
Bug#691910: marked as done (unblock: php5/5.4.4-9)



Your message dated Thu, 01 Nov 2012 20:58:21 +0000
with message-id <1351803501.13272.11.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#691910: unblock: php5/5.4.4-9
has caused the Debian Bug report #691910,
regarding unblock: php5/5.4.4-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
691910: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691910
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package php5

Hi,

this is the beast with ten horns :-/.

The -8 update fixes:

 - one security-related bug (extended DES not detected when salt
   didn't have length == 9)
 - one security RC bug (PHP files exposed due to a typoed IfModule
   directive in apache2filter SAPI)
 - fixes libphp5-embed, so it can be used by external applications

The -9 update fixes:

 - adds more text about the mess created by php5 mime types removed
   from the mime-support package; there could be another update coming,
   but there is still no agreement on what solution would be best.
 - adds logrotate script for php5-fpm so the log file doesn't fill
   up the disk.
 - adds Breaks: php5-suhosin, so it's explicit that php5-suhosin
   doesn't work with php5.4.

$ diffstat ~/tmp/php5_5.4.4-9.debdiff
 debian/patches/expose_all_built_and_installed_apis.patch |   27 +++++++
 debian/patches/use_system_crypt_fixes.patch              |   11 ---
 php5-5.4.4/debian/changelog                              |   23 ++++++
 php5-5.4.4/debian/control                                |    3 
 php5-5.4.4/debian/libapache2-mod-php5.conf               |   52 +++++++--------
 php5-5.4.4/debian/libapache2-mod-php5filter.conf         |   20 ++---
 php5-5.4.4/debian/patches/006-debian_quirks.patch        |    6 +
 php5-5.4.4/debian/patches/php_crypt_revamped.patch       |    5 -
 php5-5.4.4/debian/patches/series                         |    2 
 php5-5.4.4/debian/php5-cgi.NEWS                          |   16 +++-
 php5-5.4.4/debian/php5-fpm.logrotate                     |   11 ---
 php5-5.4.4/debian/php5-sapi.lintian-overrides            |    2 
 php5-5.4.4/debian/rules                                  |    1 
 13 files changed, 112 insertions(+), 67 deletions(-)

unblock php5/5.4.4-9

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u php5-5.4.4/debian/php5-fpm.logrotate php5-5.4.4/debian/php5-fpm.logrotate
--- php5-5.4.4/debian/php5-fpm.logrotate
+++ php5-5.4.4/debian/php5-fpm.logrotate
@@ -1,16 +1,11 @@
-# cat /etc/logrotate.d/php5-fpm
 /var/log/php5-fpm.log {
+	rotate 12
 	weekly
 	missingok
-	rotate 7
+	notifempty
 	compress
 	delaycompress
-	notifempty
 	postrotate
-	     if [ -x /usr/sbin/invoke-rc.d ]; then \
-		invoke-rc.d php5-fpm reopen-logs > /dev/null 2>&1; \
-	     else \
-		/etc/init.d/php5-fpm reopen-logs > /dev/null 2>&1; \
-	     fi; \
+		invoke-rc.d php5-fpm reopen-logs > /dev/null
 	endscript
 }
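Review bot: the new postrotate line drops both the `if [ -x /usr/sbin/invoke-rc.d ]` fallback and the `2>&1`, so anything `invoke-rc.d php5-fpm reopen-logs` writes to stderr now ends up in logrotate's (cron-mailed) output, and if the init script's reopen-logs action exits non-zero while php5-fpm is stopped, logrotate will report the postrotate script as failed. If surfacing errors is the intent, fine; otherwise keep `2>&1` and append `|| true`.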
diff -u php5-5.4.4/debian/rules php5-5.4.4/debian/rules
--- php5-5.4.4/debian/rules
+++ php5-5.4.4/debian/rules
@@ -529,6 +529,7 @@
 
 	# install embed SAPI
 	cd embed-build && make install-headers install-build install-sapi install-programs INSTALL_ROOT=$(CURDIR)/debian/libphp5-embed
+	rm $(CURDIR)/debian/libphp5-embed/usr/lib/php5/*.la
 
 	# install the apache modules' files
 	cd apache2-build && $(MAKE) install-headers install-build install-modules install-programs INSTALL_ROOT=$(CURDIR)/debian/libapache2-mod-php5
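Review bot: `rm $(CURDIR)/debian/libphp5-embed/usr/lib/php5/*.la` is unconditional, so if the embed build ever stops producing a libtool archive the unexpanded glob makes `rm` fail and the package FTBFS; `rm -f` (or `find ... -name '*.la' -delete`) removes the file when present and is harmless otherwise.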
diff -u php5-5.4.4/debian/libapache2-mod-php5filter.conf php5-5.4.4/debian/libapache2-mod-php5filter.conf
--- php5-5.4.4/debian/libapache2-mod-php5filter.conf
+++ php5-5.4.4/debian/libapache2-mod-php5filter.conf
@@ -1,11 +1,9 @@
-<IfModule mod_php5.c>
-    <FilesMatch ".+\.ph(p3?|tml)$">
-	SetInputFilter PHP
-	SetOutputFilter PHP
-    </FilesMatch>
-    # Deny access to files without filename (e.g. '.php')
-    <FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
-        Order Deny,Allow
-        Deny from all
-    </FilesMatch>
-</IfModule>
+<FilesMatch ".+\.ph(p3?|tml)$">
+    SetInputFilter PHP
+    SetOutputFilter PHP
+</FilesMatch>
+# Deny access to files without filename (e.g. '.php')
+<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+    Order Deny,Allow
+    Deny from all
+</FilesMatch>
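Review bot: dropping the `<IfModule mod_php5.c>` guard is the exposure fix, but the extension coverage in this file is still narrower than in libapache2-mod-php5.conf: `.+\.ph(p3?|tml)$` routes only .php, .php3 and .phtml through the PHP filter, while the handler conf also covers .php4, .php5 and .pht, and there is no `.phps` rule here at all, so under apache2filter those files fall through to the default handler. Aligning the first FilesMatch with `.+\.ph(p[345]?|t|tml)$` and adding the same `.phps` deny block would keep the two SAPIs consistent.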
diff -u php5-5.4.4/debian/php5-sapi.lintian-overrides php5-5.4.4/debian/php5-sapi.lintian-overrides
--- php5-5.4.4/debian/php5-sapi.lintian-overrides
+++ php5-5.4.4/debian/php5-sapi.lintian-overrides
@@ -11,6 +11,8 @@
 php5-cli: embedded-library usr/bin/php5: file
 php5-fpm: embedded-library usr/sbin/php5-fpm: file
 libphp5-embed: embedded-library usr/lib/libphp5.so: file
+libphp5-embed: embedded-library usr/lib/php5/libphp5-*.so: file
+libphp5-embed: missing-dependency-on-phpapi
 libapache2-mod-php5: embedded-library ./usr/lib/apache2/modules/libphp5.so: file
 libapache2-mod-php5filter: embedded-library ./usr/lib/apache2/modules/libphp5filter.so: file
 php5-cgi: embedded-library ./usr/bin/php5-cgi: file
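Review bot: the new `libphp5-embed: missing-dependency-on-phpapi` override carries no justification; lintian accepts a `#` comment line before an override, and a one-liner explaining why the embed library legitimately lacks a phpapi-* dependency (it is a library, not an extension) saves the next maintainer from re-deriving it.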
diff -u php5-5.4.4/debian/php5-cgi.NEWS php5-5.4.4/debian/php5-cgi.NEWS
--- php5-5.4.4/debian/php5-cgi.NEWS
+++ php5-5.4.4/debian/php5-cgi.NEWS
@@ -1,8 +1,8 @@
 php5 (5.4.4-5) unstable; urgency=low
 
  Please be aware that the mime-support package has dropped non-standard
- definitions for PHP that might affect any systems using PHP 5 running
- as CGI or FastCGI.  The following definitions were dropped:
+ definitions for PHP, which might affect any systems using PHP 5
+ running as CGI or FastCGI.  The following definitions were dropped:
  
   application/x-httpd-php                        phtml pht php
   application/x-httpd-php-source                 phps
@@ -14,10 +14,20 @@
  The php5-cgi package mitigates any known issues by creating a (dummy)
  apache2 module php5_cgi with a configuration containing handlers for
  all previously defined extensions.  Even though we believe that this
- configuration should keep your PHP scripts interpreted, it might be a
+ configuration should keep your PHP scripts working, it might be a
  good idea to check your apache2 site-wide configuration as well as
  any specific PHP configuration for websites running on your system.
 
+ The new (dummy) php5_cgi configuration uses the SetHandler directive,
+ which might interfere with existing custom configurations such as
+ FastCGI (mod_fcgid or mod_fastcgi).  If so, you can reenable the
+ existing functionality of your custom configuration by disabling the
+ php5_cgi module (a2dismod php5_cgi), but you are also advised to
+ check whether your custom configuration is vulnerable to foo.php.jpeg
+ attacks.  The php5_cgi configuration snippet can be used as a base -
+ it's important to use the FilesMatch or Files directive to limit the
+ handling to the last extension.
+
  As far as we know definitions from the mime-support packages are not
  used in any other webserver included in Debian, but it might affect
  any application which relies on system MIME types to interpret PHP
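Review bot: the "foo.php.jpeg attacks" advice would be more actionable if it named the mechanism: with mod_mime, `AddHandler`/`AddType` match any extension anywhere in the filename, so `foo.php.jpeg` picks up the PHP handler, whereas `<FilesMatch "\.php$">` anchors on the final extension; a sentence to that effect next to the FilesMatch recommendation would tell admins what to look for in their own config. Minor wording: "reenable" is usually "re-enable", and "as a base -" reads better as a full stop.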
diff -u php5-5.4.4/debian/control php5-5.4.4/debian/control
--- php5-5.4.4/debian/control
+++ php5-5.4.4/debian/control
@@ -105,7 +105,8 @@
 	phpreports (<= 0.4.9-2),
 	php-kolab-filter (<= 0.1.9-4),
 	horde3 (<= 3.3.12+debian0-1),
-	moodle (<= 1.9.9.dfsg2-4)
+	moodle (<= 1.9.9.dfsg2-4),
+	php5-suhosin
 Description: Common files for packages built from the php5 source
  This package contains the documentation and example files relevant to all
  the other packages built from the php5 source.
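Review bot: the new `php5-suhosin` Breaks is unversioned while every neighbouring entry in the list is versioned; an unversioned Breaks also rejects any future php5-suhosin rebuilt against PHP 5.4. If the intent is only to keep the existing package out, the usual form is a versioned relation, `php5-suhosin (<= <current version>)` with the real version filled in; if suhosin is unsupported with 5.4 for good, the changelog should say so.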
diff -u php5-5.4.4/debian/changelog php5-5.4.4/debian/changelog
--- php5-5.4.4/debian/changelog
+++ php5-5.4.4/debian/changelog
@@ -1,3 +1,26 @@
+php5 (5.4.4-9) unstable; urgency=low
+
+  * Add logrotate script for php5-fpm (Closes: #683415)
+  * Add more warning text about new php5_cgi apache2 module (Closes: #687307)
+  * Add Breaks: php5-suhosin so people don't try to use it with PHP 5.4
+
+ -- Ondřej Surý <ondrej@debian.org>  Fri, 26 Oct 2012 14:32:02 +0200
+
+php5 (5.4.4-8) unstable; urgency=low
+
+  * Remove IfModule to always interpret PHP if the module is enabled
+    (Closes: #690413)
+  * Fix extended DES crypt() when salt != 9 (Closes: #687031)
+  * Fix libphp5-embed linking (Closes: #690173):
+    + Expose all installed (and not built time) SAPIs via php-config
+      --php-sapis
+    + Add /usr/lib/php5 to php-config --ldflags output to allow linking
+      with libphp5.so
+    + Remove useless libtool file in libphp5-embed
+  * Add new lintian-overrides for libphp5-embed
+
+ -- Ondřej Surý <ondrej@debian.org>  Thu, 25 Oct 2012 13:23:08 +0200
+
 php5 (5.4.4-7) unstable; urgency=low
 
   * Add explanatory text about MultiViews negotiation support to
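Review bot: the 5.4.4-8 entry does not mention that use_system_crypt_fixes.patch was dropped from debian/patches/series, which is exactly what the release team asks about later in this thread; a line such as "Drop use_system_crypt_fixes.patch: the bug51059 test is correct again now that extended DES handling is fixed" would make the debdiff self-explanatory. Also "when salt != 9" presumably means "when the salt length != 9".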
diff -u php5-5.4.4/debian/libapache2-mod-php5.conf php5-5.4.4/debian/libapache2-mod-php5.conf
--- php5-5.4.4/debian/libapache2-mod-php5.conf
+++ php5-5.4.4/debian/libapache2-mod-php5.conf
@@ -1,29 +1,27 @@
-<IfModule mod_php5.c>
-    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
-        SetHandler application/x-httpd-php
-    </FilesMatch>
-    <FilesMatch ".+\.phps$">
-        SetHandler application/x-httpd-php-source
-        # Deny access to raw php sources by default
-        # To re-enable it's recommended to enable access to the files
-        # only in specific virtual host or directory
-        Order Deny,Allow
-        Deny from all
-    </FilesMatch>
-    # Deny access to files without filename (e.g. '.php')
-    <FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
-        Order Deny,Allow
-        Deny from all
-    </FilesMatch>
+<FilesMatch ".+\.ph(p[345]?|t|tml)$">
+    SetHandler application/x-httpd-php
+</FilesMatch>
+<FilesMatch ".+\.phps$">
+    SetHandler application/x-httpd-php-source
+    # Deny access to raw php sources by default
+    # To re-enable it's recommended to enable access to the files
+    # only in specific virtual host or directory
+    Order Deny,Allow
+    Deny from all
+</FilesMatch>
+# Deny access to files without filename (e.g. '.php')
+<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+    Order Deny,Allow
+    Deny from all
+</FilesMatch>
 
-    # Running PHP scripts in user directories is disabled by default
-    # 
-    # To re-enable PHP in user directories comment the following lines
-    # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
-    # prevents .htaccess files from disabling it.
-    <IfModule mod_userdir.c>
-        <Directory /home/*/public_html>
-            php_admin_value engine Off
-        </Directory>
-    </IfModule>
+# Running PHP scripts in user directories is disabled by default
+# 
+# To re-enable PHP in user directories comment the following lines
+# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
+# prevents .htaccess files from disabling it.
+<IfModule mod_userdir.c>
+    <Directory /home/*/public_html>
+        php_admin_value engine Off
+    </Directory>
 </IfModule>
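Review bot: with the outer `<IfModule mod_php5.c>` gone, the `.phps` deny and the dotfile deny (`^\.ph(p[345]?|t|tml|ps)$`) now apply whether or not the module is loaded, which is what the "PHP files exposed" fix wants; a short comment at the top of the file saying the absence of the guard is deliberate would stop a future cleanup from reintroducing it. Note also that `Order Deny,Allow` / `Deny from all` is apache2 2.2 syntax and will need `Require all denied` (or mod_access_compat) when the package moves to 2.4.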
reverted:
--- php5-5.4.4/debian/patches/use_system_crypt_fixes.patch
+++ php5-5.4.4.orig/debian/patches/use_system_crypt_fixes.patch
@@ -1,11 +0,0 @@
---- a/ext/standard/tests/strings/bug51059.phpt
-+++ b/ext/standard/tests/strings/bug51059.phpt
-@@ -3,7 +3,7 @@ Bug #51059 crypt() segfaults on certain
- --FILE--
- <?php
- $res = crypt(b'a', b'_');
--if ($res === b'*0' || $res === b'*1') echo 'OK';
-+if ($res === b'__DAZ.Z4ErJDo') echo 'OK';
- else echo 'Not OK';
- 
- ?>
diff -u php5-5.4.4/debian/patches/series php5-5.4.4/debian/patches/series
--- php5-5.4.4/debian/patches/series
+++ php5-5.4.4/debian/patches/series
@@ -38,7 +38,6 @@
 use_embedded_timezonedb_fixes.patch
 fix_broken_sha2_test.patch
 php_crypt_revamped.patch
-use_system_crypt_fixes.patch
 session_save_path.patch
 #install-programs_parallel_FTBFS.patch
 php-fpm-man-section-and-cleanup.patch
@@ -77,0 +77 @@
+expose_all_built_and_installed_apis.patch
diff -u php5-5.4.4/debian/patches/php_crypt_revamped.patch php5-5.4.4/debian/patches/php_crypt_revamped.patch
--- php5-5.4.4/debian/patches/php_crypt_revamped.patch
+++ php5-5.4.4/debian/patches/php_crypt_revamped.patch
@@ -289,7 +289,7 @@
  
  static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  
-@@ -150,160 +143,158 @@ static void php_to64(char *s, long v, in
+@@ -150,160 +143,157 @@ static void php_to64(char *s, long v, in
  PHP_FUNCTION(crypt)
  {
  	char salt[PHP_MAX_SALT_LEN + 1];
@@ -490,8 +490,7 @@
 -
 -			memset(output, 0, PHP_MAX_SALT_LEN + 1);
 +#endif
-+		} else if (salt[0]=='_' && 
-+				   salt_len == 9) {
++		} else if (salt[0]=='_') {
 +			/* CRYPT_EXT_DES */
 +#if PHP_EXT_DES_CRYPT
 +# error Using system extended DES crypt function, should not happen on Debian system
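Review bot: dropping the `salt_len == 9` condition means every salt beginning with `_` is now dispatched to the extended-DES branch regardless of length, so the length and format validation must happen inside that branch and return the `*0`/`*1` failure token rather than falling through to traditional DES; that is precisely what the restored bug51059.phpt expectation (`crypt(b'a', b'_')` yielding `*0` or `*1`) checks. Stating in the patch header that the validation moved into the branch would make the change reviewable on its own. The nested hunk length update to 157 in the first hunk of this file is consistent with the two-line condition collapsing to one.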
diff -u php5-5.4.4/debian/patches/006-debian_quirks.patch php5-5.4.4/debian/patches/006-debian_quirks.patch
--- php5-5.4.4/debian/patches/006-debian_quirks.patch
+++ php5-5.4.4/debian/patches/006-debian_quirks.patch
@@ -194,17 +194,19 @@
  	scripts/phpize.m4 \
 --- a/scripts/php-config.in
 +++ b/scripts/php-config.in
-@@ -6,8 +6,8 @@ datarootdir="@datarootdir@"
+@@ -6,9 +6,9 @@ datarootdir="@datarootdir@"
  exec_prefix="@exec_prefix@"
  version="@PHP_VERSION@"
  vernum="@PHP_VERSION_ID@"
 -include_dir="@includedir@/php"
 -includes="-I$include_dir -I$include_dir/main -I$include_dir/TSRM -I$include_dir/Zend -I$include_dir/ext -I$include_dir/ext/date/lib"
+-ldflags="@PHP_LDFLAGS@"
 +include_dir="@includedir@/php5"
 +includes="-I$include_dir -I$include_dir/main -I$include_dir/TSRM -I$include_dir/Zend -I$include_dir/ext -I$include_dir/ext/date/lib $(getconf LFS_CFLAGS)"
- ldflags="@PHP_LDFLAGS@"
++ldflags="-L$prefix/lib/php5 @PHP_LDFLAGS@"
  libs="@EXTRA_LIBS@"
  extension_dir='@EXTENSION_DIR@'
+ man_dir=`eval echo @mandir@`
 --- a/scripts/phpize.in
 +++ b/scripts/phpize.in
 @@ -4,8 +4,8 @@
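Review bot: `ldflags="-L$prefix/lib/php5 @PHP_LDFLAGS@"` relies on `prefix` being assigned earlier in php-config.in (only `exec_prefix` is visible in this context); if it were not, the flag would silently degrade to `-L/lib/php5`, so worth confirming. Deriving the directory from `$exec_prefix` (or the configured libdir) rather than hard-coding `$prefix/lib/php5` would track the package layout automatically.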
only in patch2:
unchanged:
--- php5-5.4.4.orig/debian/patches/expose_all_built_and_installed_apis.patch
+++ php5-5.4.4/debian/patches/expose_all_built_and_installed_apis.patch
@@ -0,0 +1,27 @@
+--- a/scripts/man1/php-config.1.in
++++ b/scripts/man1/php-config.1.in
+@@ -44,7 +44,7 @@ Full path to php CLI or CGI binary
+ .TP
+ .PD 0
+ .B \-\-php-sapis
+-Show all SAPI modules available
++Show all SAPI modules installed on the Debian system
+ .TP
+ .PD 0
+ .B \-\-configure-options
+--- a/scripts/php-config.in
++++ b/scripts/php-config.in
+@@ -18,9 +18,12 @@ exe_extension="@EXEEXT@"
+ php_cli_binary=NONE
+ php_cgi_binary=NONE
+ configure_options="@CONFIGURE_OPTIONS@"
+-php_sapis="@PHP_INSTALLED_SAPIS@"
++#php_sapis="@PHP_INSTALLED_SAPIS@"
+ phpapi="@DEBIAN_PHP_API@"
+ 
++# Query the dpkg database for available PHP5 sapis
++php_sapis=$(dpkg-query -W -f='${binary:Package} ' libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm libphp5-embed 2>/dev/null | sed -e 's|libapache2-mod-php5|apache2handler|;s|libapache2-mod-php5filter|apache2filter|;s|php5-cgi|cgi|;s|php5-cli|cli|;s|php5-fpm|fpm|;s|libphp5-embed|embed|;')
++
+ # Set php_cli_binary and php_cgi_binary if available
+ for sapi in $php_sapis; do
+   case $sapi in
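Review bot: the sed chain in the `php_sapis=` line is order-sensitive: dpkg-query emits a single space-separated line, and `s|libapache2-mod-php5|apache2handler|` (non-global) rewrites the first occurrence of that prefix it finds. When libapache2-mod-php5 is absent but libapache2-mod-php5filter is present, the first match is the filter package and the result is `apache2handlerfilter`, which the later `s|libapache2-mod-php5filter|apache2filter|` no longer matches. Emitting one package per line (`-f='${binary:Package}\n'`) and anchoring each substitution (`s|^libapache2-mod-php5filter$|apache2filter|`, placed before the handler one) fixes that. Separately, `dpkg-query -W` also lists packages that are removed but not purged, so filtering on `${Status}` containing `installed` avoids advertising a SAPI whose package is gone. The commented-out `#php_sapis=...` line can simply be deleted.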

--- End Message ---
--- Begin Message ---
On Thu, 2012-11-01 at 21:22 +0100, Ondřej Surý wrote:
> On Thu, Nov 1, 2012 at 9:05 PM, Adam D. Barratt
> <adam@adam-barratt.org.uk> wrote:
> > Apologies if I missed it, but why was use_system_crypt_fixes.patch
> > disabled?
> 
> You're right, it misses the explanation.
> 
> Because the test which was patched in use_system_crypt_fixes.patch
> is correct again after extended DES was fixed.  The crypt() should fail
> when the salt starts with '_', but doesn't contain a correct salt.

Thanks for the explanation; unblocked.

Regards,

Adam

--- End Message ---