
Re: PHP extensions FTBFS in jessie, c.f. #805222



Hello all,

I wanted to follow up on the issue of building PHP extensions in jessie.

On Sat, Sep 07, 2019 at 11:34:46AM -0400, Roberto C. Sánchez wrote:
> Hello all,
> 
> In working on an update for php-pecl-http I discovered that (all? nearly
> all?) PHP extensions fail to build in jessie because of a bug in php5.
> Specifically, the bug is #805222.
> 
> It appears that jessie was originally released with PHP 5.6.7 and the
> bug in question became known when PHP 5.6.16 was in unstable.  A fix was
> made to php5 and the separate php-pear package in unstable, but fixes
> were never made to jessie while it was stable or oldstable.
> 
> It seems that this update of php-pecl-http is the first PECL extension
> security update in jessie, which is why this problem has not previously
> appeared.  Though, the last comment on #805222 indicates that at least
> one user attempted to rebuild a PECL extension in jessie/stable and
> encountered the failure.  No action was taken on his follow-up to the
> bug.
> 
In exploring the history of php5 in unstable, version 5.6.16+dfsg-3
contained this changelog entry:

  * Revert PEAR version to last working version from PHP 5.6.14
    (Closes: #805222)

Based on that I downloaded the 5.6.14 release archive from upstream and
used that to replace the PEAR in the jessie version in the same way that
Ondřej did in that version.

> I have added php5 to dla-needed.txt and, unless there are objections, it
> is my intention to begin working on an update that addresses this bug in
> jessie.  I would then test it in an environment where I could attempt to
> build php-pecl-http to 1) verify that php5 is actually fixed with regard
> to #805222, and 2) that php-pecl-http can be made to build from source.
> 
After replacing PEAR as described above, I built php5, installed it in a
jessie chroot and then was able to successfully build php-pecl-http.

My proposed course of action is:

- Upload a php5 update with this change:

php5 (5.6.40+dfsg-0+deb8u6) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Revert PEAR version to last working version from PHP 5.6.14
    (Closes: #805222)

 -- Roberto C. Sanchez <roberto@debian.org>  Sun, 15 Sep 2019 07:02:48 -0400

- Release a DLA describing the reason for the update/change
- In addition to the CVE-2016-7398 patch to php-pecl-http, include this
  change:

diff --git a/debian/control b/debian/control
index 9e1da87..db7b4b3 100644
--- a/debian/control
+++ b/debian/control
@@ -3,8 +3,9 @@ Section: web
 Priority: optional
 Maintainer: Facundo Guerrero <guerremdq@gmail.com>
 Uploaders: Ulises Vitulli <dererk@debian.org> 
-Build-Depends: debhelper (>= 9), po-debconf, xsltproc, php5-dev, dh-php5, 
- pkg-php-tools (>= 1.6), php5-raphf-dev, php5-propro-dev, libpcre3-dev, chrpath
+Build-Depends: debhelper (>= 9), po-debconf, xsltproc, php5-dev (>= 5.6.40+dfsg-0+deb8u6), dh-php5, 
+ pkg-php-tools (>= 1.6), php5-raphf-dev, php5-propro-dev, libpcre3-dev, chrpath,
+ php-pear (>= 5.6.40+dfsg-0+deb8u6)
 Standards-Version: 3.9.5
 Homepage: http://pecl.php.net/package/pecl_http
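
Review bot: the versioned constraints added to Build-Depends (php5-dev and the new php-pear entry) both name 5.6.40+dfsg-0+deb8u6, which is the php5 upload proposed earlier in this message and is not yet published, so this package cannot have its build dependencies satisfied until that upload is in jessie-security. The two uploads need to be sequenced accordingly, and the php-pecl-http changelog should say that the bump exists because of #805222, since nothing in debian/control records the reason. If the reverted PEAR is carried only by php-pear, the php-pear constraint alone expresses the requirement and the php5-dev bump could be dropped. Minor: the first added line keeps the trailing space after "dh-php5,".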

- Proceed with the normal upload/advisory process for php-pecl-http

The main items where I would like to make sure I have not overlooked
something important are:

- Does updating php5 in this way make sense/seem appropriate?
- Does the change to Build-Depends in php-pecl-http seem
  correct/necessary?

Unless I hear any objections or suggested alternatives I intend to go
ahead with the steps outlined above late this week.

Regards,

-Roberto

-- 
Roberto C. Sánchez

