any help from all the mythtv users out there :-)

---------- Forwarded message ----------
From: Greg Rundlett (freephile) <[email protected]>
Date: Sat, Jan 9, 2010 at 6:14 PM
Subject: Mythweb (php 5.2.10) doesn't work b/c of suhosin - canaries
To: Boston PHP Talk <[email protected]>, NYPHP Talk <[email protected]>

Anyone else have a problem with mythweb, suhosin or php5.2.10?

I've recently upgraded my mythbuntu setup to 9.10 (karmic koala) and mythweb doesn't work b/c of a suhosin error. I get a big white screen. The error found in apache's log is

  ALERT - canary mismatch on efree() - heap overflow detected (attacker '::1', file '/usr/share/mythtv/mythweb/includes/errors.php', line 211

(generated by suhosin [1][2])

line 211 is an innocuous

  $constant_list = get_defined_constants(true);

Supposedly this is fixed upstream, or in newer versions of either apache or php5 [3], but I don't see a lot of information about it. There was a somewhat related bug [4][5] with a workaround where you could turn off session encryption in the suhosin.ini but that doesn't work in my case (there's not even a suhosin.ini config file b/c suhosin is built in to php-common -- and if you create the config + setting and/or install the compiled add-on (php5-suhosin), the problem still manifests).

Some other bugs involve segfaults in debian for php5.2.10 [6]. Still other problems have been reported that might be due to a conflict between suhosin and xdebug, but I've made sure that neither package is installed [7].

You can't uninstall suhosin because it's compiled into the php5-common package. I guess I could either build from source [8], or try to upgrade. Lucid has PHP 5.2.11 [9] so I guess I can use pinning [10] to upgrade to that version, but I haven't done that yet.

I did try installing xdebug, valgrind and kcachegrind to look for more details, but it doesn't reveal anything.

== Details of my system ==

uname -a
Linux hybrid 2.6.31-16-generic #53-Ubuntu SMP Tue Dec 8 04:01:29 UTC 2009 i686 GNU/Linux

g...@hybrid:/var/www$ apache2 -v
Server version: Apache/2.2.12 (Ubuntu)
Server built: Nov 12 2009 22:49:46

g...@hybrid:/var/www$ sudo apt-cache policy apache2
apache2:
  Installed: (none)
  Candidate: 2.2.12-1ubuntu2.1
  Version table:
     2.2.12-1ubuntu2.1 0
        500 http://us.archive.ubuntu.com karmic-updates/main Packages
        500 http://security.ubuntu.com karmic-security/main Packages
     2.2.12-1ubuntu2 0
        500 http://us.archive.ubuntu.com karmic/main Packages

g...@hybrid:/var/www$ apache2ctl -M
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 status_module (shared)
Syntax OK

g...@hybrid:/var/www$ sudo apt-cache policy php5
php5:
  Installed: 5.2.10.dfsg.1-2ubuntu6.3
  Candidate: 5.2.10.dfsg.1-2ubuntu6.3
  Version table:
 *** 5.2.10.dfsg.1-2ubuntu6.3 0
        500 http://us.archive.ubuntu.com karmic-updates/main Packages
        500 http://security.ubuntu.com karmic-security/main Packages
        100 /var/lib/dpkg/status
     5.2.10.dfsg.1-2ubuntu6 0
        500 http://us.archive.ubuntu.com karmic/main Packages

g...@hybrid:/var/www$ php -v
PHP 5.2.10-2ubuntu6.3 with Suhosin-Patch 0.9.7 (cli) (built: Nov 26 2009 14:42:49)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

php -m
[PHP Modules]
bcmath bz2 calendar ctype curl date dba dom exif filter ftp gd gettext hash
iconv imap json libxml mbstring mcrypt mime_magic mysql mysqli ncurses openssl
pcntl pcre PDO pdo_mysql pdo_pgsql pdo_sqlite pgsql posix readline Reflection
session shmop SimpleXML soap sockets SPL SQLite standard sysvmsg sysvsem
sysvshm tokenizer wddx xml xmlreader xmlwriter zip zlib

[Zend Modules]

[1] http://ubuntuforums.org/showthread.php?t=1208437
[2] Stefan Esser's blog http://www.suspekt.org/2008/10/12/suhosin-canary-mismatch-on-efree-heap-overflow-detected/
[3] http://www.mail-archive.com/[email protected]/msg197763.html
[4] https://bugs.launchpad.net/ubuntu/+source/php5/+bug/424789
[5] http://www.uluga.ubuntuforums.org/showthread.php?p=7896618
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542514
[7] sudo apt-get remove php5-suhosin
    sudo apt-get remove php5-xdebug
[8] http://chrisblunt.com/blog/2009/05/01/php-fixing-mismatched-canaries-how-to-remove-suhosin-from-debianubuntu-packages/
[9] http://packages.ubuntu.com/lucid/php5-common
[10] http://superuser.com/questions/75052/how-do-i-get-apt-pinning-to-install-the-minimum-required-from-the-unstable-distri

Greg Rundlett
nbpt 978-225-8302
m. 978-764-4424
-skype/aim/irc/twitter freephile
http://profiles.aim.com/freephile

_______________________________________________
gnhlug-discuss mailing list
[email protected]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
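
A triage script for the Suhosin alert quoted in the post, added here as an example (it is not from the post or from the MythWeb or Suhosin projects): it extracts the alert text, client address, file and line from an Apache error log and groups repeats by code location. The log prefix, timestamps and the 192.0.2.10 client in the sample are constructed; only the alert text follows the message quoted above.

```python
import re
from collections import Counter

# Matches the alert text as quoted in the post; anything before "ALERT" is ignored.
# The line number and the closing parenthesis are optional (the quoted line has no ")").
ALERT_RE = re.compile(
    r"ALERT - (?P<msg>.+?) \(attacker '(?P<attacker>[^']*)', "
    r"file '(?P<file>[^']*)'(?:, line (?P<line>\d+))?\)?"
)

# Constructed sample: the Apache prefix, timestamps and second client are invented.
SAMPLE_LOG = """\
[Sat Jan 09 17:58:01 2010] [error] [client ::1] ALERT - canary mismatch on efree() - heap overflow detected (attacker '::1', file '/usr/share/mythtv/mythweb/includes/errors.php', line 211)
[Sat Jan 09 17:58:09 2010] [error] [client ::1] File does not exist: /var/www/favicon.ico
[Sat Jan 09 17:59:30 2010] [error] [client ::1] ALERT - canary mismatch on efree() - heap overflow detected (attacker '::1', file '/usr/share/mythtv/mythweb/includes/errors.php', line 211)
[Sat Jan 09 18:02:44 2010] [error] [client 192.0.2.10] ALERT - canary mismatch on efree() - heap overflow detected (attacker '192.0.2.10', file '/usr/share/mythtv/mythweb/includes/errors.php', line 211)
"""

def parse_alerts(text):
    """Return one dict (msg, attacker, file, line) per Suhosin ALERT in the log text."""
    alerts = []
    for raw in text.splitlines():
        m = ALERT_RE.search(raw)
        if m:
            d = m.groupdict()
            d["line"] = int(d["line"]) if d["line"] else None
            alerts.append(d)
    return alerts

def summarise(alerts):
    """Group alerts by (msg, file, line); return (key, count, sorted clients), most frequent first."""
    counts, clients = Counter(), {}
    for a in alerts:
        key = (a["msg"], a["file"], a["line"])
        counts[key] += 1
        clients.setdefault(key, set()).add(a["attacker"])
    return [(key, n, sorted(clients[key])) for key, n in counts.most_common()]

if __name__ == "__main__":
    for (msg, path, line), n, who in summarise(parse_alerts(SAMPLE_LOG)):
        print(f"{n}x {msg} at {path}:{line} clients={who}")
```

One location repeated for every client, loopback included, means the mismatch reproduces on ordinary requests rather than on one unusual input.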
