Hi Adam and release team,

sorry to bother you again with PHP :), but the inevitable has happened and PHP 5.6.17+dfsg has been released with 4 security vulnerabilities. Salvatore has asked me again if we could push this through SRU, since you already approved 5.6.16+dfsg.

Here's the list of security vulnerabilities fixed in 5.6.17 (and also waiting for the update to 5.5.45 in wheezy):

 + Use After Free Vulnerability in WDDX Packet Deserialization
 + Session WDDX Packet Deserialization Type Confusion Vulnerability
 + fpm_log.c memory leak and buffer overflow
 + Type Confusion Vulnerability in PHP_to_XMLRPC_worker()

And here's the copy of the email I sent to the security team and the minified attachments (hopefully this can get through this time):

On Tue, Jan 12, 2016, at 09:33, Ondřej Surý wrote:
> Hi Salvatore and the security team,
>
> [the underlying question is whether we can make this into the point release,
> or I should speedily upload at least 5.6.16+dfsg via p-u (already
> approved)]
>
> 5.6.16-0+deb8u1 has been accepted to p-u by the release team, so this update
> only addresses the update from 5.6.16+dfsg to 5.6.17+dfsg and mostly the four
> security bugs I sent earlier in the 5.4.45 update.
>
> New FAILED tests:
>
> +Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out
>  of Bounds) [ext/gd/tests/bug70976.phpt]
>
> Looks ok to me, only an additional warning in the output, otherwise the test
> runs as expected.
>
> +Bug #70741 (Session WDDX Packet Deserialization Type Confusion
>  Vulnerability) [ext/wddx/tests/bug70741.phpt]
>
> Looks ok, we don't have a writeable /var/lib/php5/sessions/ directory, so
> it shows additional warnings, but the result of the test is ok.
>
> Otherwise no differences between the 5.6.16 and 5.6.17 tests.
>
> Changes:
>
> php5 (5.6.17+dfsg-0+deb8u1) jessie-security; urgency=high
> .
>   * Imported Upstream version 5.6.17+dfsg
>     - Core:
>       . Fixed bug #66909 (configure fails utf8_to_mutf7 test).
>       . Fixed bug #70958 (Invalid opcode while using ::class as trait method
>         parameter default value).
>       . Fixed bug #70957 (self::class can not be resolved with reflection
>         for abstract class).
>       . Fixed bug #70944 (try{ } finally{} can create infinite chains of
>         exceptions).
>       . Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol:
>         php_register_internal_extensions).
>     - FPM:
>       . Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
>     - GD:
>       . Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array
>         Index Out of Bounds).
>     - Mysqlnd:
>       . Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir
>         restriction).
>     - SOAP:
>       . Fixed bug #70900 (SoapClient systematic out of memory error).
>     - Standard:
>       . Fixed bug #70960 (ReflectionFunction for array_unique returns wrong
>         number of parameters).
>     - PDO_Firebird:
>       . Fixed bug #60052 (Integer returned as a 64bit integer on X64_86).
>     - WDDX:
>       . Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet
>         Deserialization).
>       . Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion
>         Vulnerability).
>     - XMLRPC:
>       . Fixed bug #70728 (Type Confusion Vulnerability in
>         PHP_to_XMLRPC_worker()).
>   * Rebase patches on top of 5.6.17+dfsg release
>   * Make phar command versioned and use update-alternatives for 'phar'
>     name to allow coinstallation with src:php7.0 packages
>
> debdiff:
>
> $ xzcat php5_5.6.17+dfsg-0+deb8u1.debdiff.xz | diffstat
>  NEWS                                                  |  48 +++++-
>  Zend/tests/bug70944.phpt                              |  37 ++++
>  Zend/tests/bug70957.phpt                              |  22 ++
>  Zend/tests/bug70958.phpt                              |  21 ++
>  Zend/zend_compile.c                                   |  12 +
>  Zend/zend_exceptions.c                                |  12 +
>  configure                                             |  65 ++++----
>  configure.in                                          |   2
>  debian/changelog                                      |  42 +++++
>  debian/patches/0001-libtool_fixes.patch               |   2
>  debian/patches/0003-debian_quirks.patch               |   2
>  debian/patches/0008-extension_api.patch               |   2
>  debian/patches/0013-php-5.4.7-libdb.patch             |  14 +
>  debian/patches/0027-hurd-noptrace.patch               |   2
>  debian/patches/0028-php-5.3.9-mysqlnd.patch           |   4
>  debian/patches/0029-php-5.3.9-gnusrc.patch            |   2
>  debian/patches/0042-php-5.4.9-fixheader.patch         |   2
>  debian/php5-cli.postinst.extra                        |   9 -
>  debian/php5-cli.prerm.extra                           |   1
>  debian/rules                                          |   4
>  ext/dba/config.m4                                     |   6
>  ext/gd/gd_compat.c                                    |   4
>  ext/gd/libgd/gd_interpolation.c                       |   2
>  ext/gd/tests/bug70976.phpt                            |  13 +
>  ext/imap/config.m4                                    |  15 +
>  ext/ldap/ldap.c                                       |  14 +
>  ext/ldap/tests/ldap_connect_variation.phpt            |   5
>  ext/mysql/php_mysql.c                                 |   2
>  ext/mysqli/mysqli_api.c                               |   2
>  ext/mysqli/mysqli_nonapi.c                            |   2
>  ext/mysqli/tests/bug68077.phpt                        |  80 ++++++++++
>  ext/mysqli/tests/mysqli_options_openbasedir.phpt      |  18 +-
>  ext/mysqlnd/mysqlnd.c                                 |   4
>  ext/mysqlnd/mysqlnd_net.c                             |   4
>  ext/pdo_firebird/firebird_statement.c                 |   2
>  ext/pdo_mysql/mysql_driver.c                          |   2
>  ext/reflection/tests/ReflectionMethod_defaultArg.phpt |  44 +++++
>  ext/reflection/tests/bug70960.phpt                    |  10 +
>  ext/session/tests/session_decode_error2.phpt          |   4
>  ext/soap/php_sdl.c                                    |   4
>  ext/standard/basic_functions.c                        |   3
>  ext/wddx/tests/bug70661.phpt                          |  69 ++++++++
>  ext/wddx/tests/bug70741.phpt                          |  26 +++
>  ext/wddx/wddx.c                                       | 141 +++++++++---------
>  ext/xmlrpc/tests/bug70728.phpt                        |  30 +++
>  ext/xmlrpc/xmlrpc-epi-php.c                           |  13 +
>  main/php_version.h                                    |   6
>  sapi/cgi/config9.m4                                   |   4
>  sapi/cli/config.m4                                    |   4
>  sapi/cli/tests/bug70470.phpt                          |   4
>  sapi/fpm/config.m4                                    |   2
>  sapi/fpm/fpm/fpm_log.c                                |   5
>  sapi/litespeed/lsapi_main.c                           |   6
>  sapi/litespeed/lsapilib.c                             |  69 +++++++-
>  54 files changed, 757 insertions(+), 167 deletions(-)
>
> Cheers,
> Ondrej

On Tue, Jan 5, 2016, at 23:50, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2016-01-05 at 13:16 +0100, Ondřej Surý wrote:
> > Hi release team and happy new year to you all,
>
> and to you.
>
> > the PHP updates through the security team are going without any serious
> > troubles, so this is not a p-u for a new upstream version, but I would
> > like to include the attached patch in the next round of updates.
> >
> > The patch is the only piece missing that prevents coinstallability of
> > src:php5 and src:php7.0, and I think it's quite simple. It only
> > renames /usr/bin/phar (and the accompanying man page) to phar5 and uses
> > update-alternatives to create a symlink with priority 50 back to the phar
> > command.
> >
> > The same mechanism is already used in src:php7.0 (with priority 70).
> >
> > This would allow people upgrading from jessie to stretch to keep
> > existing src:php5 packages for the time of migration to PHP 7.0.
>
> Sounds okay to me.
>
> Regards,
>
> Adam

-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Attachments:
 - failed-test-results_5.6.16+dfsg-0+deb8u1.txt.xz
 - failed-test-results_5.6.17+dfsg-0+deb8u1.txt.xz
 - php5_5.6.17+dfsg-0+deb8u1.debdiff.xz
 - php5_5.6.17+dfsg-0+deb8u1_amd64.changes
 - php5_5.6.17+dfsg-0+deb8u1.debian.tar.xz
 - php5_5.6.17+dfsg-0+deb8u1.dsc
 - failed-test-results_5.6.17+dfsg-0+deb8u1.diff.xz
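The changelog and diffstat quoted in the thread let a reviewer check one thing quickly: does every security fix in the update ship a regression test? The script below is an added example, not code from the mail thread or from the Debian packaging; it parses constructed excerpts of the changelog and diffstat above (reflowed into their usual one-entry-per-line form) and reports the bug numbers from the mail's security list that have no matching bugNNNNN.phpt in the debdiff.

```python
import re

# Constructed excerpts of the changelog and diffstat quoted in the mail above,
# reflowed into their normal one-entry-per-line form (not the real debdiff).
CHANGELOG = """\
  * Imported Upstream version 5.6.17+dfsg
    - FPM:
      . Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
    - WDDX:
      . Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
      . Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
    - XMLRPC:
      . Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).
"""
DIFFSTAT = """\
 ext/gd/tests/bug70976.phpt     |  13 +
 ext/wddx/tests/bug70661.phpt   |  69 ++++++++
 ext/wddx/tests/bug70741.phpt   |  26 +++
 ext/wddx/wddx.c                | 141 +++++++++---------
 ext/xmlrpc/tests/bug70728.phpt |  30 +++
 ext/xmlrpc/xmlrpc-epi-php.c    |  13 +
 sapi/fpm/fpm/fpm_log.c         |   5 +
 54 files changed, 757 insertions(+), 167 deletions(-)
"""
# The four issues the mail lists as security vulnerabilities.
SECURITY_BUGS = {70661, 70741, 70755, 70728}

BUG_RE = re.compile(r"Fixed bug #(\d+) \((.*)\)\.")
STAT_RE = re.compile(r"^\s*(\S+)\s*\|\s*(\d+)\s*[+-]*\s*$")

def parse_fixed_bugs(changelog):
    """Map every 'Fixed bug #N (description).' entry to its description."""
    return {int(num): desc for num, desc in BUG_RE.findall(changelog)}

def parse_diffstat(diffstat):
    """Map each touched path to its changed-line count; the summary line has no '|'."""
    files = {}
    for line in diffstat.splitlines():
        m = STAT_RE.match(line)
        if m:
            files[m.group(1)] = int(m.group(2))
    return files

def missing_regression_tests(bugs, changelog, diffstat):
    """Bugs fixed in the changelog that ship no matching bugNNNNN.phpt in the debdiff."""
    fixed = parse_fixed_bugs(changelog)
    tests = [p for p in parse_diffstat(diffstat) if p.endswith(".phpt")]
    return sorted(b for b in bugs if b in fixed
                  and not any(p.endswith(f"/bug{b}.phpt") for p in tests))
```

On the excerpt above the only hit is #70755: the fpm_log.c fix changes sapi/fpm/fpm/fpm_log.c alone, with no accompanying test file in the diffstat.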