problem: USE=hardenedphp emerge =mod_php-4.3.8 apache dies silently when reloaded. strace output: [..] 25234 socket(PF_UNIX, SOCK_DGRAM, 0) = 4 25234 connect(4, {sa_family=AF_UNIX, path="/dev/log"}, 110) = 0 25234 send(4, "php security-alert: Zend HashTable canary was overwritten (attacker \'\')\n", 72, 0) = 72 25234 close(4) = 0 25234 exit_group(1) = ? temporary solution: USE=-hardenedphp emerge mod_php USE flags: dev-php/mod_php-4.3.8 -X -apache2 -berkdb +crypt +curl -debug -debug -doc -fdftk -firebird -flash -freetds +gd -gd-external +gdbm -gmp +hardenedphp -imap -informix -ipv6 -java +jpeg -kerberos -ldap -mcal -memlimit -mssql +mysql +nls -oci8 -odbc +pam -pdflib +png +postgres -qt +snmp +spell +ssl -tiff +truetype +xml2 -yaz net-www/apache-1.3.31-r2 +pam system: selinux with pic pie Portage 2.0.50-r9 (x86, gcc-3.3.3, glibc-2.3.3.20040420-r0, 2.6.7) ================================================================= System uname: 2.6.7 i686 Intel(R) Xeon(TM) CPU 3.06GHz Gentoo Base System version 1.4.16 Autoconf: sys-devel/autoconf-2.59-r3 Automake: sys-devel/automake-1.8.3 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-march=i686 -O3 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" COMPILER="gcc3" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/alias /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-march=i686 -O3 -pipe -fomit-frame-pointer" DISTDIR="/var/share/www/vhosts/default/gentoo/distfiles" FEATURES="autoaddcvs ccache sandbox sfperms strict userpriv" GENTOO_MIRRORS="ftp://ftp.lug.ro/gentoo http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage_2" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="crypt curl gd gdbm hardened innodb jpeg libwww mysql ncurses nls pam perl pic pie png postgres python readline selinux snmp spell ssl truetype x86 xml xml2 zlib"
replicated on a non SE machine (with hardened pic pie hardenedphp) ...same results
stuart: hardenedphp is your baby. looks like it could be an upstream bug.
I'll take a look. I haven't added hardenedphp support for 4.3.8 though ... the USE flag should be ignored for the moment. Best regards, Stu
Okay, I've bumped the hardenedphp patch up to v0.2.2, which should fix the problem. It'll take an hour for the fix to reach your rsync mirror. Best regards, Stu
thanks stuart, the patch works. but another thing came up. upon emerging php-4.3.8 the md5 of the 0.2.1 patch is checked, not that of 0.2.2 that is actualy used. emerge php Calculating dependencies ...done! >>> emerge (1 of 1) dev-php/php-4.3.8 to / >>> md5 src_uri ;-) php-4.3.8.tar.bz2 >>> md5 src_uri ;-) php-4.3.6-includepath.diff >>> md5 src_uri ;-) hardened-php-4.3.8-0.2.1.patch.gz >>> Unpacking source... * If you have both freetds and mssql in your USE flags, parts of PHP * may not behave correctly, or may give strange warnings. You have * been warned! It's recommended that you pick ONE of them. For sybase * support, chose 'freetds'. For mssql support choose 'mssql'. >>> Unpacking php-4.3.8.tar.bz2 to /var/tmp/portage/php-4.3.8/work hardenedphp * Applying hardened-php-4.3.8-0.2.2.patch.gz... [ ok ] >>> Source unpacked.
