Status of php-mbstring vs. libonig

To: debian-security@lists.debian.org
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Status of php-mbstring vs. libonig
From: Sylvain Beucler <beuc@beuc.net>
Date: Fri, 22 Nov 2019 21:23:30 +0100
Message-id: <[🔎] b2671e5b-9ad8-e174-6489-fe4d2a6b8736@beuc.net>

Hi,

I see in 'embedded-code-copies':

  libonig
      - php5 5.3.2-1 (embed)

(i.e. from 2010)

Jessie seems to properly link to libonig (dependency of e.g.
libapache2-mod-php5).

Stretch and Buster however (probably since the new phpX.X-mbstring
package) do not link libonig anymore, despite build-depending on it, so
I assume the library is either statically linked, or PHP's embedded copy
is used.

There are various vulnerabilities affected libonig at the moment, some
properly reported against libonig, some against PHP (e.g.
https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).

Do you know what the current situation is supposed to be?

Cheers!
Sylvain

Reply to:

Follow-Ups:
- Re: Status of php-mbstring vs. libonig
  - From: Sylvain Beucler <beuc@beuc.net>

Prev by Date: Re: libapache2-mod-auth-openidc
Next by Date: RFT: Linux 3.16.78 package
Previous by thread: Re: libapache2-mod-auth-openidc
Next by thread: Re: Status of php-mbstring vs. libonig
Index(es):
- Date
- Thread