Hi Adam and release team,
sorry to bother you again with PHP :), but the inevitable has happened
and PHP 5.6.17+dfsg has been released with 4 security vulnerabilities.
Salvatore has asked me again if we could push this through SRU, since
you already approved 5.6.16+dfsg.
Here's the list of security vulnerabilities fixed in 5.6.17 (and also
waiting for update for 5.5.45 in wheezy):
+ Use After Free Vulnerability in WDDX Packet Deserialization
+ Session WDDX Packet Deserialization Type Confusion Vulnerability
+ fpm_log.c memory leak and buffer overflow
+ Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
And here's the copy of the email I sent to security team and minified
attachments (hopefully this can get through this time):
On Tue, Jan 12, 2016, at 09:33, Ondřej Surý wrote:
> Hi Salvatore and the security team,
>
> [the underlying question is whether we can make this into point release,
> or I should speedy upload at least 5.6.16+dfsg via p-u (already
> approved)]
>
> 5.6.16-0+deb8u1 has been accepted to p-u by release team, so this update
> only addresses the update from 5.6.16+dfsg to 5.6.17+dfsg and mostly the
> four security bugs I sent earlier in the 5.4.45 update.
>
> New FAILED tests:
>
> +Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out
> of Bounds) [ext/gd/tests/bug70976.phpt]
>
> Looks ok to me, only an additional warning in the output, otherwise test
> runs as expected.
>
> +Bug #70741 (Session WDDX Packet Deserialization Type Confusion
> Vulnerability) [ext/wddx/tests/bug70741.phpt]
>
> Looks ok, we don't have a writable /var/lib/php5/sessions/ directory, so
> it shows additional warnings, but the result of the test is ok.
>
> Otherwise no differences between 5.6.16 and 5.6.17 tests.
>
> Changes:
> php5 (5.6.17+dfsg-0+deb8u1) jessie-security; urgency=high
> .
> * Imported Upstream version 5.6.17+dfsg
> - Core:
> . Fixed bug #66909 (configure fails utf8_to_mutf7 test).
> . Fixed bug #70958 (Invalid opcode while using ::class as trait method
> parameter default value).
> . Fixed bug #70957 (self::class can not be resolved with reflection
> for abstract class).
> . Fixed bug #70944 (try{ } finally{} can create infinite chains of
> exceptions).
> . Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol:
> php_register_internal_extensions).
> - FPM:
> . Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
> - GD:
> . Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array
> Index Out of Bounds).
> - Mysqlnd:
> . Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir
> restriction).
> - SOAP:
> . Fixed bug #70900 (SoapClient systematic out of memory error).
> - Standard:
> . Fixed bug #70960 (ReflectionFunction for array_unique returns wrong
> number of parameters).
> - PDO_Firebird:
> . Fixed bug #60052 (Integer returned as a 64bit integer on X64_86).
> - WDDX:
> . Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet
> Deserialization).
> . Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion
> Vulnerability).
> - XMLRPC:
> . Fixed bug #70728 (Type Confusion Vulnerability in
> PHP_to_XMLRPC_worker()).
> * Rebase patches on top of 5.6.17+dfsg release
> * Make phar command versioned and use update-alternatives for 'phar'
> name to allow coinstallation with src:php7.0 packages
>
> debdiff:
>
> $ xzcat php5_5.6.17+dfsg-0+deb8u1.debdiff.xz | diffstat
> NEWS                                                  |  48 +++++-
> Zend/tests/bug70944.phpt                              |  37 ++++
> Zend/tests/bug70957.phpt                              |  22 ++
> Zend/tests/bug70958.phpt                              |  21 ++
> Zend/zend_compile.c                                   |  12 +
> Zend/zend_exceptions.c                                |  12 +
> configure                                             |  65 ++++----
> configure.in                                          |   2
> debian/changelog                                      |  42 +++++
> debian/patches/0001-libtool_fixes.patch               |   2
> debian/patches/0003-debian_quirks.patch               |   2
> debian/patches/0008-extension_api.patch               |   2
> debian/patches/0013-php-5.4.7-libdb.patch             |  14 +
> debian/patches/0027-hurd-noptrace.patch               |   2
> debian/patches/0028-php-5.3.9-mysqlnd.patch           |   4
> debian/patches/0029-php-5.3.9-gnusrc.patch            |   2
> debian/patches/0042-php-5.4.9-fixheader.patch         |   2
> debian/php5-cli.postinst.extra                        |   9 -
> debian/php5-cli.prerm.extra                           |   1
> debian/rules                                          |   4
> ext/dba/config.m4                                     |   6
> ext/gd/gd_compat.c                                    |   4
> ext/gd/libgd/gd_interpolation.c                       |   2
> ext/gd/tests/bug70976.phpt                            |  13 +
> ext/imap/config.m4                                    |  15 +
> ext/ldap/ldap.c                                       |  14 +
> ext/ldap/tests/ldap_connect_variation.phpt            |   5
> ext/mysql/php_mysql.c                                 |   2
> ext/mysqli/mysqli_api.c                               |   2
> ext/mysqli/mysqli_nonapi.c                            |   2
> ext/mysqli/tests/bug68077.phpt                        |  80 ++++++++++
> ext/mysqli/tests/mysqli_options_openbasedir.phpt      |  18 +-
> ext/mysqlnd/mysqlnd.c                                 |   4
> ext/mysqlnd/mysqlnd_net.c                             |   4
> ext/pdo_firebird/firebird_statement.c                 |   2
> ext/pdo_mysql/mysql_driver.c                          |   2
> ext/reflection/tests/ReflectionMethod_defaultArg.phpt |  44 +++++
> ext/reflection/tests/bug70960.phpt                    |  10 +
> ext/session/tests/session_decode_error2.phpt          |   4
> ext/soap/php_sdl.c                                    |   4
> ext/standard/basic_functions.c                        |   3
> ext/wddx/tests/bug70661.phpt                          |  69 ++++++++
> ext/wddx/tests/bug70741.phpt                          |  26 +++
> ext/wddx/wddx.c                                       | 141 +++++++++---------
> ext/xmlrpc/tests/bug70728.phpt                        |  30 +++
> ext/xmlrpc/xmlrpc-epi-php.c                           |  13 +
> main/php_version.h                                    |   6
> sapi/cgi/config9.m4                                   |   4
> sapi/cli/config.m4                                    |   4
> sapi/cli/tests/bug70470.phpt                          |   4
> sapi/fpm/config.m4                                    |   2
> sapi/fpm/fpm/fpm_log.c                                |   5
> sapi/litespeed/lsapi_main.c                           |   6
> sapi/litespeed/lsapilib.c                             |  69 +++++++-
> 54 files changed, 757 insertions(+), 167 deletions(-)
>
>
> Cheers,
> Ondrej
On Tue, Jan 5, 2016, at 23:50, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2016-01-05 at 13:16 +0100, Ondřej Surý wrote:
> > Hi release team and happy new year to you all,
>
> and to you.
>
> > the PHP updates through security team are going without any serious
> > troubles, so this is not a p-u for new upstream version, but I would
> > like to include attached patch in the next round of updates.
> >
> > The patch is the only piece missing that prevents coinstallability of
> > src:php5 and src:php7.0, and I think it's quite simple. It only
> > renames /usr/bin/phar (and accompanying man page) to phar5 and uses
> > update-alternatives to create a symlink with priority 50 back to the
> > phar command.
> >
> > The same mechanism is already used in src:php7.0 (with priority 70).
> >
> > This would allow people upgrading from jessie to stretch to keep
> > existing src:php5 packages for the time of migration to PHP 7.0.
>
> Sounds okay to me.
>
> Regards,
>
> Adam
>
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Attachments (binary data):
failed-test-results_5.6.16+dfsg-0+deb8u1.txt.xz
failed-test-results_5.6.17+dfsg-0+deb8u1.txt.xz
php5_5.6.17+dfsg-0+deb8u1.debdiff.xz
php5_5.6.17+dfsg-0+deb8u1_amd64.changes
php5_5.6.17+dfsg-0+deb8u1.debian.tar.xz
php5_5.6.17+dfsg-0+deb8u1.dsc
failed-test-results_5.6.17+dfsg-0+deb8u1.diff.xz
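The phar/phar5/phar7.0 update-alternatives arrangement Adam approved in the quoted mail, rehearsed as an added shell example. This is not code from src:php5, src:php7.0 or this thread; it assumes dpkg's update-alternatives is on PATH and uses its --altdir, --admindir and --log options to keep every link and the alternatives database under a throwaway directory, so it runs unprivileged and never touches the real /usr/bin/phar. The files it creates under that directory are stand-ins for /usr/bin/phar5, /usr/bin/phar7.0 and their man pages; the priorities 50 and 70 are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not code from src:php5 or src:php7.0: rehearse the
# phar -> phar5 / phar7.0 update-alternatives scheme in a private directory.
# Assumes dpkg's update-alternatives is on PATH; --altdir/--admindir/--log
# keep all state under the directory passed as $1, so no root is needed.
set -eu

# Wrapper: run update-alternatives against the private database under $1.
ua() {
    ua_root=$1; shift
    update-alternatives --altdir "$ua_root/altdir" --admindir "$ua_root/admindir" \
        --log "$ua_root/alternatives.log" --quiet "$@"
}

# Create stand-ins for /usr/bin/phar5, /usr/bin/phar7.0 and their man pages,
# then register both as providers of the "phar" name: src:php5 at priority 50,
# src:php7.0 at priority 70, each with its man page as a slave link.
phar_alt_setup() {
    setup_root=$1
    mkdir -p "$setup_root/bin" "$setup_root/man" "$setup_root/altdir" "$setup_root/admindir"
    for v in 5 7.0; do
        printf '#!/bin/sh\necho phar%s\n' "$v" > "$setup_root/bin/phar$v"
        chmod 0755 "$setup_root/bin/phar$v"
        : > "$setup_root/man/phar$v.1.gz"      # empty placeholder man page
    done
    ua "$setup_root" --install "$setup_root/bin/phar" phar "$setup_root/bin/phar5" 50 \
        --slave "$setup_root/man/phar.1.gz" phar.1.gz "$setup_root/man/phar5.1.gz"
    ua "$setup_root" --install "$setup_root/bin/phar" phar "$setup_root/bin/phar7.0" 70 \
        --slave "$setup_root/man/phar.1.gz" phar.1.gz "$setup_root/man/phar7.0.1.gz"
}

# Which provider does the "phar" link resolve to right now? Executes the link
# and returns what the selected stub prints ("phar5" or "phar7.0").
phar_alt_target() {
    "$1/bin/phar"
}

# Simulate removal of the src:php$2 package: its maintainer script would
# deregister the alternative, and in auto mode update-alternatives falls
# back to the highest remaining priority.
phar_alt_remove() {
    ua "$1" --remove phar "$1/bin/phar$2"
}

# Stand-alone demo: php7.0 (70) wins while both are installed; once it is
# removed, the phar name falls back to php5 (50) without any manual step.
demo_root=$(mktemp -d)
phar_alt_setup "$demo_root"
echo "php5 (50) + php7.0 (70) installed: phar -> $(phar_alt_target "$demo_root")"
phar_alt_remove "$demo_root" 7.0
echo "after php7.0 is removed:           phar -> $(phar_alt_target "$demo_root")"
rm -rf "$demo_root"
```

The same three commands (--install twice, --remove once) are what the package maintainer scripts would run against the real /etc/alternatives and /var/lib/dpkg/alternatives; the wrapper only redirects them to a private database so the selection logic can be observed safely.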