
Re: Status of php-mbstring vs. libonig



Hi,

On 22/11/2019 21:23, Sylvain Beucler wrote:
> I see in 'embedded-code-copies':
> 
>   libonig
>       - php5 5.3.2-1 (embed)
> 
> (i.e. from 2010)
> 
> Jessie seems to properly link to libonig (dependency of e.g.
> libapache2-mod-php5).
> 
> Stretch and Buster however (probably since the new phpX.X-mbstring
> package) do not link libonig anymore, despite build-depending on it, so
> I assume the library is either statically linked, or PHP's embedded copy
> is used.
> 
> There are various vulnerabilities affecting libonig at the moment, some
> properly reported against libonig, some against PHP (e.g.
> https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
> 
> Do you know what the current situation is supposed to be?

Ping?

AFAICS there's no --with-onig in the build process which means PHP is
using an embedded copy of libonig for Stretch & Buster.

Should I file a bug against php7.0&php7.3 to clarify?

Cheers!
Sylvain
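
The check discussed in this message (no libonig among the module's dynamic dependencies, no --with-onig in the build), as an added example that is not part of the original post or of the Debian packaging. It classifies saved `readelf -d` output and a configure command line; the function names, result labels and sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): decide how a PHP mbstring
# build obtains Oniguruma, from two pieces of text evidence.

# Print the sonames of all DT_NEEDED entries found in `readelf -d` output ($1).
needed_libs() {
    printf '%s\n' "$1" | sed -n 's/.*(NEEDED).*\[\([^]]*\)].*/\1/p'
}

# $1 = `readelf -d mbstring.so` output, $2 = configure command line of the build.
# Result labels are this example's own (hypothetical), not a tool's output.
onig_linkage() {
    dyn=no
    flag=no
    if needed_libs "$1" | grep -q '^libonig\.so'; then dyn=yes; fi
    if printf '%s\n' "$2" | grep -q -e '--with-onig'; then flag=yes; fi
    case "$dyn/$flag" in
        yes/*)  echo "shared" ;;              # libonig package updates reach PHP
        no/yes) echo "static-suspected" ;;    # system libonig, linked in at build time
        *)      echo "embedded-suspected" ;;  # bundled copy, must be fixed in PHP source
    esac
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_DYN_SHARED='Dynamic section at offset 0x1f0d8 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libonig.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [mbstring.so]'
SAMPLE_DYN_NOONIG='Dynamic section at offset 0x1f0d8 contains 25 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [mbstring.so]'
SAMPLE_CFG_PLAIN='./configure --enable-mbstring=shared --enable-mbregex'
SAMPLE_CFG_ONIG='./configure --enable-mbstring=shared --enable-mbregex --with-onig=/usr'

# Demo run over the constructed samples.
onig_linkage "$SAMPLE_DYN_SHARED" "$SAMPLE_CFG_ONIG"
onig_linkage "$SAMPLE_DYN_NOONIG" "$SAMPLE_CFG_PLAIN"
```

The "suspected" labels are heuristics: a missing NEEDED entry shows only that the library is not loaded at run time, so the build log or source tree still has to confirm which copy was compiled in.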

