[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PHP extensions FTBFS in jessie, c.f. #805222

Hello all,

I wanted to follow-up on the issue of building PHP extensions in jessie.

On Sat, Sep 07, 2019 at 11:34:46AM -0400, Roberto C. Sánchez wrote:
> Hello all,
> In working on an update for php-pecl-http I discovered that (all? nearly
> all?) PHP extensions fail to build in jessie because of a bug in php5.
> Specifically, the bug is #805222.
> It appears that jessie was originally released with PHP 5.6.7 and the
> bug in question became known when PHP 5.6.16 was in unstable.  A fix was
> made to php5 and the separate php-pear package in unstable, but fixes
> were never made to jessie while it was stable or oldstable.
> It seems that this update of php-pecl-http is the first PECL extension
> security update in jessie, which is why this problem has not previously
> appeared.  Though, the last comment on #805222 indicates that at least
> one user attempted to rebuild a PECL extension in jessie/stable and
> encountered the failure.  No action was taken on his follow-up to the
> bug.
In exploring the history of php5 in unstable, version 5.6.16+dfsg-3
contained this changelog entry:

  * Revert PEAR version to last working version from PHP 5.6.14
    (Closes: #805222)

Based on that I downloaded the 5.6.14 release archive from upstream and
used that to replace the PEAR in the jessie version in the same way that
Ondřej did in that version.

> I have added php5 to dla-needed.txt and, unless there are objections, it
> is my intention to begin working on an update that addresses this bug in
> jessie.  I would then test it in an environment where I could attempt to
> build php-pecl-http to 1) verify that php5 is actually fixed with regard
> to #805222, and 2) that php-pecl-http can be made to build from source.
After replacing PEAR as described above, I build php5, installed it in a
jessie chroot and then was able to successfully build php-pecl-http.

My proposed course of action is:

- Upload a php5 update with this change:

php5 (5.6.40+dfsg-0+deb8u6) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Revert PEAR version to last working version from PHP 5.6.14
    (Closes: #805222)

 -- Roberto C. Sanchez <roberto@debian.org>  Sun, 15 Sep 2019 07:02:48 -0400

- Release a DLA describing the reason for the update/change
- In addition to the CVE-2016-7398 patch to php-pecl-http, include this

diff --git a/debian/control b/debian/control
index 9e1da87..db7b4b3 100644
--- a/debian/control
+++ b/debian/control
@@ -3,8 +3,9 @@ Section: web
 Priority: optional
 Maintainer: Facundo Guerrero <guerremdq@gmail.com>
 Uploaders: Ulises Vitulli <dererk@debian.org> 
-Build-Depends: debhelper (>= 9), po-debconf, xsltproc, php5-dev, dh-php5, 
- pkg-php-tools (>= 1.6), php5-raphf-dev, php5-propro-dev, libpcre3-dev, chrpath
+Build-Depends: debhelper (>= 9), po-debconf, xsltproc, php5-dev (>= 5.6.40+dfsg-0+deb8u6), dh-php5, 
+ pkg-php-tools (>= 1.6), php5-raphf-dev, php5-propro-dev, libpcre3-dev, chrpath,
+ php-pear (>= 5.6.40+dfsg-0+deb8u6)
 Standards-Version: 3.9.5
 Homepage: http://pecl.php.net/package/pecl_http

- Proceed with the normal upload/advisory process for php-pecl-http

The main items where I would like to make sure I have not overlooked
something important are:

- Does updating php5 in this way make sense/seem appropriate?
- Does the change to Build-Depends in php-pecl-http seem

Unless I hear any objections or suggested alternatives I intend to go
ahead with the steps outlined above late this week.



Roberto C. Sánchez

Reply to: