Bug 332161 - dev-php5/suhosin should link against libcrypt and doesn't
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High normal
Assignee: PHP Bugs
Reported: 2010-08-11 00:10 UTC by Hanno Böck
Modified: 2010-10-18 06:29 UTC
Attachments
Patch for suhosin (suhosin-0.9.32.1-libcrypt.patch,625 bytes, patch)
2010-10-09 14:22 UTC, Diego Elio Pettenò (RETIRED)
Patch for the ebuild (suhosin-0.9.32.1.ebuild.patch,824 bytes, patch)
2010-10-09 14:23 UTC, Diego Elio Pettenò (RETIRED)

Description Hanno Böck gentoo-dev 2010-08-11 00:10:23 UTC
I get messages like this in my php.log when compiling suhosin on a hardened system:

Aug 11 02:07:25 zucker php-cgi: PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php5/lib/extensions/no-debug-non-zts-20090626/suhosin.so' - /usr/lib64/php5/lib/extensions/no-debug-non-zts-20090626/suhosin.so: undefined symbol: crypt in Unknown on line 0

Switching with gcc-config to -vanilla, it works again.
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2010-08-11 12:06:09 UTC
I'll get myself a hardened lxc here and look into it. Thanks for reporting!
Comment 2 Magnus Granberg gentoo-dev 2010-08-11 14:42:10 UTC
@hanno can we get an emerge --info and php version and use flags?
Comment 3 Hanno Böck gentoo-dev 2010-08-11 15:47:53 UTC
zucker ~ # emerge --info
Portage 2.1.8.3 (hardened/linux/amd64/10.0/no-multilib, gcc-4.4.3, glibc-2.11.2-r0, 2.6.32.8-grsec x86_64)
=================================================================
System uname: Linux-2.6.32.8-grsec-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_6000+-with-gentoo-1.12.13
Timestamp of tree: Tue, 10 Aug 2010 23:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p37
dev-lang/python:     2.6.5-r2, 3.1.2-r3
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.65
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.3-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA dlj-1.1"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=athlon64 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=athlon64 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache collision-protect distlocks fixpackages multilib-strict news parallel-fetch protect-owned sandbox sfperms strict suidctl unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_DE.UTF-8"
LC_ALL="de_DE.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlays/keks"
SYNC="rsync://rsync7.de.gentoo.org/gentoo-portage"
USE="7zip acl amd64 apache2 bash-completion bzip2 calendar cgi cli cracklib crypt ctype curl dri exif fam fastcgi filter force-cgi-redirect ftp gd geoip gif glibc-omitfp gpg gpgme hardened hash httpbind iconv idn imagemagick imap iproute2 ipv6 irc jpeg json justify leim logrotate mailwrapper memcache mhash mmap mmx mod_irc mod_muc mod_pubsub modules mpm-prefork muc mudflap mysql mysqli ncurses nls nptl nptlonly ocamlopt openmp openssl otr pam pcre pdf pdo perl php pic png pop pppd proxy pubsub python qdbm readline reflection ruby sensord session sidebar silvercity simplexml slang smime smtp sni soap spell spl sqlite sqlite3 sse sse2 ssl static-modules suexec suhosin svg sysfs tiff tokenizer tools truetype unicode urandom userlocales web webdav xattr xml xmlrpc xorg xsl xtended zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_file authn_anon authn_default authz_host authz_groupfile authz_user authz_owner authz_default auth_basic auth_digest cache include deflate log_config logio env mime_magic unique_id setenvif mime dav status autoindex info suexec cgi dav dav_fs dav_lock vhost_alias negotiation dir actions alias rewrite so charset_lite filter headers" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq 
steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

zucker ~ # emerge -pv php

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] dev-lang/php-5.3.3-r1  USE="bzip2 calendar cgi cli crypt ctype curl exif fileinfo filter ftp gd hash iconv imap ipv6 json mysql mysqli nls pdo phar pic posix session simplexml soap spell sqlite sqlite3 ssl suhosin tidy tokenizer truetype unicode xml xmlreader xmlrpc xmlwriter xsl zip zlib (-adabas) -apache2 -bcmath -berkdb (-birdstep) -cdb -cjk -concurrentmodphp -curlwrappers -db2 (-dbmaker) -debug -doc -embed (-empress) (-empress-bcs) -enchant (-esoob) (-firebird) -flatfile -fpm (-frontbase) -gd-external -gdbm -gmp -inifile -interbase -intl -iodbc -kerberos -kolab -ldap -ldap-sasl -libedit -mssql -mysqlnd -oci8 -oci8-instant-client -odbc -pcntl -postgres -qdbm -readline -recode -sapdb -sharedext -sharedmem -snmp -sockets (-solid) (-sybase-ct) -sysvipc -threads -wddx -xpm" 0 kB
Comment 4 Magnus Granberg gentoo-dev 2010-08-24 15:25:24 UTC
inherit toolchain-funcs flag-o-matic
if gcc-specs-now ; then
	append-ldflags -Wl,-z,lazy
fi
Try with that ebuild code,
but it would be good if upstream supported -z now
http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml (Issues arising from default NOW)
http://blog.flameeyes.eu/2010/08/18/compounded-issues-in-glibc-2-12
Comment 5 AlexG 2010-09-23 21:12:16 UTC
The issue is still valid as of September 23rd, with dev-lang/php-5.3.3-r1 and dev-php5/suhosin-0.9.32.1.

# php -v
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php5/lib/extensions/no-debug-non-zts-20090626/suhosin.so' - /usr/lib64/php5/lib/extensions/no-debug-non-zts-20090626/suhosin.so: undefined symbol: crypt in Unknown on line 0

Any fix coming soon ???
Comment 6 Magnus Granberg gentoo-dev 2010-09-24 16:33:19 UTC
[ebuild   R   ] dev-lang/php-5.3.3-r1  USE="apache2 berkdb bzip2 cli crypt ctype curl fileinfo filter gd gdbm hash iconv imap json nls phar pic posix postgres readline session simplexml ssl suhosin tokenizer truetype unicode xml xmlreader xmlwriter zlib (-adabas) -bcmath (-birdstep) -calendar -cdb -cgi -cjk -concurrentmodphp -curlwrappers -db2 (-dbmaker) -debug -doc -embed (-empress) (-empress-bcs) -enchant (-esoob) -exif (-firebird) -flatfile -fpm (-frontbase) -ftp -gd-external -gmp -inifile -interbase -intl -iodbc -ipv6 -kerberos -kolab -ldap -ldap-sasl -libedit -mssql -mysql -mysqli -mysqlnd -oci8 -oci8-instant-client -odbc -pcntl -pdo -qdbm -recode -sapdb -sharedext -sharedmem -snmp -soap -sockets (-solid) -spell -sqlite -sqlite3 (-sybase-ct) -sysvipc -threads -tidy -wddx -xmlrpc -xpm -xsl -zip" 0 kB
[ebuild   R   ] dev-php5/suhosin-0.9.32.1  0 kB

phpinfo()  Core PHP Version   5.3.3-pl1-gentoo
suhosin Suhosin Extension 0.9.32.1
mcrypt Version   2.5.8

jasmin ~ # emerge --info
Portage 2.1.8.3 (hardened/linux/amd64/10.0, gcc-4.4.4, glibc-2.11.2-r0, 2.6.34-hardened-r1 x86_64)
=================================================================
System uname: Linux-2.6.34-hardened-r1-x86_64-Intel-R-_Xeon-R-_CPU_E5420_@_2.50GHz-with-gentoo-2.0.1
Timestamp of tree: Thu, 23 Sep 2010 21:15:03 +0000
ccache version 2.4 [disabled]
app-shells/bash:     4.0_p37
dev-lang/python:     2.5.4-r2, 2.6.5-r3, 3.1.2-r4
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.2
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.65
sys-devel/automake:  1.4_p6, 1.9.6-r2, 1.10.2, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4-r2, 4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.35
ABI="amd64"
ACCEPT_KEYWORDS="amd64"

Looks like it works fine for me.
Have you re-emerged all deps on php and suhosin?
Comment 7 Anthony Basile gentoo-dev 2010-09-27 22:08:59 UTC
Okay, I hit this one twice on two different systems.  In both cases I rebuilt php *after* I built suhosin.

yellowness ~ # emerge --info
Portage 2.1.8.3 (hardened/linux/amd64, gcc-4.4.4, glibc-2.11.2-r0, 2.6.34-hardened-r7 x86_64)
=================================================================
System uname: Linux-2.6.34-hardened-r7-x86_64-Intel-R-_Core-TM-_i7_CPU_920_@_2.67GHz-with-gentoo-1.12.13
Timestamp of tree: Mon, 27 Sep 2010 07:30:01 +0000
app-shells/bash:     4.0_p37
dev-java/java-config: 2.1.11
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       3.4.6-r2, 4.3.4, 4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA dlj-1.1 LOKI-EULA AdobeFlash-10.1"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests collision-protect distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://192.168.3.1/pub/gentoo"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en it"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/blueness"
SYNC="rsync://192.168.3.1/portage"
USE="X a52 acl acpi alisp alsa amd64 apache2 apm autoipd avahi bash-completion berkdb bindist bluetooth bookmarks bzip2 cairo cdr chm cli clisp consolekit cracklib crypt ctype cups curl cxx dbus device-mapper directfb djbfft dri dvd dvdr encode esd exif expat extras fam fbcon ffmpeg flac fortran galago gd gdbm gdu gif gmp gnome gnutls gs gstreamer gtk hal hardened hash iconv imap ipv6 java jpeg jpeg2k justify kdrive ldap libnotify loop-aes lzo mad mbox mdnsresponder-compat mmx modules mpeg mudflap multilib mysql nagios-dns nagios-game nagios-ntp nagios-ping nagios-ssh ncurses nfs nls ogg opengl openmp pam pcre pdf perl pic png policykit postgres ppds pppd python readline reflection samba secure-delete server session snmp sqlite sse sse2 ssl svg sysfs tcpd theora tiff tokenizer tracker truetype unicode ups urandom utils vorbis winbind wmf xcb xml xmlrpc xorg xulrunner xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad 
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en it" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv nouveau r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Portage 2.1.8.3 (hardened/linux/amd64/10.0, gcc-4.3.4, glibc-2.11.2-r0, 2.6.32-hardened-r18 x86_64)
=================================================================
System uname: Linux-2.6.32-hardened-r18-x86_64-Intel-R-_Core-TM-_i7_CPU_920_@_2.67GHz-with-gentoo-1.12.13
Timestamp of tree: Mon, 27 Sep 2010 07:00:01 +0000
app-shells/bash:     4.0_p37
dev-lang/python:     2.6.5-r3, 3.1.2-r4
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://192.168.100.9/pub/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/blueness"
SYNC="rsync://192.168.100.7/portage"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cups cxx dri gdbm gpm hardened iconv justify mmx modules mudflap multilib ncurses nls nptl nptlonly openmp pam pcre perl pic pppd python readline reflection session sse sse2 ssl suhosin sysfs tcpd unicode urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 8 Francisco Blas Izquierdo Riera gentoo-dev 2010-09-28 00:17:06 UTC
Hitting the bug here too: somehow it tries to load /usr/lib/php5/lib/extensions/no-debug-non-zts-20060613/suhosin.so when it should try /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so

Uses:
[ebuild   R   ] dev-lang/php-5.2.14  USE="apache2 bzip2 cgi cli crypt ctype filter force-cgi-redirect gd hash iconv imap ipv6 json mysql mysqli ncurses nls pcre pic posix readline reflection session simplexml spell spl ssl suhosin tokenizer unicode xml xmlreader xmlwriter zlib -adabas -bcmath -berkdb -birdstep -calendar -cdb -cjk -concurrentmodphp -curl -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -embed -empress -empress-bcs -esoob -exif -fdftk -firebird -flatfile -frontbase -ftp -gd-external -gdbm -gmp -inifile -interbase -iodbc -kerberos -kolab -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -oci8 -oci8-instant-client -odbc -pcntl -pdo -postgres -qdbm -recode -sapdb -sharedext -sharedmem -snmp -soap -sockets -solid -sqlite -sybase-ct -sysvipc -threads -tidy -truetype -wddx -xmlrpc -xpm -xsl -yaz -zip" 8,875 kB
[ebuild   R   ] dev-php5/suhosin-0.9.31  117 kB

emerge --info:
emerge --info
Portage 2.1.8.3 (hardened/linux/x86/10.0, gcc-4.3.4, glibc-2.11.2-r0, 2.6.32-hardened-r9 i686)
=================================================================
System uname: Linux-2.6.32-hardened-r9-i686-Pentium_III_-Coppermine-with-gentoo-1.12.13
Timestamp of tree: Mon, 27 Sep 2010 01:30:22 +0000
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA dlj-1.1"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.udc.es/ ftp://ftp.rnl.ist.utl.pt/pub/gentoo/ http://cesium.di.uminho.pt/pub/gentoo/ ftp://cesium.di.uminho.pt/pub/gentoo/ "
LANG="es_ES.UTF-8"
LC_ALL="es_ES.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="es es_ES"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/verlihub /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl bzip2 cli cracklib crypt cxx dri gpm hardened iconv ipv6 logrotate mmx modules mudflap ncurses nls nptl nptlonly ocamlopt openmp pam pcre pic pppd readline reflection session sse ssl sysfs unicode urandom x86 xattr zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1       emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m       maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_default authn_file authz_default authz_host autoindex cache cgi deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="es es_ES" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel  mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage      siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware     voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 9 Francisco Blas Izquierdo Riera gentoo-dev 2010-09-28 00:23:39 UTC
Seems to be related to a bad php.ini file. Review your "extension_dir" directive. In my case changing to 
"extension_dir = /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20060613" seems to work.
Comment 10 Ole Markus With (RETIRED) gentoo-dev 2010-09-28 04:50:24 UTC
(In reply to comment #9)
> Seems to be related to a bad php.ini file. Review your "extension_dir"
> directive. In my case changing to 
> "extension_dir = /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20060613"
> seems to work.
> 

In this case, it should not be limited to only the suhosin extension.
At least from PHP 5.3.3 (didn't test with 5.2.14), the best thing is to comment out the extension_dir param. PHP will then use the same directory it installs extensions into when you use php-config.
Comment 11 Francisco Blas Izquierdo Riera gentoo-dev 2010-09-28 14:22:44 UTC
After some checks on #gentoo-hardened with blueness, it seems that this is not the problem.

Maybe my system is importing the libcrypt when running the php and yours isn't?
Comment 12 Hanno Böck gentoo-dev 2010-09-30 09:31:31 UTC
Hi, the ini-file-issue has nothing to do with this bug, please open new bugs for other issues.
Comment 13 Magnus Granberg gentoo-dev 2010-09-30 20:57:12 UTC
If I add append-ldflags -Wl,-z,lazy in eclass/php-ext-source-re.eclass php-ext-source-r1_src_compile() after the has_concurrentmodphp check,
the error goes away.
Have no clue how the loading of extensions works in php.
It is bad we need to use lazy bindings to make it work on the new php.
@php you may have some clue how the loading of extensions works.
Comment 14 Anthony Basile gentoo-dev 2010-10-01 00:17:19 UTC
(In reply to comment #13)
> If I add append-ldflags -Wl,-z,lazy in eclass/php-ext-source-re.eclass
> php-ext-source-r1_src_compile() after the has_concurrentmodphp check.
> The error goes away.

An alternative is to weaken the symbol which is causing the problem, in this case crypt, using rebind from elfkickers:

rebind -w /usr/lib64/php5/lib/extensions/no-debug-non-zts-20090626/suhosin.so crypt

Comment 15 Francisco Blas Izquierdo Riera gentoo-dev 2010-10-04 00:41:30 UTC
After doing some research there are two things that I'd like you to try:
1) Adding -lcrypt to the CFLAGS.
2) Changing line 53 of suhosin-0.9.31/crypt.c to:
__attribute__((weak)) extern char *crypt(const char *__key, const char *__salt);

The first one will force the preload of the crypt library when loading the suhosin library (right now it is not there). The second one will mark the crypt symbol as weak.
Comment 16 Francisco Blas Izquierdo Riera gentoo-dev 2010-10-04 04:19:44 UTC
(Both solutions ought to be applied on dev-php5/suhosin)
Comment 17 Anthony Basile gentoo-dev 2010-10-04 21:08:08 UTC
> 
> The first one will force the preload of the crypt library when loading the
> suhosin library (right now it is not there). The second one will mark the crypt
> symbol as weak.
> 

I'm not sure this is the correct approach.  Passing -lcrypt to LDFLAGS will link against openssl and bypass the built-in crypt function.  Line 983+ of php's configure.in checks for that:

dnl this has to be here to prevent the openssl crypt() from
dnl overriding the system provided crypt().
if test "$ac_cv_lib_crypt_crypt" = "yes"; then
  EXTRA_LIBS="-lcrypt $EXTRA_LIBS -lcrypt"
fi

Comment 18 Francisco Blas Izquierdo Riera gentoo-dev 2010-10-04 22:10:43 UTC
Then go for the second one and mark the symbol as weak :P
Comment 19 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-09 14:22:31 UTC
Okay, the problem here is not really hardened; hardened is only showing right away that the extension is broken; for non-hardened systems (where php is not by itself linked against libcrypt for other reasons), the extension will fail at runtime when the crypt() function is being called (see [1]). Immediate bindings only ensure that the extension is not loaded, rather than aborting at runtime.

I'm going to attach a patch for suhosin, and a patch for the ebuild to apply it, that solve the problem by properly linking against libcrypt as the extension needs.

[1] http://blog.flameeyes.eu/2010/09/01/your-worst-enemy-undefined-symbols
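
Added example, not part of the bug thread or of suhosin: a shell check for the under-linking described in comment 19. It lists the strong undefined symbols of a shared object that neither its own dependency tree (per ldd) nor an optional host binary exports. demo_crypt, libdemo.so, underlinked.so and linked.so are constructed stand-ins for crypt(), libcrypt and the two builds of suhosin.so; a Linux system with cc, binutils and ldd is assumed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from suhosin.
# ldd runs the dynamic loader, so point this only at objects you trust.

# DT_NEEDED sonames recorded in FILE.
needed_libs() {
    readelf -d "$1" | sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

# Strong undefined dynamic symbols of FILE (weak "w" entries are skipped).
undefined_syms() {
    nm -D --undefined-only "$1" | awk '$1 == "U" { sub(/@.*/, "", $2); print $2 }'
}

# Dynamic symbols FILE exports, symbol-version suffixes stripped.
defined_syms() {
    nm -D --defined-only "$1" 2>/dev/null | awk '{ sub(/@.*/, "", $NF); print $NF }'
}

# unresolved_syms FILE [HOST...]: undefined symbols of FILE that no library in
# its own dependency tree exports. HOST names objects that are already loaded
# when FILE is dlopen()ed (for a PHP extension, the php binary); their exports
# and those of their dependencies count as available too.
unresolved_syms() {
    so=$1; shift
    avail=$(mktemp) || return 1
    {
        for obj in "$so" "$@"; do
            ldd "$obj" 2>/dev/null |
                awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'
        done
        for host in "$@"; do printf '%s\n' "$host"; done
    } | while IFS= read -r provider; do defined_syms "$provider"; done |
        sort -u > "$avail"
    # grep exits 1 when nothing is left over; that is the healthy case.
    undefined_syms "$so" | sort -u | grep -vxF -f "$avail" || true
    rm -f "$avail"
}

# Build the constructed stand-ins in DIR: a library exporting demo_crypt, and
# one extension source linked without and with that library.
build_demo() {
    dir=$1
    printf 'char *demo_crypt(const char *k) { return (char *)k; }\n' \
        > "$dir/libdemo.c"
    printf 'char *demo_crypt(const char *);\nchar *ext_hash(const char *k) { return demo_crypt(k); }\n' \
        > "$dir/ext.c"
    cc -shared -fPIC -o "$dir/libdemo.so" "$dir/libdemo.c" &&
    cc -shared -fPIC -o "$dir/underlinked.so" "$dir/ext.c" &&
    cc -shared -fPIC -o "$dir/linked.so" "$dir/ext.c" \
        -L"$dir" -ldemo -Wl,-rpath,"$dir"
}

# Print DT_NEEDED and unresolved symbols for both builds.
demo() {
    d=$(mktemp -d) && build_demo "$d" || return 1
    for f in underlinked.so linked.so; do
        echo "$f: NEEDED=[$(needed_libs "$d/$f" | tr '\n' ' ')]" \
             "unresolved=[$(unresolved_syms "$d/$f" | tr '\n' ' ')]"
    done
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Passing the host binary as HOST shows the masking effect from comment 19: when the host already pulls in the library, the under-linked module reports nothing unresolved even though its own DT_NEEDED list is still incomplete.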
Comment 20 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-09 14:22:50 UTC
Created attachment 250027
Patch for suhosin
Comment 21 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-09 14:23:20 UTC
Created attachment 250029
Patch for the ebuild
Comment 22 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-11 23:25:18 UTC
Fixed in tree in 0.9.32.1-r1, hoping PHP team doesn't mind I got it through as QA. I also sent the patch upstream.
Comment 23 Ole Markus With (RETIRED) gentoo-dev 2010-10-18 06:29:30 UTC
(In reply to comment #22)
> Fixed in tree in 0.9.32.1-r1, hoping PHP team doesn't mind I got it through as
> QA. I also sent the patch upstream.
> 

We don't mind. Thanks a lot for your time on this bug. Appreciate it.