Re: Status of php-mbstring vs. libonig
On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
> On 22/11/2019 21:23, Sylvain Beucler wrote:
> > I see in 'embedded-code-copies':
> > libonig
> > - php5 5.3.2-1 (embed)
> > (i.e. from 2010)
> > Jessie seems to properly link to libonig (dependency of e.g.
> > libapache2-mod-php5).
> > Stretch and Buster however (probably since the new phpX.X-mbstring
> > package) do not link libonig anymore, despite build-depending on it, so
> > I assume the library is either statically linked, or PHP's embedded copy
> > is used.
> > There are various vulnerabilities affecting libonig at the moment, some
> > properly reported against libonig, some against PHP (e.g.
> > https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
> > Do you know what the current situation is supposed to be?
> AFAICS there's no --with-onig in the build process which means PHP is
> using an embedded copy of libonig for Stretch & Buster.
> Should I file a bug against php7.0&php7.3 to clarify?
This seems to have been an explicit decision in e4ca1ccf8cd0 ("Disable
all extensions with --disable-all and remove the various configure
options related to disabling the extensions") apparently in
debian/7.0.0_rc1-1. Can you try to clarify with the maintainer?