Re: Status of php-mbstring vs. libonig
Hi,
On 25/11/2019 15:20, Salvatore Bonaccorso wrote:
> On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
>> On 22/11/2019 21:23, Sylvain Beucler wrote:
>>> I see in 'embedded-code-copies':
>>>
>>> libonig
>>> - php5 5.3.2-1 (embed)
>>>
>>> (i.e. from 2010)
(Somehow I thought this was a documented exception, while this is the
version where this was fixed.)
>>> Jessie seems to properly link to libonig (dependency of e.g.
>>> libapache2-mod-php5).
>>>
>>> Stretch and Buster however (probably since the new phpX.X-mbstring
>>> package) do not link libonig anymore, despite build-depending on it, so
>>> I assume the library is either statically linked, or PHP's embedded copy
>>> is used.
>>>
>>> There are various vulnerabilities affected libonig at the moment, some
>>> properly reported against libonig, some against PHP (e.g.
>>> https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
>>>
>>> Do you know what the current situation is supposed to be?
>> Ping?
>>
>> AFAICS there's no --with-onig in the build process which means PHP is
>> using an embedded copy of libonig for Stretch & Buster.
>>
>> Should I file a bug against php7.0&php7.3 to clarify?
> This seem to have been an explicit decision in e4ca1ccf8cd0 ("Disable
> all extensions with --disable-all and remove the various configure
> options related to disabling the extensions")[1] apparently in
> debian/7.0.0_rc1-1. Can you try to clarify with the maintainer?
>
> [1] https://salsa.debian.org/php-team/php/commit/e4ca1ccf8cd09016d8cc6f321d2e6b6702f66089
This seems to be the cause.
However this didn't affect phpx.x-sqlite, for instance, so it's probably
a refactoring bug.
I'll open a bug against php-7.0 and php-7.3.
Cheers!
Sylvain
Reply to: