Debian Bug report logs - #582384
php5-suhosin: suhosin.memory_limit=0 ignores php memory_limit=-1

Package: php5-suhosin; Maintainer for php5-suhosin is (unknown);

Reported by: christoph@hilbert.alphasky.net

Date: Thu, 20 May 2010 12:00:02 UTC

Severity: normal

Tags: confirmed, upstream, wontfix

Found in version php-suhosin/0.9.31-1

Fixed in version 0.9.33-3+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.

Forwarded to user: "stefan.esser" domain: "sektioneins.de"


Report forwarded to debian-bugs-dist@lists.debian.org, php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>:
Bug#582384; Package php5-suhosin. (Thu, 20 May 2010 12:00:05 GMT).


Acknowledgement sent to christoph@hilbert.alphasky.net:
New Bug report received and forwarded. Copy sent to php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>. (Thu, 20 May 2010 12:00:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: christoph@hilbert.alphasky.net
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5-suhosin: suhosin.memory_limit=0 ignores php memory_limit=-1
Date: Thu, 20 May 2010 13:48:27 +0200
Package: php5-suhosin
Version: 0.9.31-1
Severity: normal

Hello,

the following script:

# cat test.php
<?php
ini_set("memory_limit", "256M");
echo "foobar\n";
?>

executed on the command line with the following parameters

# php5 --define memory_limit=-1 --define suhosin.memory_limit=0 test.php

leads to this syslog warning:

May 10 00:14:35 hilbert suhosin[8679]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '/home/christoph/test.php', line 3)


Suhosin should not warn because the script has the permission to use as much memory as it wants. The problem occurs with the same warning if I set memory_limit to -1 in php.ini

I think that this bug might be responsible for the following cacti bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566609


Regards

Christoph Kling


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5-suhosin depends on:
ii  libc6                         2.10.2-6   Embedded GNU C Library: Shared lib
ii  php5-cgi [phpapi-20090626]    5.3.2-1    server-side, HTML-embedded scripti
ii  php5-cli [phpapi-20090626]    5.3.2-1    command-line interpreter for the p

php5-suhosin recommends no packages.

php5-suhosin suggests no packages.

-- Configuration Files:
/etc/php5/conf.d/suhosin.ini changed [not included]

-- no debconf information




Added tag(s) upstream and confirmed. Request was from Jan Wagner <waja@cyconet.org> to control@bugs.debian.org. (Mon, 14 Jun 2010 14:54:06 GMT).


Set Bug forwarded-to-address to 'user: "stefan.esser" domain: "sektioneins.de"'. Request was from Jan Wagner <waja@cyconet.org> to control@bugs.debian.org. (Mon, 14 Jun 2010 14:54:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>:
Bug#582384; Package php5-suhosin. (Mon, 09 Aug 2010 12:03:09 GMT).


Acknowledgement sent to Jan Wagner <waja@cyconet.org>:
Extra info received and forwarded to list. Copy sent to php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>. (Mon, 09 Aug 2010 12:03:09 GMT).


Message #14 received at 582384@bugs.debian.org:

From: Jan Wagner <waja@cyconet.org>
To: christoph@hilbert.alphasky.net, 582384@bugs.debian.org
Subject: Re: Bug#582384: php5-suhosin: suhosin.memory_limit=0 ignores php memory_limit=-1
Date: Mon, 9 Aug 2010 14:00:56 +0200
On Thursday 20 May 2010 13:48:27 christoph@hilbert.alphasky.net wrote:
> the following script:
>
> # cat test.php
> <?php
> ini_set("memory_limit", "256M");
> echo "foobar\n";
> ?>
>
> executed on the command line with the following parameters
>
> # php5 --define memory_limit=-1 --define suhosin.memory_limit=0 test.php
>
> leads to this syslog warning:
>
> May 10 00:14:35 hilbert suhosin[8679]: ALERT - script tried to increase
> memory_limit to 268435456 bytes which is above the allowed value (attacker
> 'REMOTE_ADDR not set', file '/home/christoph/test.php', line 3)
>
>
> Suhosin should not warn because the script has the permission to use as
> much memory as it wants. The problem occurs with the same warning if I set
> memory_limit to -1 in php.ini

Citing Stefan Esser from irc:

the whole memory limit thing is bad anyway... initialising memory_limit to -1 
is just wrong... It abuses integer overflows etc...
[...]the fact that it abuses the -1 is a big unsigned number thingie

So I interpret that as "wontfix" by upstream.

With kind regards, Jan.
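
Added illustration, not part of the original thread and not Suhosin's source: a C model of how a -1 "unlimited" sentinel interacts with a limit comparison, using the report's values (configured memory_limit=-1, script requests 256M). The function names and the three check variants are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define UNLIMITED ((int64_t)-1)  /* the memory_limit=-1 sentinel from the report */

/* Model A: plain signed compare. Every positive request is "above" -1,
 * which reproduces the kind of alert shown in the report. */
int signed_check_alerts(int64_t ceiling, int64_t requested) {
    return requested > ceiling;
}

/* Model B: unsigned compare. -1 becomes UINT64_MAX, so "unlimited" works
 * only as a side effect of wraparound, and any other negative ceiling is
 * silently accepted as an enormous limit too. */
int unsigned_check_alerts(int64_t ceiling, int64_t requested) {
    return (uint64_t)requested > (uint64_t)ceiling;
}

/* Model C: handle the sentinel explicitly before comparing magnitudes. */
int sentinel_check_alerts(int64_t ceiling, int64_t requested) {
    if (ceiling == UNLIMITED) return 0;    /* nothing exceeds "no limit" */
    if (ceiling < 0) return 1;             /* malformed ceiling: fail closed */
    if (requested == UNLIMITED) return 1;  /* request lifts a finite ceiling */
    if (requested < 0) return 1;           /* malformed request */
    return requested > ceiling;
}

int main(void) {
    /* Constructed input matching the report: ini_set("memory_limit", "256M") */
    const int64_t req = 256LL * 1024 * 1024;
    printf("signed   ceiling=-1 req=256M alert=%d\n",
           signed_check_alerts(UNLIMITED, req));
    printf("unsigned ceiling=-1 req=256M alert=%d\n",
           unsigned_check_alerts(UNLIMITED, req));
    printf("unsigned ceiling=-2 req=256M alert=%d\n",
           unsigned_check_alerts(-2, req));
    printf("sentinel ceiling=-1 req=256M alert=%d\n",
           sentinel_check_alerts(UNLIMITED, req));
    printf("sentinel ceiling=-2 req=256M alert=%d\n",
           sentinel_check_alerts(-2, req));
    printf("sentinel ceiling=128M req=-1 alert=%d\n",
           sentinel_check_alerts(128LL * 1024 * 1024, UNLIMITED));
    return 0;
}
```
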

Added tag(s) wontfix. Request was from Jan Wagner <waja@cyconet.org> to control@bugs.debian.org. (Tue, 05 Apr 2011 18:39:07 GMT).


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Fri, 02 Dec 2016 13:48:40 GMT).


Notification sent to christoph@hilbert.alphasky.net:
Bug acknowledged by developer. (Fri, 02 Dec 2016 13:48:40 GMT).


Message #21 received at 582384-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 521198-done@bugs.debian.org,582384-done@bugs.debian.org,584486-done@bugs.debian.org,602812-done@bugs.debian.org,618446-done@bugs.debian.org,647219-done@bugs.debian.org,658228-done@bugs.debian.org,666911-done@bugs.debian.org,674199-done@bugs.debian.org,675169-done@bugs.debian.org,675278-done@bugs.debian.org,675312-done@bugs.debian.org,677093-done@bugs.debian.org,680145-done@bugs.debian.org,696470-done@bugs.debian.org,702522-done@bugs.debian.org,718145-done@bugs.debian.org,752650-done@bugs.debian.org,811326-done@bugs.debian.org,821709-done@bugs.debian.org,
Cc: php-suhosin@packages.debian.org, php-suhosin@packages.qa.debian.org
Subject: Bug#846136: Removed package(s) from unstable
Date: Fri, 02 Dec 2016 13:47:44 +0000
Version: 0.9.33-3+rm

Dear submitter,

as the package php-suhosin has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/846136

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 31 Dec 2016 07:44:21 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 01:14:03 2023; Machine Name: bembo
