.hardened-php.net/suhosin/

These sound like valuable changes. Can anyone explain why they are (for some time now, as I understand it) distributed separately from PHP by separate people, and not part of the PHP core source code?

comment:3 in reply to: ↑ 2 Changed 4 years ago by Markus.Ueberall@…

Replying to ryandesign@…:

Can anyone explain why they are (for some time now, as I understand it) distributed separately from PHP by separate people, and not part of the PHP core source code?

The only reason I found (which is cited, e.g., in a recent short article in the German magazine "c't" that deals with PHP security) is that--according to Stefan Esser (the author of Suhosin)--the combination of patch and extension can slow down PHP scripts by as much as 10 percent in extreme cases (the patch being the 'computationally more expensive' part). However, I didn't see a single thread discussing the patch's adaption upstream, which I find a bit surprising (then, maybe I looked at the wrong places)...

That said, quite a number of Linux distributions (including Ubuntu, Debian, OpenSuse, Mandriva) nowadays include the patch by default.

comment:4 follow-up: ↓ 5 Changed 4 years ago by snc@…

  • Cc snc@… added

Is this the other half of the suhosin port?

php5-suhosin @0.9.29 (php, security, www)
    Advanced protection extension for PHP

comment:5 in reply to: ↑ 4 Changed 4 years ago by Markus.Ueberall@…

Replying to snc@…:

Is this the other half of the suhosin port?

Well... the extension (php5-suhosin) and the patch (variant suhosin) can be used independently; while both can be considered "halves", this doesn't mean that you absolutely have to activate the variant once you install the port and vice versa (unless your intention really is to get all the benefits suhosin has to offer).

Changed 4 years ago by ryandesign@…

comment:6 Changed 4 years ago by ryandesign@…

Attached is my rewritten version of the patch which I would apply to the php5 port, except that it doesn't finish building when I use the suhosin variant. It gets as far as building the cli sapi and then crashes when trying to generate phar.php.

Generating phar.php
make: *** [ext/phar/phar.php] Error 138

It appears the cli sapi just crashes on launch no matter what you do.

2009-08-26 05:43:45 -0500

EXC_BAD_ACCESS (0x0001)
KERN_PROTECTION_FAILURE (0x0002) at 0x0051a7e0

Thread 0 Crashed:
0    zend_llist_init + 489
1    sapi_activate + 57
2    php_module_startup + 52
3    php_cli_startup + 33
4    main + 639
5    _start + 216
6    start + 41

This is on Mac OS X 10.4.11 Intel patching php5 @5.3.0_2. Does it work for anyone else?

comment:7 Changed 4 years ago by snc@…

Built for me on Leopard: php5 @5.3.0_2+suhosin+no_web. I'll try again without +no_web.

comment:8 Changed 4 years ago by snc@…

… and it builds without +no_web.

comment:9 Changed 4 years ago by ryandesign@…

  • Status changed from assigned to closed
  • Resolution set to fixed

Thanks. I can confirm it works on Leopard (on Intel and PowerPC) but not on Tiger (on Intel or PowerPC). I added the variant to php5 in r56403 and php5-devel in r56406. I will report the Tiger problem to the developers.

comment:10 Changed 4 years ago by ryandesign@…

  • Port changed from php5 to php4, php52, php5, php5-devel
  • Summary changed from "php-5.3.0 introduce variant 'suhosin' which adds the suhosin _patch_" to "php4, php5, php52, php5-devel: add suhosin variant which adds the suhosin patch"

I added the suhosin variant to php52 in r56575 and to php4 in r58839.
