Ubuntu
php8.1 package

Merge ~athos-ribeiro/ubuntu/+source/php8.1:lp1990302-tmp-stream-file-pos into ubuntu/+source/php8.1:ubuntu/jammy-devel

  1. Git
  2. lp:~athos-ribeiro/ubuntu/+source/php8.1
  3. lp1990302-tmp-stream-file-pos
  4. Merge into ubuntu/jammy-devel
Proposed by Athos Ribeiro
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Athos Ribeiro
Merged at revision: b934a1bb4de9584e97530ab5b971211afd1ed8ef
Proposed branch: ~athos-ribeiro/ubuntu/+source/php8.1:lp1990302-tmp-stream-file-pos
Merge into: ubuntu/+source/php8.1:ubuntu/jammy-devel
Diff against target: 101 lines (+76/-0)
3 files modified
debian/changelog (+11/-0)
debian/patches/0049-Preserve-file-position-when-php-temp-switches.patch (+64/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Bryce Harrington (community) Approve
Canonical Server Reporter Pending
Review via email: mp+431855@code.launchpad.net

Description of the change

Jammy fix for LP: #1990302

PPA: https://launchpad.net/~athos-ribeiro/+archive/ubuntu/lp1990302-tmp-stream-file-pos/+packages

Local autopkgtest run result summary:

autopkgtest [16:22:36]: @@@@@@@@@@@@@@@@@@@@ summary
cli PASS
cgi PASS
mod-php PASS
fpm PASS
version PASS

To post a comment you must log in.
Revision history for this message
Bryce Harrington (bryce) wrote :

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-athos-ribeiro-lp1990302-tmp-stream-file-pos/?format=plain)
  php8.1 @ amd64:
    20.10.22 23:34:14 Log πŸ—’οΈ βœ… Triggers: php8.1/8.1.2-1ubuntu2.7~ppa1
  php8.1 @ armhf:
    20.10.22 23:33:56 Log πŸ—’οΈ βœ… Triggers: php8.1/8.1.2-1ubuntu2.7~ppa1
  php8.1 @ ppc64el:
    20.10.22 23:37:20 Log πŸ—’οΈ βœ… Triggers: php8.1/8.1.2-1ubuntu2.7~ppa1
  php8.1 @ s390x:
    20.10.22 23:25:16 Log πŸ—’οΈ βœ… Triggers: php8.1/8.1.2-1ubuntu2.7~ppa1

In a jammy LXC container, verified the reproducer myself:

  $ sudo apt-get install php-common php-cli
  $ php reproduce.php
  string(16) "1111111111111111"
  int(1250)
  $ sudo add-apt-repository -yus ppa:athos-ribeiro/lp1990302-tmp-stream-file-pos
  $ sudo apt-get -y dist-upgrade
  $ php reproduce.php
  string(16) "2222222222222222"
  int(738)

I reviewed the patch's code, and verified it matches upstream.
Packaging changes look good.

The only thing I might mention, is that the changelog entry description is rather terse. The SRU [Impact] text is really informative though, and I wonder if some text could be borrowed from that. E.g.:

  * d/p/0049-Preserve-file-position-when-php-temp-switches.patch: PHP provides a
    temporary data stream, php://temp, whose contents are moved to a temporary file
    when a predefined size limit is hit. In jammy, the file position is set to the
    end of the file, which results in corrupted/unwanted data. Fix this by
    preserving the file position in this situation.
    (LP: #1990302)

Maybe a bit wordy but gives a better explanation of the change. This is just optional though; people can easily link over to the referenced bug to get the full explanation if they need.

review: Approve
Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

Thanks, Bryce!

I applied the changelog suggestions and uploaded it!

$ dput ubuntu ../php8.1_8.1.2-1ubuntu2.7_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../php8.1_8.1.2-1ubuntu2.7_source.changes: Valid signature from 033C4CA276024834
Checking signature on .dsc
gpg: ../php8.1_8.1.2-1ubuntu2.7.dsc: Valid signature from 033C4CA276024834
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading php8.1_8.1.2-1ubuntu2.7.dsc: done.
  Uploading php8.1_8.1.2-1ubuntu2.7.debian.tar.xz: done.
  Uploading php8.1_8.1.2-1ubuntu2.7_source.buildinfo: done.
  Uploading php8.1_8.1.2-1ubuntu2.7_source.changes: done.
Successfully uploaded packages.

Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: athos-ribeiro, bryce
Uploaders: athos-ribeiro, bryce
MP auto-approved

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 2c48cf6..99e7278 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,14 @@
6+php8.1 (8.1.2-1ubuntu2.7) jammy; urgency=medium
7+
8+ * d/p/0049-Preserve-file-position-when-php-temp-switches.patch: PHP provides
9+ a temporary data stream, php://temp, whose contents are moved to a
10+ temporary file when a predefined size limit is hit. In jammy, the file
11+ position is set to the end of the file, which results in corrupted/unwanted
12+ data. Fix this by preserving the file position in this situation.
13+ (LP: #1990302)
14+
15+ -- Athos Ribeiro <athos.ribeiro@canonical.com> Wed, 19 Oct 2022 11:58:09 -0300
16+
17 php8.1 (8.1.2-1ubuntu2.6) jammy; urgency=medium
18
19 * d/rules: fix PHP_EXTRA_VERSION setting. (LP: #1989196)
20diff --git a/debian/patches/0049-Preserve-file-position-when-php-temp-switches.patch b/debian/patches/0049-Preserve-file-position-when-php-temp-switches.patch
21new file mode 100644
22index 0000000..ca19cb3
23--- /dev/null
24+++ b/debian/patches/0049-Preserve-file-position-when-php-temp-switches.patch
25@@ -0,0 +1,64 @@
26+From 84c18f9f04cb9852d992194e613927154f765192 Mon Sep 17 00:00:00 2001
27+From: Bernd HolzmΓΌller <bernd@quarxconnect.de>
28+Date: Sat, 9 Apr 2022 17:49:47 +0200
29+Subject: [PATCH] Preserve file-position when php://temp switches to temporary file
30+
31+Closes GH-8333.
32+
33+Bug: https://github.com/php/php-src/pull/8333
34+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php8.1/+bug/1990302
35+Last-Update: 2022-10-19
36+Origin: backport, https://github.com/php/php-src/commit/84c18f9f04cb9852d992194e613927154f765192
37+---
38+ .../tests/streams/temp_stream_seek.phpt | 20 +++++++++++++++++++
39+ main/streams/memory.c | 10 ++++++----
40+ 3 files changed, 30 insertions(+), 4 deletions(-)
41+ create mode 100644 ext/standard/tests/streams/temp_stream_seek.phpt
42+
43+--- /dev/null
44++++ b/ext/standard/tests/streams/temp_stream_seek.phpt
45+@@ -0,0 +1,20 @@
46++--TEST--
47++BUG: php://temp does not preserve file-pointer once it switches from memory to temporary file
48++--FILE--
49++<?php
50++
51++$f = fopen('php://temp/maxmemory:1024', 'r+');
52++fwrite($f, str_repeat("1", 738));
53++fseek($f, 0, SEEK_SET);
54++fwrite($f, str_repeat("2", 512));
55++
56++fseek($f, 0, SEEK_SET);
57++var_dump(fread($f, 16));
58++
59++fseek($f, 0, SEEK_END);
60++var_dump(ftell($f));
61++
62++?>
63++--EXPECT--
64++string(16) "2222222222222222"
65++int(738)
66+--- a/main/streams/memory.c
67++++ b/main/streams/memory.c
68+@@ -345,9 +345,10 @@
69+ return -1;
70+ }
71+ if (php_stream_is(ts->innerstream, PHP_STREAM_IS_MEMORY)) {
72+- zend_string *membuf = php_stream_memory_get_buffer(ts->innerstream);
73+-
74+- if (ZSTR_LEN(membuf) + count >= ts->smax) {
75++ zend_off_t pos = php_stream_tell(ts->innerstream);
76++
77++ if (pos + count >= ts->smax) {
78++ zend_string *membuf = php_stream_memory_get_buffer(ts->innerstream);
79+ php_stream *file = php_stream_fopen_temporary_file(ts->tmpdir, "php", NULL);
80+ if (file == NULL) {
81+ php_error_docref(NULL, E_WARNING, "Unable to create temporary file, Check permissions in temporary files directory.");
82+@@ -357,6 +358,7 @@
83+ php_stream_free_enclosed(ts->innerstream, PHP_STREAM_FREE_CLOSE);
84+ ts->innerstream = file;
85+ php_stream_encloses(stream, ts->innerstream);
86++ php_stream_seek(ts->innerstream, pos, SEEK_SET);
87+ }
88+ }
89+ return php_stream_write(ts->innerstream, buf, count);
90diff --git a/debian/patches/series b/debian/patches/series
91index abf5480..5cf3bfd 100644
92--- a/debian/patches/series
93+++ b/debian/patches/series
94@@ -46,6 +46,7 @@
95 0046-Fix-ssl3-unexpected-eof.patch
96 0047-Update-gcc-func-attr-macro.patch
97 0048-Clear-recorded-errors-before-executing-shutdown-func.patch
98+0049-Preserve-file-position-when-php-temp-switches.patch
99 CVE-2021-21708.patch
100 CVE-2022-31625.patch
101 CVE-2022-31626.patch

Subscribers

People subscribed via source and target branches