Skip to content

Commit

Permalink
Pullup ticket #6866 - requested by taca
Browse files Browse the repository at this point in the history 
lang/php83: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.434
- lang/php83/Makefile                                           1.3
- lang/php83/distinfo                                           1.8
- lang/php83/patches/patch-build_php.m4                         1.1
- lang/php83/patches/patch-configure                            deleted
- lang/php83/patches/patch-sapi_apache2handler_config.m4        1.1

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Fri Jun  7 13:57:24 UTC 2024

   Modified Files:
   	pkgsrc/lang/php: phpversion.mk
   	pkgsrc/lang/php83: Makefile distinfo
   Added Files:
   	pkgsrc/lang/php83/patches: patch-build_php.m4
   	    patch-sapi_apache2handler_config.m4
   Removed Files:
   	pkgsrc/lang/php83/patches: patch-configure

   Log Message:
   lang/php83: update to 8.3.8

   pkgsrc change:

   Instead of patch configure, patch m4 files and use autoconf to generate
   configure.

   PHP 8.3.8 (2024-06-06)

   - CGI:
     . Fixed buffer limit on Windows, replacing read call usage by _read.
       (David Carlier)
     . Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
       in PHP-CGI). (CVE-2024-4577) (nielsdos)

   - CLI:
     . Fixed bug GH-14189 (PHP Interactive shell input state incorrectly handles
       quoted heredoc literals.). (nielsdos)

   - Core:
     . Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for
       non-compile-time expressions). (ilutov)

   - DOM:
     . Fix crashes when entity declaration is removed while still having entity
       references. (nielsdos)
     . Fix references not handled correctly in C14N. (nielsdos)
     . Fix crash when calling childNodes next() when iterator is exhausted.
       (nielsdos)
     . Fix crash in ParentNode::append() when dealing with a fragment
       containing text nodes. (nielsdos)

   - Filter:
     . Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
       (CVE-2024-5458) (nielsdos)

   - FPM:
     . Fix bug GH-14175 (Show decimal number instead of scientific notation in
       systemd status). (Benjamin Cremer)

   - Hash:
     . ext/hash: Swap the checking order of `__has_builtin` and `__GNUC__`
       (Saki Takamachi)

   - Intl:
     . Fixed build regression on systems without C++17 compilers. (Calvin Buckley,
       Peter Kokot)

   - MySQLnd:
     . Fix bug GH-14255 (mysqli_fetch_assoc reports error from
       nested query). (Kamil Tekiela)

   - Opcache:
     . Fixed bug GH-14109 (Fix accidental persisting of internal class constant in
       shm). (ilutov)

   - OpenSSL:
     . The openssl_private_decrypt function in PHP, when using PKCS1 padding
       (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack
       unless it is used with an OpenSSL version that includes the changes from this pull
       request: openssl/openssl#13817 (rsa_pkcs1_implicit_rejection).
       These changes are part of OpenSSL 3.2 and have also been backported to stable
       versions of various Linux distributions, as well as to the PHP builds provided for
       Windows since the previous release. All distributors and builders should ensure that
       this version is used to prevent PHP from being vulnerable. (CVE-2024-2408)

   - Standard:
     . Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874).
       (CVE-2024-5585) (nielsdos)

   - XML:
     . Fixed bug GH-14124 (Segmentation fault with XML extension under certain
       memory limit). (nielsdos)

   - XMLReader:
     . Fixed bug GH-14183 (XMLReader::open() can't be overridden). (nielsdos)

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Fri Jun  7 23:11:41 UTC 2024

   Modified Files:
   	pkgsrc/lang/php81: Makefile Makefile.php
   	pkgsrc/lang/php82: Makefile Makefile.php
   	pkgsrc/lang/php83: Makefile Makefile.php
   	pkgsrc/www/ap-php: Makefile
   	pkgsrc/www/php-fpm: Makefile

   Log Message:
   Fix build problem of www/ap-php and www/php-fpm.

   Switch these packages to use autoconf, too.
  • Loading branch information
@bsiegert
bsiegert committed Jun 13, 2024
1 parent fcf6a4d commit dd1b5cc
Show file tree
Hide file tree
Showing 6 changed files with 56 additions and 69 deletions.
4 changes: 2 additions & 2 deletions lang/php/phpversion.mk
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# $NetBSD: phpversion.mk,v 1.426.2.5 2024/06/13 13:47:09 bsiegert Exp $
# $NetBSD: phpversion.mk,v 1.426.2.6 2024/06/13 14:34:05 bsiegert Exp $
#
# This file selects a PHP version, based on the user's preferences and
# the installed packages. It does not add a dependency on the PHP
Expand Down Expand Up @@ -93,7 +93,7 @@ PHP74_VERSION= 7.4.33
PHP80_VERSION= 8.0.30
PHP81_VERSION= 8.1.28
PHP82_VERSION= 8.2.18
PHP83_VERSION= 8.3.7
PHP83_VERSION= 8.3.8

# Define API version or initial release of major version.
PHP56_RELDATE= 20140828
Expand Down
9 changes: 6 additions & 3 deletions lang/php83/Makefile
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.1 2023/11/30 16:14:50 taca Exp $
# $NetBSD: Makefile,v 1.1.4.1 2024/06/13 14:34:05 bsiegert Exp $

#
# We can't omit PKGNAME here to handle PKG_OPTIONS.
Expand All @@ -10,7 +10,7 @@ LICENSE= php

TEST_TARGET= test

USE_TOOLS+= gmake lex
USE_TOOLS+= autoconf gmake lex
LIBTOOL_OVERRIDE= # empty
PHP_CHECK_INSTALLED= No

Expand Down Expand Up @@ -45,7 +45,7 @@ REPLACE_PHP= ext/phar/phar/phar.php run-tests.php
SUBST_CLASSES+= path
SUBST_MESSAGE.path= Fixing common paths.
SUBST_STAGE.path= pre-configure
SUBST_FILES.path= configure
SUBST_FILES.path= build/php.m4
SUBST_FILES.path+= php.ini-development php.ini-production
SUBST_FILES.path+= sapi/cgi/Makefile.frag
SUBST_VARS.path= CGIDIR
Expand All @@ -65,6 +65,9 @@ INSTALL_UNSTRIPPED= yes
CFLAGS+= -DSQLITE_ENABLE_LOCKING_STYLE=0 -DSQLITE_WITHOUT_ZONEMALLOC
.endif

pre-configure:
cd ${WRKSRC} && autoconf -f

post-install:
cd ${WRKSRC}; ${INSTALL_DATA} php.ini-development php.ini-production \
${DESTDIR}${EGDIR}
Expand Down
11 changes: 6 additions & 5 deletions lang/php83/distinfo
View file
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
$NetBSD: distinfo,v 1.5.2.2 2024/06/13 13:47:10 bsiegert Exp $
$NetBSD: distinfo,v 1.5.2.3 2024/06/13 14:34:05 bsiegert Exp $

BLAKE2s (php-8.3.7.tar.xz) = 009b796292f0f05c1a21a6f0f40886e1ec5c6a01f4cbae0c7de34a4fc5c9db96
SHA512 (php-8.3.7.tar.xz) = ff2c16a5cc08b1a59a61eee9df75c4c9a6dda7054d48198b75d104c194e934109fed3665005ba798eeca3d7294d7dc81df3a14e63a527baf9f196e229068d9a3
Size (php-8.3.7.tar.xz) = 12456020 bytes
SHA1 (patch-configure) = 3d7106a039a3bffaf9f439c8fed77048f1072749
BLAKE2s (php-8.3.8.tar.xz) = ba672f712e3d735c0320f301bf5f3a09bbf3440e09abd44813a57ed001a0db57
SHA512 (php-8.3.8.tar.xz) = 1a2840f0b5dcbea6dfcc3894cb9e38d103bf4110c1b956438199deee0b60e5ae63cce34be25ca6f03ac8d26581a852657f8800f92fefe38345e20443b646bb3e
Size (php-8.3.8.tar.xz) = 12480896 bytes
SHA1 (patch-build_php.m4) = c85864ae22556c0a5f14b323d2cf031523625e9b
SHA1 (patch-ext_enchant_enchant.c) = 7d999de1b2fde2ea11e4a6e16e7b59c085924b9b
SHA1 (patch-ext_phar_Makefile.frag) = 53ea5c58b0bc27d236118d5750a74b1cba43e5dd
SHA1 (patch-ext_standard_php__fopen__wrapper.c) = 0a2c19c18f089448a8d842e99738b292ab9e5640
Expand All @@ -12,6 +12,7 @@ SHA1 (patch-ext_xsl_php__xsl.h) = cf930c5d6d9dab29b12558d265c67d3534a006fd
SHA1 (patch-main_streams_streams.c) = d699ce7d3a300ffb39494b3f1fa5e0958f714483
SHA1 (patch-php.ini-development) = 373d76cc7a022b578f1d5e296d1f0ac88bc26b72
SHA1 (patch-php.ini-production) = 5ab7fa6bf8403907160b0a62b56c1ee527f8eda6
SHA1 (patch-sapi_apache2handler_config.m4) = c5650a7d07a8213038fe2e2a6a1ce345d325df82
SHA1 (patch-sapi_cgi_Makefile.frag) = f4cd64d334884c49787d8854115c8cd69cc79bb8
SHA1 (patch-sapi_cli_Makefile.frag) = 1cd29d09042863acbf5330e406410fdcf75d06b3
SHA1 (patch-sapi_fpm_php-fpm.conf.in) = acf9b4e70d4c5ea2b96e37e7bbf9005379ecc4d0
17 changes: 17 additions & 0 deletions lang/php83/patches/patch-build_php.m4
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
$NetBSD: patch-build_php.m4,v 1.1.2.2 2024/06/13 14:34:05 bsiegert Exp $

Do not include "PKG_CONFIG*" in CONFIGURE_OPTIONS.

--- build/php.m4.orig 2024-06-04 14:53:17.000000000 +0000
+++ build/php.m4
@@ -2151,6 +2151,10 @@ EOF
else
break
fi
+ case "$CURRENT_ARG" in
+ \'PKG_CONFIG\=*) CURRENT_ARG="'PKG_CONFIG=@TOOLS_PATH.pkg-config@'";;
+ \'PKG_CONFIG_LIBDIR\=*) CURRENT_ARG="'PKG_CONFIG_LIBDIR=@PHP_PKGCONFIG_PATH@'";;
+ esac
AS_ECHO(["$CURRENT_ARG \\"]) >>$1
CONFIGURE_OPTIONS="$CONFIGURE_OPTIONS $CURRENT_ARG"
done
59 changes: 0 additions & 59 deletions lang/php83/patches/patch-configure
View file

This file was deleted.

25 changes: 25 additions & 0 deletions lang/php83/patches/patch-sapi_apache2handler_config.m4
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
$NetBSD: patch-sapi_apache2handler_config.m4,v 1.1.2.2 2024/06/13 14:34:05 bsiegert Exp $

Don't autodetect maintainer-zts.

--- sapi/apache2handler/config.m4.orig 2024-06-04 14:53:17.000000000 +0000
+++ sapi/apache2handler/config.m4
@@ -108,18 +108,6 @@ if test "$PHP_APXS2" != "no"; then
;;
esac

- if test "$APACHE_VERSION" -lt 2004001; then
- APXS_MPM=`$APXS -q MPM_NAME`
- if test "$APXS_MPM" != "prefork" && test "$APXS_MPM" != "peruser" && test "$APXS_MPM" != "itk"; then
- PHP_BUILD_THREAD_SAFE
- fi
- else
- APACHE_THREADED_MPM=`$APXS_HTTPD -V 2>/dev/null | grep 'threaded:.*yes'`
- if test -n "$APACHE_THREADED_MPM"; then
- PHP_BUILD_THREAD_SAFE
- fi
- fi
- AC_MSG_RESULT(yes)
PHP_SUBST(APXS)
else
AC_MSG_RESULT(no)

0 comments on commit dd1b5cc

Please sign in to comment.