Summary: | dev-php5/suhosin should link against libcrypt and doesn't | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Hanno Böck <hanno> |
Component: | Hardened | Assignee: | PHP Bugs <php-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bug, flameeyes, hardened, kfm, klondike |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: |
Patch for suhosin
Patch for the ebuild |
Description
Hanno Böck
I'll get myself a hardened lxc here and look into it. Thanks for reporting!

@hanno can we get an emerge --info and php version and use flags?

zucker ~ # emerge -pv php
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] dev-lang/php-5.3.3-r1 USE="bzip2 calendar cgi cli crypt ctype curl exif fileinfo filter ftp gd hash iconv imap ipv6 json mysql mysqli nls pdo phar pic posix session simplexml soap spell sqlite sqlite3 ssl suhosin tidy tokenizer truetype unicode xml xmlreader xmlrpc xmlwriter xsl zip zlib (-adabas) -apache2 -bcmath -berkdb (-birdstep) -cdb -cjk -concurrentmodphp -curlwrappers -db2 (-dbmaker) -debug -doc -embed (-empress) (-empress-bcs) -enchant (-esoob) (-firebird) -flatfile -fpm (-frontbase) -gd-external -gdbm -gmp -inifile -interbase -intl -iodbc -kerberos -kolab -ldap -ldap-sasl -libedit -mssql -mysqlnd -oci8 -oci8-instant-client -odbc -pcntl -postgres -qdbm -readline -recode -sapdb -sharedext -sharedmem -snmp -sockets (-solid) (-sybase-ct) -sysvipc -threads -wddx -xpm" 0 kB

inherit toolchain-funcs flag-o-matic

if gcc-specs-now ; then
    append-ldflags -Wl,-z,lazy
fi

Try with that ebuild code, but it would be good if upstream supported -z now.
http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml (Issues arising from default NOW)

http://blog.flameeyes.eu/2010/08/18/compounded-issues-in-glibc-2-12

The issue is still valid as of September 23rd, with dev-lang/php-5.3.3-r1 and dev-php5/suhosin-0.9.32.1.
# php -v
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php5/lib/extensions/no-debug-non-zts-20090626/suhosin.so' - /usr/lib64/php5/lib/extensions/no-debug-non-zts-20090626/suhosin.so: undefined symbol: crypt in Unknown on line 0

Any fix coming soon ???

ebuild R ] dev-lang/php-5.3.3-r1 USE="apache2 berkdb bzip2 cli crypt ctype curl fileinfo filter gd gdbm hash iconv imap json nls phar pic posix postgres readline session simplexml ssl suhosin tokenizer truetype unicode xml xmlreader xmlwriter zlib (-adabas) -bcmath (-birdstep) -calendar -cdb -cgi -cjk -concurrentmodphp -curlwrappers -db2 (-dbmaker) -debug -doc -embed (-empress) (-empress-bcs) -enchant (-esoob) -exif (-firebird) -flatfile -fpm (-frontbase) -ftp -gd-external -gmp -inifile -interbase -intl -iodbc -ipv6 -kerberos -kolab -ldap -ldap-sasl -libedit -mssql -mysql -mysqli -mysqlnd -oci8 -oci8-instant-client -odbc -pcntl -pdo -qdbm -recode -sapdb -sharedext -sharedmem -snmp -soap -sockets (-solid) -spell -sqlite -sqlite3 (-sybase-ct) -sysvipc -threads -tidy -wddx -xmlrpc -xpm -xsl -zip" 0 kB
[ebuild R ] dev-php5/suhosin-0.9.32.1 0 kB

phpinfo()
Core
PHP Version 5.3.3-pl1-gentoo
suhosin
Suhosin Extension 0.9.32.1
mcrypt
Version 2.5.8

Looks like it works fine for me. Have you re-emerged all deps on php and suhosin?

Okay I hit this one twice on two different systems. In both cases I rebuilt php *after* I built suhosin.

Hitting the bug here too: somehow tries to load /usr/lib/php5/lib/extensions/no-debug-non-zts-20060613/suhosin.so when it should try /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so

Uses:
[ebuild R ] dev-lang/php-5.2.14 USE="apache2 bzip2 cgi cli crypt ctype filter force-cgi-redirect gd hash iconv imap ipv6 json mysql mysqli ncurses nls pcre pic posix readline reflection session simplexml spell spl ssl suhosin tokenizer unicode xml xmlreader xmlwriter zlib -adabas -bcmath -berkdb -birdstep -calendar -cdb -cjk -concurrentmodphp -curl -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -embed -empress -empress-bcs -esoob -exif -fdftk -firebird -flatfile -frontbase -ftp -gd-external -gdbm -gmp -inifile -interbase -iodbc -kerberos -kolab -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -oci8 -oci8-instant-client -odbc -pcntl -pdo -postgres -qdbm -recode -sapdb -sharedext -sharedmem -snmp -soap -sockets -solid -sqlite -sybase-ct -sysvipc -threads -tidy -truetype -wddx -xmlrpc -xpm -xsl -yaz -zip" 8,875 kB
[ebuild R ] dev-php5/suhosin-0.9.31 117 kB

Seems to be related to a bad php.ini file. Review your "extension_dir" directive. In my case changing to
"extension_dir = /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20060613" seems to work.

(In reply to comment #9)
> Seems to be related to a bad php.ini file. Review your "extension_dir"
> directive. In my case changing to
> "extension_dir = /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20060613"
> seems to work.
>
In this case, it should not be limited to only the suhosin extension. At least from PHP 5.3.3 (didn't test with 5.2.14), the best thing is to comment the extension_dir param. PHP will then use the same directory it installs extensions into when you use php-config.

After some checks on #gentoo-hardened with blueness, it seems that this is not the problem. Maybe my system is importing the libcrypt when running the php and yours isn't?

Hi, the ini-file-issue has nothing to do with this bug, please open new bugs for other issues.

If I add append-ldflags -Wl,-z,lazy in eclass/php-ext-source-re.eclass php-ext-source-r1_src_compile() after the has_concurrentmodphp check. The error goes away.
Have no clue how the loading of extensions works in php.
It is bad we need to use lazy bindings to make it work on the new php.
@php you may have some clue how the loading of extensions works.

(In reply to comment #13)
> If I add append-ldflags -Wl,-z,lazy in eclass/php-ext-source-re.eclass
> php-ext-source-r1_src_compile() after the has_concurrentmodphp check.
> The error goes away.

An alternative is to weaken the symbol which is causing the problem, in this case crypt, using rebind from elfkickers:
rebind -w /usr/lib64/php5/lib/extensions/no-debug-non-zts-20090626/suhosin.so crypt

After doing some research there are two things that I'd like you to try:
1) Adding -lcrypt to the CFLAGS.
2) Changing a line on line 53 of suhosin-0.9.31/crypt.c with:
__attribute__((weak)) extern char *crypt(const char *__key, const char *__salt);

The first one will force the preload of the crypt library when loading the suhosin library (right now it is not there). The second one will mark the crypt symbol as weak.
(Both solutions ought to be applied on dev-php5/suhosin)

>
> The first one will force the preload of the crypt library when loading the
> suhosin library (right now it is not there). The second one will mark the crypt
> symbol as weak.
>
I'm not sure this is the correct approach. Passing -lcrypt to LDFLAGS will link against openssl and bypass the built-in crypt function. Line 983+ of php's configure.in checks for that:
dnl this has to be here to prevent the openssl crypt() from
dnl overriding the system provided crypt().
if test "$ac_cv_lib_crypt_crypt" = "yes"; then
EXTRA_LIBS="-lcrypt $EXTRA_LIBS -lcrypt"
fi
Then go for the second one and mark the symbol as weak :P

Okay the problem here is not really hardened; hardened is only showing right away that the extension is broken; for non-hardened systems (where php is not by itself linked against libcrypt for other reasons), the extension will fail at runtime when the crypt() function is being called (see [1]). Immediate bindings only ensure that the extension is not loaded, rather than aborting at runtime.

I'm going to attach a patch for suhosin, and a patch for the ebuild to apply it, that solve the problem by properly linking against libcrypt as the extension needs.

[1] http://blog.flameeyes.eu/2010/09/01/your-worst-enemy-undefined-symbols

Created attachment 250027
Patch for suhosin
Created attachment 250029
Patch for the ebuild
Fixed in tree in 0.9.32.1-r1, hoping PHP team doesn't mind I got it through as QA. I also sent the patch upstream.

(In reply to comment #22)
> Fixed in tree in 0.9.32.1-r1, hoping PHP team doesn't mind I got it through as
> QA. I also sent the patch upstream.
>
We don't mind. Thanks a lot for your time on this bug. Appreciate it.
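
The underlinking discussed in this bug (suhosin.so uses crypt() but does not list libcrypt in DT_NEEDED) can be caught before install with a small audit of the extension's dynamic section. This is an added example, not code from the bug report or from either attached patch; the readelf and nm excerpts, the EXPORTS map and the soname libcrypt.so.1 are constructed assumptions.

```python
import re

# Constructed `readelf -d suhosin.so` excerpts (not copied from the bug report).
READELF_HARDENED = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [suhosin.so]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
"""
READELF_LAZY = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [suhosin.so]
"""
# Same object after it has been linked against libcrypt.
READELF_FIXED = (
    " 0x0000000000000001 (NEEDED)             Shared library: [libcrypt.so.1]\n"
    + READELF_HARDENED
)

# Constructed `nm -D --undefined-only suhosin.so` excerpt.
NM_UNDEFINED = """\
                 U crypt
                 U memcpy@GLIBC_2.14
                 w __gmon_start__
                 U zend_parse_parameters
"""

# Constructed symbol table: which library exports what. In practice this is
# built from `nm -D --defined-only` over the candidate libraries.
EXPORTS = {
    "libc.so.6": {"memcpy", "strlen"},
    "libcrypt.so.1": {"crypt"},
}

NEEDED_RE = re.compile(r"\(NEEDED\)[ \t]+Shared library: \[([^\]]+)\]")
BIND_NOW_RE = re.compile(
    r"\(BIND_NOW\)|\(FLAGS\)[ \t]+.*\bBIND_NOW\b|\(FLAGS_1\)[ \t]+Flags:.*\bNOW\b"
)
UNDEF_RE = re.compile(r"^\s*([Uwv])\s+(\S+)\s*$", re.M)


def parse_needed(readelf_text):
    """Sonames the object asks the loader to pull in (DT_NEEDED)."""
    return set(NEEDED_RE.findall(readelf_text))


def binds_now(readelf_text):
    """True if the object was linked with -z now (immediate binding)."""
    return bool(BIND_NOW_RE.search(readelf_text))


def parse_undefined(nm_text):
    """Strong undefined symbols; weak ones (w/v) may legally stay unresolved."""
    return {sym.split("@")[0] for kind, sym in UNDEF_RE.findall(nm_text) if kind == "U"}


def audit(readelf_text, nm_text, exports):
    """Return (symbol, providing library, when it breaks) for each symbol whose
    provider is known but missing from DT_NEEDED. Symbols with no known
    provider (here zend_parse_parameters) are assumed to come from the host
    process and are not reported."""
    needed = parse_needed(readelf_text)
    when = "load" if binds_now(readelf_text) else "first call"
    findings = []
    for sym in sorted(parse_undefined(nm_text)):
        providers = sorted(lib for lib, syms in exports.items() if sym in syms)
        if providers and not needed.intersection(providers):
            findings.append((sym, providers[0], when))
    return findings


if __name__ == "__main__":
    for name, dump in (("hardened", READELF_HARDENED),
                       ("lazy", READELF_LAZY),
                       ("fixed", READELF_FIXED)):
        print(name, audit(dump, NM_UNDEFINED, EXPORTS))
```

A finding on a lazily bound object only stays hidden when the host process happens to have loaded the providing library already, which is the case described above for PHP builds linked against libcrypt.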