Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:57686 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 96397 invoked from network); 4 Feb 2012 09:47:19 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Feb 2012 09:47:19 -0000 Authentication-Results: pb1.pair.com header.from=stefan@nopiracy.de; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=stefan@nopiracy.de; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain nopiracy.de from 81.169.146.161 cause and error) X-PHP-List-Original-Sender: stefan@nopiracy.de X-Host-Fingerprint: 81.169.146.161 mo-p00-ob.rzone.de Solaris 10 (beta) Received: from [81.169.146.161] ([81.169.146.161:49525] helo=mo-p00-ob.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id D9/0A-08838-6AEFC2F4 for ; Sat, 04 Feb 2012 04:47:19 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; t=1328348836; l=3097; s=domk; d=nopiracy.de; h=To:References:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From: Content-Type:Mime-Version:Subject:X-RZG-CLASS-ID:X-RZG-AUTH; bh=5w26ywHe/JI6h7Trk4KYN6Vc8Ts=; b=cNCrqJPLtCZQ4gNCWZN+vSEt2Ret6gc+4NpzzIgSik9G4RuORrpIx2Xg+NvlMp2wJpc riQm0dIkzpinA/lvJQYbLxXjnoBdvHRrKuAyB4PLOVcyjfzla6tI+BQEpTimDtMjbM041 lkgsonx7q2txbXZQEnGUiJkP8MEcYCrEh7U= X-RZG-AUTH: :OH4FY0Wkd/plSHgwfKFIgHoVYx5SSathkA9OvI+ii+JXGfvQUzm/Ahii7iullNGyVg== X-RZG-CLASS-ID: mo00 Received: from [10.23.17.42] (cable-78-34-71-151.netcologne.de [78.34.71.151]) by smtp.strato.de (jimi mo35) (RZmta 27.6 DYNA|AUTH) with (AES128-SHA encrypted) ESMTPA id a01950o147FkLK ; Sat, 4 Feb 2012 10:46:28 +0100 (MET) Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=iso-8859-1 In-Reply-To: Date: Sat, 4 Feb 2012 10:46:28 +0100 Cc: Stas Malyshev , Soenke Ruempler - Jimdo , PHP internals , "security@php.net" , "zigo@debian.org" Content-Transfer-Encoding: quoted-printable Message-ID: References: <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <4F2A9378.70803@thelounge.net> <4F2AC9CA.2070308@sugarcrm.com> <4F2B2ED8.4050900@jimdo.com> <72878E6C-4C17-4D94-9F73-1446769247E1@nopiracy.de> <4F2CEA7E.9010906@sugarcrm.com> <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de> To: Pierre Joye X-Mailer: Apple Mail (2.1251.1) Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds From: stefan@nopiracy.de (Stefan Esser) Hello Pierre, >> See you do it again. You claim I believe EMET has been created = because of Suhosin. I never said that. Although one of the lead = developers of EMET compared it himself to it. >> You know some features of Suhosin are already in PHP and the HTTP = response splitting drama shows that when you break it there is a = secondary layer of defense that protects you in case you use Suhosin. >=20 > I was talking about the compilation security options which are similar > (in some extends) to what Suhosin does (for some features). Actually no. The key security iprovements in Suhosin-Patch have nothing = todo with anything the compile time options of VC offer. Suhosin does not attempt to do Stack Protection, or ASLR or NX. The only = thing that might be a compile time option is support for %n in format = strings. I think VC or libs do not allow that anymore. The problem with PHP is that is does a lot of things like implementing = their own heap manager from scratch, which is a security nightmare and = something a compiler cannot protect you from. >> Do you forget PHP 5.3.7 and PHP 5.3.9 both times there were security = vulnerabilities introduced right after the last RC. >> This is a sign that the PHP development process is still not healthy = at all. > So any software having security issues at one point or another is not = healthy? Again. We are not talking about software having security issues. We are = talking about software with 4,5 or whatever number of release = candidates. And then the security vulnerability is caused by an unreviewed commit to = the code after the last release candidate and before final. This is bad. And there is no point arguing this fact. > I consider the opposite, I am very careful when I see a software > without any discovered issues for a long time, a sign of lack of > activities and users. Of course it might mean exactly this. But it could also mean that the = software simply works and does not have major problems. >> You claim I have personal issues, while I repeatedly tell you the = technical reasons why I see it different then you. >=20 > Sorry but I do not see technical issues in this thread, as in > technical explanations about why one given feature is actually a good > thing. I did not see any either in the past discussions. I repeatedly tell you that a second layer of defense outside of the main = product is a good thing. You disagree. However defense in depth is widely accepted as the way to = go. Also having canaries in memory managers, while using more memory is a = known valid mitigation against buffer overflows. You can look it up on = the internet. Having pointer obfuscation is also a mitigation you see in glibc and = Microsoft (even in Internet Explorer). Whitelisting of destructors is a mitigation based on whitelisting. These are all basic prinicples of security mitigations. Why is there a = need to write up RFC about these things. They are widely accepted by = other software vendors/products. Regards, Stefan=