Merge ~athos-ribeiro/ubuntu/+source/php8.1:fix-ss3-eof-jammy into ubuntu/+source/php8.1:ubuntu/jammy-devel

Proposed by Athos Ribeiro
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 66a577aa750c8e0e100f076b8ab0738bad3a1a5d
Proposed branch: ~athos-ribeiro/ubuntu/+source/php8.1:fix-ss3-eof-jammy
Merge into: ubuntu/+source/php8.1:ubuntu/jammy-devel
Diff against target: 113 lines (+88/-0)
3 files modified
debian/changelog (+11/-0)
debian/patches/0046-Fix-ssl3-unexpected-eof.patch (+76/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Bryce Harrington (community) Approve
Canonical Server Reporter Pending
Review via email: mp+426844@code.launchpad.net

Description of the change

Jammy SRU proposal for LP: #1975626.

This should be a straightforward upstream patch as described in the SRU bug.

PPA: https://launchpad.net/~athos-ribeiro/+archive/ubuntu/lp1975626-php-ssl3-eof/+packages

I will update this MP with the autopkgtest results as soon as I get them.

Bryce Harrington (bryce) wrote :

Change itself LGTM, and assuming the test results are good, +1. A couple of text suggestions:

For the changelog entry, I think it would be beneficial to add a sentence or so of extra explanation to help users understand if their system is affected. Sounds like they would see an error message like 'SSL routines::unexpected eof...' so might be worth mentioning that. Can we also specify what version introduced the security fix that caused the regression?

For the SRU text, one typo in the Impact section: 'non complaint' -> 'non-compliant'. Rest of the text looks solid.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: athos-ribeiro, bryce
Uploaders: athos-ribeiro, bryce
MP auto-approved

review: Approve
Athos Ribeiro (athos-ribeiro) wrote :

Thanks for the review, Bryce. I fixed the SRU text. I will fix the changelog entry with your suggestions and upload it.

Local dep8 test result summary:

autopkgtest [17:44:36]: @@@@@@@@@@@@@@@@@@@@ summary
cli PASS
cgi PASS
mod-php PASS
fpm PASS

Athos Ribeiro (athos-ribeiro) wrote :

Updated changelog and SRU text and uploaded the package.

$ dput ubuntu ../php8.1_8.1.2-1ubuntu2.2_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../php8.1_8.1.2-1ubuntu2.2_source.changes: Valid signature from 033C4CA276024834
Checking signature on .dsc
gpg: ../php8.1_8.1.2-1ubuntu2.2.dsc: Valid signature from 033C4CA276024834
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading php8.1_8.1.2-1ubuntu2.2.dsc: done.
  Uploading php8.1_8.1.2-1ubuntu2.2.debian.tar.xz: done.
  Uploading php8.1_8.1.2-1ubuntu2.2_source.buildinfo: done.
  Uploading php8.1_8.1.2-1ubuntu2.2_source.changes: done.
Successfully uploaded packages.

Athos Ribeiro (athos-ribeiro) wrote :

There was a security change in php8.1 during the SRU process for this one. I rebased it on top of the new security changes and re-uploaded, as requested by Steve.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 062da46..7635e9e 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,14 @@
6+php8.1 (8.1.2-1ubuntu2.3) jammy; urgency=medium
7+
8+ * d/p/0046-Fix-ssl3-unexpected-eof.patch: fix OpenSSL3 related unexpected
9+ EOF failure. This patch was originally introduced in PHP 8.1.7 to maintain
10+ compatibility with servers that are not yet compatible with new OpenSSL 3
11+ changes. This lack of compatibility would result in errors like
12+ "error:0A000126:SSL routines::unexpected eof while reading in LOCATION".
13+ (LP: #1975626)
14+
15+ -- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 15 Aug 2022 09:24:10 -0300
16+
17 php8.1 (8.1.2-1ubuntu2.2) jammy-security; urgency=medium
18
19 * SECURITY UPDATE: Memory corruption in libmagic
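Review bot: the new 8.1.2-1ubuntu2.3 entry describes the change only as a "fix" and leaves out the trade-off it makes: the patch sets SSL_OP_IGNORE_UNEXPECTED_EOF, so a TLS peer that closes the connection without sending close_notify is once again treated as a clean EOF instead of an error, which is precisely the truncation check OpenSSL 3.0 added. Suggest one extra sentence so administrators reading the SRU know PHP's stream wrapper no longer enforces strict EOF handling, e.g. "This restores the pre-OpenSSL-3 behaviour of tolerating connections closed without close_notify." Since Bryce asked which version introduced the behaviour, "new OpenSSL 3 changes" could also name OpenSSL 3.0 explicitly.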
20diff --git a/debian/patches/0046-Fix-ssl3-unexpected-eof.patch b/debian/patches/0046-Fix-ssl3-unexpected-eof.patch
21new file mode 100644
22index 0000000..9e1d08b
23--- /dev/null
24+++ b/debian/patches/0046-Fix-ssl3-unexpected-eof.patch
25@@ -0,0 +1,76 @@
26+From 74f75db0c3665677ec006cd379fd561feacffdc6 Mon Sep 17 00:00:00 2001
27+From: Jakub Zelenka <bukka@php.net>
28+Date: Sun, 15 May 2022 13:49:17 +0100
29+Subject: Fix bug #79589: ssl3_read_n:unexpected eof while reading
30+
31+The unexpected EOF failure was introduced in OpenSSL 3.0 to prevent
32+truncation attack. However there are many non complaint servers and
33+it is causing break for many users including potential majority
34+of those where the truncation attack is not applicable. For that reason
35+we try to keep behavior consitent with older OpenSSL versions which is
36+also the path chosen by some other languages and web servers.
37+
38+Closes GH-8369
39+
40+Bug: https://github.com/php/php-src/issues/8369
41+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/1975626
42+Last-Update: 2022-06-11
43+Origin: upstream, https://github.com/php/php-src/commit/74f75db0c3665677ec006cd379fd561feacffdc6
44+---
45+ NEWS | 4 ++++
46+ ext/openssl/tests/bug79589.phpt | 21 +++++++++++++++++++++
47+ ext/openssl/xp_ssl.c | 5 +++++
48+ 3 files changed, 30 insertions(+)
49+ create mode 100644 ext/openssl/tests/bug79589.phpt
50+
51+--- a/NEWS
52++++ b/NEWS
53+@@ -356,6 +356,10 @@
54+ . Added the Ristretto255 functions, which are available in libsodium 1.0.18.
55+ (P.I.E. Security Team)
56+
57++- OpenSSL:
58++ . Fixed bug #79589 (error:14095126:SSL routines:ssl3_read_n:unexpected eof
59++ while reading). (Jakub Zelenka)
60++
61+ - SPL:
62+ . Fixed bug #66588 (SplFileObject::fgetcsv incorrectly returns a row on
63+ premature EOF). (Aliaksandr Bystry)
64+--- /dev/null
65++++ b/ext/openssl/tests/bug79589.phpt
66+@@ -0,0 +1,21 @@
67++--TEST--
68++Bug #65538: TLS unexpected EOF failure
69++--EXTENSIONS--
70++openssl
71++--SKIPIF--
72++<?php
73++if (getenv("SKIP_ONLINE_TESTS")) die("skip online test");
74++?>
75++--FILE--
76++<?php
77++
78++$release = file_get_contents(
79++ 'https://chromedriver.storage.googleapis.com/LATEST_RELEASE',
80++ false,
81++ stream_context_create(['ssl' => ['verify_peer'=> false]])
82++);
83++echo gettype($release);
84++
85++?>
86++--EXPECT--
87++string
88+--- a/ext/openssl/xp_ssl.c
89++++ b/ext/openssl/xp_ssl.c
90+@@ -1648,6 +1648,11 @@
91+
92+ ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
93+
94++#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
95++ /* Only for OpenSSL 3+ to keep OpenSSL 1.1.1 behavior */
96++ ssl_ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
97++#endif
98++
99+ if (!GET_VER_OPT("disable_compression") || zend_is_true(val)) {
100+ ssl_ctx_options |= SSL_OP_NO_COMPRESSION;
101+ }
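Review bot: the xp_ssl.c hunk at the end of this file sets SSL_OP_IGNORE_UNEXPECTED_EOF unconditionally for every context, with no stream-context option to keep OpenSSL 3's truncation detection; as a verbatim upstream backport that is acceptable for the SRU, but the loss of that check should be called out in the changelog and SRU text rather than only in the DEP-3 description. Two smaller points in the same file: the --TEST-- header of bug79589.phpt says "Bug #65538" while the filename, Subject and NEWS entry refer to #79589, and the test fetches a live external URL with verify_peer disabled, gated only by SKIP_ONLINE_TESTS, so it exercises nothing during the offline package build or the dep8 runs reported above. The NEWS hunk is also commonly dropped from distro backports, since it only creates conflicts for later patches that touch NEWS.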
102diff --git a/debian/patches/series b/debian/patches/series
103index 60751c0..e21b06b 100644
104--- a/debian/patches/series
105+++ b/debian/patches/series
106@@ -43,6 +43,7 @@
107 0043-Lower-the-OpenSSL-requirement-to-1.0.1.patch
108 0044-Fail-the-build-when-the-dtrace-call-fails.patch
109 0045-Override-result-of-AC_PROG_LN_S-to-fix-FTBFS-on-ppc6.patch
110+0046-Fix-ssl3-unexpected-eof.patch
111 CVE-2021-21708.patch
112 CVE-2022-31625.patch
113 CVE-2022-31626.patch
