It was reported [1] that a flaw in how the PHP Suhosin extension handled transparent cookie encryption could possibly lead to arbitrary code execution in certain situations.

Quoting from the report:

During an internal audit of the Suhosin PHP extension, which is
often confused with the Suhosin PHP Patch, although they are not
the same, a possible stack based buffer overflow inside the
transparent cookie encryption feature was discovered.

If successfully exploited this vulnerability can lead to arbitrary
remote code execution. However further investigation into the
vulnerability revealed that it can only be triggered if the admin
has not only activated transparent cookie encryption, but also
explicitly disabled several other security features of Suhosin.
In addition to that remote exploitation requires a PHP application
that puts unfiltered user input into a call to the header()
function that sends a Set-Cookie header.

Furthermore most modern unix systems compile the Suhosin extension
with the FORTIFY_SOURCE flag, which will detect the possible buffer
overflow and abort execution before something bad can happen.


This can only ne done with the feature is enabled (suhosin.cookie.encrypt).  This is corrected in upstream 0.9.33 [2].

[1] http://seclists.org/fulldisclosure/2012/Jan/295
[2] https://github.com/stefanesser/suhosin/commit/73b1968ee30f6d9d2dae497544b910e68e114bfa