Hi,
On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
Hi,
On 22/11/2019 21:23, Sylvain Beucler wrote:
I see in 'embedded-code-copies':
libonig
- php5 5.3.2-1 (embed)
(i.e. from 2010)
Jessie seems to properly link to libonig (dependency of e.g.
libapache2-mod-php5).
Stretch and Buster however (probably since the new phpX.X-mbstring
package) do not link libonig anymore, despite build-depending on it, so
I assume the library is either statically linked, or PHP's embedded copy
is used.
There are various vulnerabilities affected libonig at the moment, some
properly reported against libonig, some against PHP (e.g.
https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
Do you know what the current situation is supposed to be?
Ping?
AFAICS there's no --with-onig in the build process which means PHP is
using an embedded copy of libonig for Stretch & Buster.
Should I file a bug against php7.0&php7.3 to clarify?
This seem to have been an explicit decision in e4ca1ccf8cd0 ("Disable
all extensions with --disable-all and remove the various configure
options related to disabling the extensions")[1] apparently in
debian/7.0.0_rc1-1. Can you try to clarify with the maintainer?
[1]
https://salsa.debian.org/php-team/php/commit/e4ca1ccf8cd09016d8cc6f321d2e6b6702f66089Regards,
Salvatore