Spat over PHP Suhosin patch

Suhosin logo. Suhosin, a security extension for PHP, can cause some systems to crash. A patch from the Debian maintainers resolves this problem, but in doing so gives rise to a potential security vulnerability. A spat has now developed over just who screwed up and where.

One part of the Suhosin package is a patch for the PHP environment. In the Suhosin patch for PHP 5.3, Suhosin's configuration data, which determines whether or not certain security features are active, is stored in RAM. To ensure that exploits cannot simply disable these security features, the memory area in question is write-protected after launching. Specifically, the memory area is aligned to a page boundary and the whole page then set to read-only using mprotect().

Unfortunately this is not portable and causes major problems on systems which do not use a page size of 4096 – such as IA64 platforms, where it results in crashes as a result of factors such as PHP attempting to overwrite a protected memory area. The Debian package maintainers took it upon themselves to tackle the problem and prepared a patch which resolved the crashes. They emailed Stefan Esser, the developer behind Suhosin, about the fix on the 10th of February. However, Esser, as he admits in a subsequent blog posting did not check his Hardened PHP project email address for two months. In the absence of a response, the Debian maintainers eventually decided to release their patch and the crashes ceased.

Some time later when Esser did catch up on checking his Hardened PHP email, he stumbled upon the now-released patch from Debian. On close examination, he discovered that although it does indeed fix the crashes, in doing so the patch disables the memory protection features. The Debian patch adds a pointer to the write-protected Suhosin configuration data. This allows a streetwise attacker, rather than attacking the configuration data directly, to generate a new set of configuration data configured to taste and to then switch the pointer to point to it.

So far, so 'shit happens', but instead of ensuring that the dodgy patch was replaced with something better as quickly as possible, Esser started out by posting a blog entry stating his personal view of the matter. This included comparing the Debian maintainers' behaviour over the patch to Debian's OpenSSL debacle. In the wake of Esser's blog entry, a heated discussion – characterised largely by allegations and wounded vanity – ensued. Esser has now deleted some parts of the incriminating blog entry, revised others and locked the comments. He has also withdrawn his initial proposal for an improved patch. The upshot is that there is, as far as we are aware, at present still no patch available which resolves the crashes without introducing security problems of its own.

(crve)