1 May 2009 · About 3 minutes read

PHP: Fixing Mismatched Canaries - How to Remove suhosin from Debian/Ubuntu Packages

30 August 2009: Will’s comment notes that Debian Squeeze now has an updated php5-suhosin package that may fix the problem I discuss below.

Having recently moved our development environment at work to a stock Debian 5 machine, some of our PHP code was throwing the following strange error in the apache (not the PHP) error log:

textcanary mismatch on efree() - heap overflow detected ...

After some research, it turns out this somewhat strange error is caused by the suhosin patch that is compiled into Debian’s default PHP5 package. In my case, it was some calls to mssql_query were throwing the error in Apache.

Updating the php.ini file to switch suhosin into simulation mode (as suggested by the documentation) didn’t have any effect, so I set about recompiling PHP5 into a new deb package without the suhosin patch.

This was the best tutorial I found for recompiling the deb. I’ve recreated the instructions below:

Create a working folder somewhere on your machine:

```bash$ mkdir ~/packages

$ cd ~/packages```

Install the Debian development packages

```bash$ sudo apt-get install devscripts

$ sudo apt-get install gcc debhelper fakeroot

$ apt-get source php5

$ sudo apt-get build-dep php5```

These lines will install the development helper scripts, and download the source files for PHP5 and its dependencies.

Remove references to the suhosin patch

```bash$ cd php5-x.y # This will depend on the version of PHP

$ rm debian/patches/suhosin.patch```

You now need to remove the instruction to include suhosin in the compiled package. I’ve used vim, but you can use any text editor.

bash$ sudo vim debian/patches/series

Once open, remove the line referencing suhosin.patch

Increment the package version

Incrementing the version will ensure that your custom package is installed by apt-get. You can use the debchange script to achieve this. You should avoid mentioning suhosin in the version name, and instead append a custom version string, e.g:

bash$ debchange -v 5.2.6-1debian.5.0~custom1 # 5.2.6 was my distro's default version. Again, change to match the default php version for your distrubution

Your text editor will open, and you should update the changelog to mention that you have removed the suhosin patch.

Compile and Build the Package

bash$ debuild

The build took a while on my machine, so now’s a great time to grab a brew.

Once finished, you should have a set of debs ready to install in the parent folder (../php5...).

```bash$ dpkg -i php5-x.y.z.deb php5-common-x.y.z.deb php5-sybase-x.y.z.deb

Include any additional packages you use, e.g. php-pear

php5 php5-common php5-sybase (the PHP5 MSSQL connector package)```

The build process also creates a libapache2-mod-php5 package which I had to install to use the custom of build of PHP5 through Apache using dpkg:

bash$ dpkg -i libapache2-mod-php5-x.y.z # Use the new PHP5 in Apache2

Via: Original Instructional Post[http://ambitonline.com/]

Chris Blunt
Chris Blunt@cblunt
Chris is the founder of Plymouth Software. As well as code and business, he enjoys being a Dad, swimming, and the fine art of drinking tea.