Bug#691910: unblock: php5/5.4.4-9
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package php5
Hi,
this is the beast with ten horns :-/.
The -8 update fixes:
- one security-related bug (extended DES not detected when the salt
didn't have length == 9)
- one security RC bug (PHP files exposed due to a typoed IfModule
directive in the apache2filter SAPI)
- libphp5-embed, so it can be used by external applications
The -9 update:
- adds more text about the mess created by the php5 MIME types removed
from the mime-support package; there could be another update coming,
but there is still no agreement on what solution would be best.
- adds a logrotate script for php5-fpm so the log file doesn't fill
up the disk.
- adds Breaks: php5-suhosin, so it's explicit that php5-suhosin
doesn't work with php5.4.
$ diffstat ~/tmp/php5_5.4.4-9.debdiff
debian/patches/expose_all_built_and_installed_apis.patch | 27 +++++++
debian/patches/use_system_crypt_fixes.patch | 11 ---
php5-5.4.4/debian/changelog | 23 ++++++
php5-5.4.4/debian/control | 3
php5-5.4.4/debian/libapache2-mod-php5.conf | 52 +++++++--------
php5-5.4.4/debian/libapache2-mod-php5filter.conf | 20 ++---
php5-5.4.4/debian/patches/006-debian_quirks.patch | 6 +
php5-5.4.4/debian/patches/php_crypt_revamped.patch | 5 -
php5-5.4.4/debian/patches/series | 2
php5-5.4.4/debian/php5-cgi.NEWS | 16 +++-
php5-5.4.4/debian/php5-fpm.logrotate | 11 ---
php5-5.4.4/debian/php5-sapi.lintian-overrides | 2
php5-5.4.4/debian/rules | 1
13 files changed, 112 insertions(+), 67 deletions(-)
unblock php5/5.4.4-9
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u php5-5.4.4/debian/php5-fpm.logrotate php5-5.4.4/debian/php5-fpm.logrotate
--- php5-5.4.4/debian/php5-fpm.logrotate
+++ php5-5.4.4/debian/php5-fpm.logrotate
@@ -1,16 +1,11 @@
-# cat /etc/logrotate.d/php5-fpm
/var/log/php5-fpm.log {
+ rotate 12
weekly
missingok
- rotate 7
+ notifempty
compress
delaycompress
- notifempty
postrotate
- if [ -x /usr/sbin/invoke-rc.d ]; then \
- invoke-rc.d php5-fpm reopen-logs > /dev/null 2>&1; \
- else \
- /etc/init.d/php5-fpm reopen-logs > /dev/null 2>&1; \
- fi; \
+ invoke-rc.d php5-fpm reopen-logs > /dev/null
endscript
}
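Review bot: The new postrotate line drops both the `2>&1` and the `/etc/init.d` fallback and has no `|| true`, so when invoke-rc.d exits non-zero (php5-fpm stopped, or a policy-rc.d that denies the action) its stderr now lands in logrotate's cron mail and logrotate records the postrotate script as failed. Suggest `invoke-rc.d php5-fpm reopen-logs > /dev/null 2>&1 || true`. Removing the stray `# cat /etc/logrotate.d/php5-fpm` header and the `rotate 12` / `notifempty` reordering are fine.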
diff -u php5-5.4.4/debian/rules php5-5.4.4/debian/rules
--- php5-5.4.4/debian/rules
+++ php5-5.4.4/debian/rules
@@ -529,6 +529,7 @@
# install embed SAPI
cd embed-build && make install-headers install-build install-sapi install-programs INSTALL_ROOT=$(CURDIR)/debian/libphp5-embed
+ rm $(CURDIR)/debian/libphp5-embed/usr/lib/php5/*.la
# install the apache modules' files
cd apache2-build && $(MAKE) install-headers install-build install-modules install-programs INSTALL_ROOT=$(CURDIR)/debian/libapache2-mod-php5
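Review bot: `rm $(CURDIR)/debian/libphp5-embed/usr/lib/php5/*.la` is unguarded, so the build fails with "No such file" if a later upstream stops installing the libtool archive and the glob does not expand; use `rm -f` (or `find $(CURDIR)/debian/libphp5-embed -name '*.la' -delete`) so deleting an already-absent file is a no-op.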
diff -u php5-5.4.4/debian/libapache2-mod-php5filter.conf php5-5.4.4/debian/libapache2-mod-php5filter.conf
--- php5-5.4.4/debian/libapache2-mod-php5filter.conf
+++ php5-5.4.4/debian/libapache2-mod-php5filter.conf
@@ -1,11 +1,9 @@
-<IfModule mod_php5.c>
- <FilesMatch ".+\.ph(p3?|tml)$">
- SetInputFilter PHP
- SetOutputFilter PHP
- </FilesMatch>
- # Deny access to files without filename (e.g. '.php')
- <FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
- Order Deny,Allow
- Deny from all
- </FilesMatch>
-</IfModule>
+<FilesMatch ".+\.ph(p3?|tml)$">
+ SetInputFilter PHP
+ SetOutputFilter PHP
+</FilesMatch>
+# Deny access to files without filename (e.g. '.php')
+<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+ Order Deny,Allow
+ Deny from all
+</FilesMatch>
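Review bot: The filter regex `.+\.ph(p3?|tml)$` covers fewer extensions than the deny regex right below it (`p[345]?|t|tml|ps`) and than the handler SAPI's `.+\.ph(p[345]?|t|tml)$` in libapache2-mod-php5.conf, so under apache2filter a `foo.php5` or `foo.pht` is not handed to PHP and falls to Apache's default handler, i.e. its source is served; either align the first regex with the handler SAPI's or put a comment in the file explaining why the filter SAPI deliberately handles fewer extensions. Dropping the `<IfModule mod_php5.c>` wrapper is the right fix for the exposure itself, since this conf is only read when the module is enabled through mods-enabled.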
diff -u php5-5.4.4/debian/php5-sapi.lintian-overrides php5-5.4.4/debian/php5-sapi.lintian-overrides
--- php5-5.4.4/debian/php5-sapi.lintian-overrides
+++ php5-5.4.4/debian/php5-sapi.lintian-overrides
@@ -11,6 +11,8 @@
php5-cli: embedded-library usr/bin/php5: file
php5-fpm: embedded-library usr/sbin/php5-fpm: file
libphp5-embed: embedded-library usr/lib/libphp5.so: file
+libphp5-embed: embedded-library usr/lib/php5/libphp5-*.so: file
+libphp5-embed: missing-dependency-on-phpapi
libapache2-mod-php5: embedded-library ./usr/lib/apache2/modules/libphp5.so: file
libapache2-mod-php5filter: embedded-library ./usr/lib/apache2/modules/libphp5filter.so: file
php5-cgi: embedded-library ./usr/bin/php5-cgi: file
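Review bot: The new `missing-dependency-on-phpapi` override for libphp5-embed carries no explanation; lintian-overrides files accept `#` comment lines, and the reason it is a false positive (libphp5-embed ships the interpreter as a SAPI library rather than an extension loaded by one, so a `phpapi-*` dependency does not apply) should be recorded above it so the override is not carried forward unexamined. The wildcard in `usr/lib/php5/libphp5-*.so` matches the versioned library that the new `-L$prefix/lib/php5` in php-config points at, so those two changes agree.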
diff -u php5-5.4.4/debian/php5-cgi.NEWS php5-5.4.4/debian/php5-cgi.NEWS
--- php5-5.4.4/debian/php5-cgi.NEWS
+++ php5-5.4.4/debian/php5-cgi.NEWS
@@ -1,8 +1,8 @@
php5 (5.4.4-5) unstable; urgency=low
Please be aware that the mime-support package has dropped non-standard
- definitions for PHP that might affect any systems using PHP 5 running
- as CGI or FastCGI. The following definitions were dropped:
+ definitions for PHP, which might affect any systems using PHP 5
+ running as CGI or FastCGI. The following definitions were dropped:
application/x-httpd-php phtml pht php
application/x-httpd-php-source phps
@@ -14,10 +14,20 @@
The php5-cgi package mitigates any known issues by creating a (dummy)
apache2 module php5_cgi with a configuration containing handlers for
all previously defined extensions. Even though we believe that this
- configuration should keep your PHP scripts interpreted, it might be a
+ configuration should keep your PHP scripts working, it might be a
good idea to check your apache2 site-wide configuration as well as
any specific PHP configuration for websites running on your system.
+ The new (dummy) php5_cgi configuration uses the SetHandler directive,
+ which might interfere with existing custom configurations such as
+ FastCGI (mod_fcgid or mod_fastcgi). If so, you can reenable the
+ existing functionality of your custom configuration by disabling the
+ php5_cgi module (a2dismod php5_cgi), but you are also advised to
+ check whether your custom configuration is vulnerable to foo.php.jpeg
+ attacks. The php5_cgi configuration snippet can be used as a base -
+ it's important to use the FilesMatch or Files directive to limit the
+ handling to the last extension.
+
As far as we know definitions from the mime-support packages are not
used in any other webserver included in Debian, but it might affect
any application which relies on system MIME types to interpret PHP
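Review bot: The new paragraph tells admins to check for "foo.php.jpeg attacks" but never says what makes a configuration vulnerable, so the check is hard to act on: mod_mime's `AddHandler`/`AddType` apply to every dot-separated extension in a filename, so `foo.php.jpeg` is passed to PHP, whereas a `<FilesMatch "\.php$">` block (the form the php5_cgi snippet and libapache2-mod-php5.conf use) only matches the final extension. Suggest naming `AddHandler`/`AddType` as the directives to look for and saying that `Files` only gives the same limit with an end-anchored pattern such as `*.php`, since "FilesMatch or Files directive" as written implies any `Files` block will do. Minor wording: "reenable" should be "re-enable", and "such as FastCGI (mod_fcgid or mod_fastcgi)" reads better as "such as a FastCGI setup (mod_fcgid or mod_fastcgi)".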
diff -u php5-5.4.4/debian/control php5-5.4.4/debian/control
--- php5-5.4.4/debian/control
+++ php5-5.4.4/debian/control
@@ -105,7 +105,8 @@
phpreports (<= 0.4.9-2),
php-kolab-filter (<= 0.1.9-4),
horde3 (<= 3.3.12+debian0-1),
- moodle (<= 1.9.9.dfsg2-4)
+ moodle (<= 1.9.9.dfsg2-4),
+ php5-suhosin
Description: Common files for packages built from the php5 source
This package contains the documentation and example files relevant to all
the other packages built from the php5 source.
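Review bot: `Breaks: php5-suhosin` is unversioned, unlike every other entry in this list, so it also blocks any future php5-suhosin upload that does support PHP 5.4 until php5-common is changed again; a versioned relation against the last known-incompatible version (`php5-suhosin (<= …)`) is the usual form. If the intent is that suhosin is not coming back for 5.4, a sentence saying so in the changelog entry would save the question later.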
diff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog
--- php5-5.4.4/debian/changelog
+++ php5-5.4.4/debian/changelog
@@ -1,3 +1,26 @@
+php5 (5.4.4-9) unstable; urgency=low
+
+ * Add logrotate script for php5-fpm (Closes: #683415)
+ * Add more warning text about new php5_cgi apache2 module (Closes: #687307)
+ * Add Breaks: php5-suhosin so people don't try to use it with PHP 5.4
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 26 Oct 2012 14:32:02 +0200
+
+php5 (5.4.4-8) unstable; urgency=low
+
+ * Remove IfModule to always interpret PHP if the module is enabled
+ (Closes: #690413)
+ * Fix extended DES crypt() when salt != 9 (Closes: #687031)
+ * Fix libphp5-embed linking (Closes: #690173):
+ + Expose all installed (and not built time) SAPIs via php-config
+ --php-sapis
+ + Add /usr/lib/php5 to php-config --ldflags output to allow linking
+ with libphp5.so
+ + Remove useless libtool file in libphp5-embed
+ * Add new lintian-overrides for libphp5-embed
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 25 Oct 2012 13:23:08 +0200
+
php5 (5.4.4-7) unstable; urgency=low
* Add explanatory text about MultiViews negotiation support to
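Review bot: The -8 entry for #690413 reads like a configuration cleanup, but the unblock mail classifies it as an RC security bug (PHP files served raw because the `IfModule` test never matched); the changelog should say so, since it is what the security tracker and stable users will read. Likewise "Fix extended DES crypt() when salt != 9" should read "when salt length != 9" and state what happened before (a `_`-prefixed salt of another length was not recognised as extended DES and was hashed by whichever branch came next), because that is the security-relevant part.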
diff -u php5-5.4.4/debian/libapache2-mod-php5.conf php5-5.4.4/debian/libapache2-mod-php5.conf
--- php5-5.4.4/debian/libapache2-mod-php5.conf
+++ php5-5.4.4/debian/libapache2-mod-php5.conf
@@ -1,29 +1,27 @@
-<IfModule mod_php5.c>
- <FilesMatch ".+\.ph(p[345]?|t|tml)$">
- SetHandler application/x-httpd-php
- </FilesMatch>
- <FilesMatch ".+\.phps$">
- SetHandler application/x-httpd-php-source
- # Deny access to raw php sources by default
- # To re-enable it's recommended to enable access to the files
- # only in specific virtual host or directory
- Order Deny,Allow
- Deny from all
- </FilesMatch>
- # Deny access to files without filename (e.g. '.php')
- <FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
- Order Deny,Allow
- Deny from all
- </FilesMatch>
+<FilesMatch ".+\.ph(p[345]?|t|tml)$">
+ SetHandler application/x-httpd-php
+</FilesMatch>
+<FilesMatch ".+\.phps$">
+ SetHandler application/x-httpd-php-source
+ # Deny access to raw php sources by default
+ # To re-enable it's recommended to enable access to the files
+ # only in specific virtual host or directory
+ Order Deny,Allow
+ Deny from all
+</FilesMatch>
+# Deny access to files without filename (e.g. '.php')
+<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+ Order Deny,Allow
+ Deny from all
+</FilesMatch>
- # Running PHP scripts in user directories is disabled by default
- #
- # To re-enable PHP in user directories comment the following lines
- # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
- # prevents .htaccess files from disabling it.
- <IfModule mod_userdir.c>
- <Directory /home/*/public_html>
- php_admin_value engine Off
- </Directory>
- </IfModule>
+# Running PHP scripts in user directories is disabled by default
+#
+# To re-enable PHP in user directories comment the following lines
+# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
+# prevents .htaccess files from disabling it.
+<IfModule mod_userdir.c>
+ <Directory /home/*/public_html>
+ php_admin_value engine Off
+ </Directory>
</IfModule>
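Review bot: With the outer `<IfModule mod_php5.c>` gone, the handler directives rely on php5.conf only ever being active together with php5.load: `application/x-httpd-php` is a MIME-type-style handler name, so if the conf is read while the module is not loaded Apache falls back to its default handler and serves the script as a download with that type, which is the same source exposure the filter-SAPI bug caused. That is acceptable because a2enmod/a2dismod manage both files as a pair, but a short comment at the top of the file saying so would stop someone re-adding an IfModule with the wrong module name or including this conf from elsewhere. The trailing `</IfModule>` now closes only the `mod_userdir.c` block, so the "from <IfModule ...> to </IfModule>" comment still points at the right lines.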
reverted:
--- php5-5.4.4/debian/patches/use_system_crypt_fixes.patch
+++ php5-5.4.4.orig/debian/patches/use_system_crypt_fixes.patch
@@ -1,11 +0,0 @@
---- a/ext/standard/tests/strings/bug51059.phpt
-+++ b/ext/standard/tests/strings/bug51059.phpt
-@@ -3,7 +3,7 @@ Bug #51059 crypt() segfaults on certain
- --FILE--
- <?php
- $res = crypt(b'a', b'_');
--if ($res === b'*0' || $res === b'*1') echo 'OK';
-+if ($res === b'__DAZ.Z4ErJDo') echo 'OK';
- else echo 'Not OK';
-
- ?>
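Review bot: Reverting this hunk restores upstream's expectation that `crypt('a', '_')` returns the `*0`/`*1` failure token rather than a hash. That is only consistent with the php_crypt_revamped change in this same debdiff (every `_`-prefixed salt now enters the extended-DES branch regardless of length) if the bundled extended-DES code rejects a one-byte salt and returns NULL; the hunk that removes the `salt_len == 9` test does not show that validation, so the patch header or changelog should state that it exists, otherwise a bare `_` salt would now produce a hash and this test would print "Not OK".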
diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series
--- php5-5.4.4/debian/patches/series
+++ php5-5.4.4/debian/patches/series
@@ -38,7 +38,6 @@
use_embedded_timezonedb_fixes.patch
fix_broken_sha2_test.patch
php_crypt_revamped.patch
-use_system_crypt_fixes.patch
session_save_path.patch
#install-programs_parallel_FTBFS.patch
php-fpm-man-section-and-cleanup.patch
@@ -77,0 +77 @@
+expose_all_built_and_installed_apis.patch
diff -u php5-5.4.4/debian/patches/php_crypt_revamped.patch php5-5.4.4/debian/patches/php_crypt_revamped.patch
--- php5-5.4.4/debian/patches/php_crypt_revamped.patch
+++ php5-5.4.4/debian/patches/php_crypt_revamped.patch
@@ -289,7 +289,7 @@
static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-@@ -150,160 +143,158 @@ static void php_to64(char *s, long v, in
+@@ -150,160 +143,157 @@ static void php_to64(char *s, long v, in
PHP_FUNCTION(crypt)
{
char salt[PHP_MAX_SALT_LEN + 1];
@@ -490,8 +490,7 @@
-
- memset(output, 0, PHP_MAX_SALT_LEN + 1);
+#endif
-+ } else if (salt[0]=='_' &&
-+ salt_len == 9) {
++ } else if (salt[0]=='_') {
+ /* CRYPT_EXT_DES */
+#if PHP_EXT_DES_CRYPT
+# error Using system extended DES crypt function, should not happen on Debian system
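Review bot: Dropping `salt_len == 9` from the condition is the right direction (a salt starting with `_` must never be silently treated as another scheme), but the hunk stops at `#if PHP_EXT_DES_CRYPT` / `# error`, so the length and alphabet check for an extended-DES salt (`_`, 4 bytes of iteration count, 4 bytes of salt, all from the itoa64 alphabet shown at the top of this file) must now be done by the Debian-bundled extended-DES path below; please confirm it returns NULL for a short or malformed salt so crypt() yields `*0`, which is what the reverted bug51059 test expects. The `@@ -150,160 +143,157 @@` count correction in the first hunk matches the single removed line.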
diff -u php5-5.4.4/debian/patches/006-debian_quirks.patch php5-5.4.4/debian/patches/006-debian_quirks.patch
--- php5-5.4.4/debian/patches/006-debian_quirks.patch
+++ php5-5.4.4/debian/patches/006-debian_quirks.patch
@@ -194,17 +194,19 @@
scripts/phpize.m4 \
--- a/scripts/php-config.in
+++ b/scripts/php-config.in
-@@ -6,8 +6,8 @@ datarootdir="@datarootdir@"
+@@ -6,9 +6,9 @@ datarootdir="@datarootdir@"
exec_prefix="@exec_prefix@"
version="@PHP_VERSION@"
vernum="@PHP_VERSION_ID@"
-include_dir="@includedir@/php"
-includes="-I$include_dir -I$include_dir/main -I$include_dir/TSRM -I$include_dir/Zend -I$include_dir/ext -I$include_dir/ext/date/lib"
+-ldflags="@PHP_LDFLAGS@"
+include_dir="@includedir@/php5"
+includes="-I$include_dir -I$include_dir/main -I$include_dir/TSRM -I$include_dir/Zend -I$include_dir/ext -I$include_dir/ext/date/lib $(getconf LFS_CFLAGS)"
- ldflags="@PHP_LDFLAGS@"
++ldflags="-L$prefix/lib/php5 @PHP_LDFLAGS@"
libs="@EXTRA_LIBS@"
extension_dir='@EXTENSION_DIR@'
+ man_dir=`eval echo @mandir@`
--- a/scripts/phpize.in
+++ b/scripts/phpize.in
@@ -4,8 +4,8 @@
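Review bot: `ldflags="-L$prefix/lib/php5 @PHP_LDFLAGS@"` derives an architecture-specific library directory from `$prefix` rather than `$exec_prefix` or `@libdir@`; on Debian all of them resolve to /usr so it works today, but `-L$exec_prefix/lib/php5` (or `@libdir@/php5`) is the conventional form and keeps the patch correct if the package ever moves to multiarch paths. Note also that `-L` only affects link time: a consumer built with `php-config --ldflags` still needs the SONAME of the library in `usr/lib/php5/` to be resolvable at run time (through whatever `usr/lib/libphp5.so` points at, an rpath, or an ld.so.conf.d snippet), which deserves a sentence in the patch header for people embedding libphp5.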
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/expose_all_built_and_installed_apis.patch
+++ php5-5.4.4/debian/patches/expose_all_built_and_installed_apis.patch
@@ -0,0 +1,27 @@
+--- a/scripts/man1/php-config.1.in
++++ b/scripts/man1/php-config.1.in
+@@ -44,7 +44,7 @@ Full path to php CLI or CGI binary
+ .TP
+ .PD 0
+ .B \-\-php-sapis
+-Show all SAPI modules available
++Show all SAPI modules installed on the Debian system
+ .TP
+ .PD 0
+ .B \-\-configure-options
+--- a/scripts/php-config.in
++++ b/scripts/php-config.in
+@@ -18,9 +18,12 @@ exe_extension="@EXEEXT@"
+ php_cli_binary=NONE
+ php_cgi_binary=NONE
+ configure_options="@CONFIGURE_OPTIONS@"
+-php_sapis="@PHP_INSTALLED_SAPIS@"
++#php_sapis="@PHP_INSTALLED_SAPIS@"
+ phpapi="@DEBIAN_PHP_API@"
+
++# Query the dpkg database for available PHP5 sapis
++php_sapis=$(dpkg-query -W -f='${binary:Package} ' libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm libphp5-embed 2>/dev/null | sed -e 's|libapache2-mod-php5|apache2handler|;s|libapache2-mod-php5filter|apache2filter|;s|php5-cgi|cgi|;s|php5-cli|cli|;s|php5-fpm|fpm|;s|libphp5-embed|embed|;')
++
+ # Set php_cli_binary and php_cgi_binary if available
+ for sapi in $php_sapis; do
+ case $sapi in
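Review bot: `dpkg-query -W` reports every package the dpkg database knows about, including packages removed but not purged (`rc` state), so a php5-cgi that was removed with its conffiles left behind still appears in `php-config --php-sapis` as `cgi`; select on the status field instead, e.g. `-f='${Status} ${binary:Package}\n'` and keep only lines whose status ends in ` installed` before the `sed` renaming. The commented-out `#php_sapis="@PHP_INSTALLED_SAPIS@"` should either be removed or gain a comment saying why the configure-time list is wrong on Debian (the SAPIs are split across separate binary packages), which is the whole point of the patch and is currently only implied by the man-page wording.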
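As an added illustration of the extended-DES detection bug summarised in the unblock request above (this is not PHP's code and not part of the package; the dispatch order and the MD5/Blowfish/SHA prefixes are modelled on the conventional crypt(3) scheme table, and the only branch the debdiff itself shows is the `_` one), the following Python models a salt-scheme dispatcher two ways: the fall-through shape, where the extended-DES branch condition tests prefix *and* length so an odd-length `_` salt silently drops into the traditional-DES catch-all, and a fail-closed shape that selects by prefix first and validates inside the branch, returning crypt()'s `*0` error token instead. The sample salts are constructed for the demonstration.

```python
"""Salt-scheme dispatch for a crypt(3)-style API, written two ways.

Added illustration (not PHP's code). It models the dispatch order that a
crypt() implementation uses (MD5, Blowfish, SHA-256/512, extended DES, then
traditional DES as the catch-all) to show why putting the salt-length test
into the branch *condition* is a bug, and what a fail-closed dispatcher
looks like instead.
"""
import re

FAIL_TOKEN = "*0"   # crypt() error token ("*1" when the salt itself is "*0")
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_ITOA64_SET = set(ITOA64)

# Extended-DES salt layout: '_' + 4 chars iteration count + 4 chars salt,
# all drawn from the itoa64 alphabet, 9 bytes in total.
EXT_DES_SALT_LEN = 9
EXT_DES_RE = re.compile(r"^_[./0-9A-Za-z]{8}$")
BLOWFISH_PREFIXES = ("$2a$", "$2x$", "$2y$")   # assumed scheme table


def classify_fallthrough(salt: str) -> str:
    """Buggy shape: the extended-DES branch tests prefix AND length, so a
    '_' salt of any other length is not 'detected' and falls into the
    catch-all, which hashes with traditional DES using the first two bytes.
    The caller gets a valid-looking hash from a scheme it did not ask for."""
    if salt.startswith("$1$"):
        return "md5"
    if salt.startswith(BLOWFISH_PREFIXES):
        return "blowfish"
    if salt.startswith("$5$"):
        return "sha256"
    if salt.startswith("$6$"):
        return "sha512"
    if salt.startswith("_") and len(salt) == EXT_DES_SALT_LEN:  # bug: length in the condition
        return "ext_des"
    return "std_des"   # catch-all: everything else is traditional DES


def classify_failclosed(salt: str) -> str:
    """Fixed shape: pick the scheme by prefix only, validate the salt inside
    the chosen branch, and fail closed with the error token on a malformed
    salt. A '_' salt can no longer end up in another algorithm."""
    if salt.startswith("$1$"):
        return "md5"
    if salt.startswith(BLOWFISH_PREFIXES):
        return "blowfish"
    if salt.startswith("$5$"):
        return "sha256"
    if salt.startswith("$6$"):
        return "sha512"
    if salt.startswith("_"):
        return "ext_des" if EXT_DES_RE.match(salt) else FAIL_TOKEN
    # Traditional DES uses the first two bytes, which must be itoa64 chars.
    if len(salt) >= 2 and salt[0] in _ITOA64_SET and salt[1] in _ITOA64_SET:
        return "std_des"
    return FAIL_TOKEN


def compare(salts):
    """Return {salt: (fall-through result, fail-closed result)}; the rows
    where the two differ are exactly the inputs the fix changes."""
    return {s: (classify_fallthrough(s), classify_failclosed(s)) for s in salts}


# Constructed sample salts (not taken from any real password store).
SAMPLE_SALTS = [
    "_J9..rasm",                                   # well-formed extended DES, 9 bytes
    "_J9..rasmX",                                  # same prefix, one extra byte
    "_",                                           # the bug51059 case: bare underscore
    "$1$rasmusle$",                                # MD5
    "$6$rounds=5000$usesomesillystringforsalt$",   # SHA-512
    "rl",                                          # traditional DES
]

if __name__ == "__main__":
    for salt, (before, after) in compare(SAMPLE_SALTS).items():
        flag = "  <-- changed by the fix" if before != after else ""
        print(f"{salt!r:48} fall-through={before:8} fail-closed={after}{flag}")
```

Running it prints one row per salt; only the `_J9..rasmX` and `_` rows differ between the two dispatchers, which is the class of input the `salt_len == 9` removal in php_crypt_revamped.patch addresses: a salt that announces extended DES is either handled as extended DES or rejected, never quietly hashed with a weaker scheme.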