Merge ~bryce/ubuntu/+source/php7.4:merge-v7o4o5-1-groovy into ubuntu/+source/php7.4:debian/sid

Proposed by Bryce Harrington on 2020-07-16
Status: Merged
Approved by: Bryce Harrington on 2020-07-17
Approved revision: 2b891b7c9bd1c343ba5a457d890bd827c3e9b57b
Merge reported by: Bryce Harrington
Merged at revision: 2b891b7c9bd1c343ba5a457d890bd827c3e9b57b
Proposed branch: ~bryce/ubuntu/+source/php7.4:merge-v7o4o5-1-groovy
Merge into: ubuntu/+source/php7.4:debian/sid
Diff against target: 253 lines (+172/-5)
6 files modified
debian/changelog (+90/-0)
debian/control (+4/-1)
debian/control.in (+4/-1)
debian/libapache2-mod-php.postinst.extra (+8/-3)
debian/patches/CVE-2019-11048.patch (+65/-0)
debian/patches/series (+1/-0)
Reviewer | Review Type | Date Requested | Status
Christian Ehrhardt | | 2020-07-16 | Needs Fixing on 2020-07-17
Canonical Server Team | | 2020-07-16 | Pending
Review via email: mp+387562@code.launchpad.net

Description of the change

Pretty straightforward merge from debian of php7.4. Three CVEs could be dropped since they're included in the upstream release.

There are some warnings in both the source and binary debuilds but nothing remarkable enough to carry delta for. E.g. formatting of stuff in debian/copying, and ISO C warnings about void * pointer handling.

Since this is a point update rather than a transition, we likely will be able to avoid most of the php stack rebuild, but there's usually some random assortment of migration issues to handle as followup.

Usual tags pushed.

PPA: https://launchpad.net/~bryce/+archive/ubuntu/php7.4-merge-v7o4o5-1

Christian Ehrhardt  (paelzer) wrote :

Could you add https://bugs.launchpad.net/ubuntu/+source/php7.4/+bug/1887826 to the list of bugs being fixed?

Christian Ehrhardt  (paelzer) wrote :

When uploaded you might want to try the new auto-transition tracker at https://people.canonical.com/~ubuntu-archive/transitions/

Christian Ehrhardt  (paelzer) wrote :

v7o4o5 is quite the leetspeak try :-) - what is vtoaos? :-P

Changelog:
- [✓] old content and logical tag match as expected
- [✓] changelog entry correct version and targeted codename
- [x] changelog entries not correct
      Lines 23, 24 and 29 have an invalid indent
- [✓] update-maintainer has been run

Actual changes:
- [✓] no major upstream changes to consider having impact on packaging
- [x] hmm further upstream version to consider
    I know we rebase from Debian, but doing 7.4.5 now while 7.4.8 is available.
    Quite some fixes - how about doing this once for groovy and going to the July version right
    away instead of the April release?
    7.4.8 seems to be a required CVE anyway
    https://www.php.net/ChangeLog-7.php#7.4.8
    https://www.php.net/releases/7_4_8.php
    Whether you go ahead of Debian for this or ping Ondřej to ask if he'd mind bumping Debian is up to you.
- [✓] debian changes look safe (only a few in 7.4.4-1)

Old Delta:
- [✓] dropped changes are ok to be dropped
- [✓] nothing else to drop
    Well if we'd go to >=7.4.6 another CVE fix would be part of upstream's code.

    The conflicts for upgrades from former versions have to go through Focal.
    Therefore the conflict with 7.2/7.3 will already have happened.
    This surely covers:
  4 - d/control, d/control.in: Conflict with mod-php from php7.2 and
  5 php7.3 to ensure safe upgrade path for apache2.
  6 (Fixes LP #1850933)
    Maybe even this:
  7 - libapache2-mod-php.postinst.extra: Disable other mod-php versions.
  8 Fixes failure when upgrading from previous versions of mod-php.
  9 (LP 1865218)
    IMHO the related Delta can be dropped now (similar delta will come back
    once moving to 7.5). What do you think?

Bonus - if you agree and go to >=7.4.6 there will be NO Ubuntu Delta left.
So it could be a sync (for a short while).

New Delta:
- [✓] no new patches added

Build/Test:
- [✓] build is ok (I agree the few errors don't warrant extra Delta)
- [✓] verified PPA package installs/uninstalls
   (x86-only build, boo - but it seems I'm generally the only one complaining :-) )
- [✓] I've not seen autopkgtest data, but that will happen before migration so we'd catch it

The fixes in changelog are required but not too impactful, the decisions on Delta and Versions are up to you mostly. Since I'm probably away once you resolved these feel free to ask another reviewer or go on with an upload once you addressed my concerns.

review: Needs Fixing
Bryce Harrington (bryce) wrote:

It's a good point about the newer upstream versions, indeed that's why I had originally planned to leave this merge to do in August. But I have +1 maint and a week long vacation in August, so figured it'd be good to tackle it early.

So I think what I'll do is land this now, with the changelog changes you recommend, and plan to do another merge/sync later in the cycle. I think the next major version will be 8.0, not 7.5. So having the 7.4 series updated as much as possible is probably a good idea.

Sorry about only including x86... I'm kicking myself because I've been making an effort to enable all arches in my PPAs now, but apparently forgot to do so for this one. I wish there was a setting to make that one's default. Anyway, when there have been arch-specific issues with php they seem to crop up more with the autopkgtests than the build itself.

Bryce Harrington (bryce) wrote:

I've applied the changes you recommended, and tagged & pushed 7.4.5:

$ git ubuntu tag --upload
$ git push pkg upload/7.4.5-1ubuntu1
Enumerating objects: 44, done.
Counting objects: 100% (44/44), done.
Delta compression using up to 12 threads
Compressing objects: 100% (35/35), done.
Writing objects: 100% (36/36), 6.51 KiB | 6.51 MiB/s, done.
Total 36 (delta 25), reused 2 (delta 1)
To ssh://git.launchpad.net/ubuntu/+source/php7.4
 * [new tag] upload/7.4.5-1ubuntu1 -> upload/7.4.5-1ubuntu1
$ dput ubuntu php7.4_7.4.5-1ubuntu1_source.changes
Checking signature on .changes
gpg: /home/bryce/pkg/Php7.4/merge-v7.4.5-1/php7.4_7.4.5-1ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: /home/bryce/pkg/Php7.4/merge-v7.4.5-1/php7.4_7.4.5-1ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading php7.4_7.4.5-1ubuntu1.dsc: done.
  Uploading php7.4_7.4.5-1ubuntu1.debian.tar.xz: done.
  Uploading php7.4_7.4.5-1ubuntu1_source.buildinfo: done.
  Uploading php7.4_7.4.5-1ubuntu1_source.changes: done.
Successfully uploaded packages.

I'll add a card to do another php7.4 merge later in the cycle.

Bryce Harrington (bryce) wrote:

This transitioned

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index a67d2fe..a05a1d8 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,37 @@
6+php7.4 (7.4.5-1ubuntu1) groovy; urgency=medium
7+
8+ * Merge with Debian unstable. Remaining changes:
9+ - d/control, d/control.in: Conflict with mod-php from php7.2 and
10+ php7.3 to ensure safe upgrade path for apache2.
11+ (Fixes LP #1850933)
12+ - libapache2-mod-php.postinst.extra: Disable other mod-php versions.
13+ Fixes failure when upgrading from previous versions of mod-php.
14+ (LP 1865218)
15+ - SECURITY UPDATE: Denial of service through oversized memory allocated
16+ + debian/patches/CVE-2019-11048.patch: changes types int to size_t
17+ in main/rfc1867.c.
18+ + CVE-2019-11048
19+ * Dropped:
20+ - SECURITY UPDATE: Read one byte of uninitialized memory
21+ + debian/patches/CVE-2020-7064.patch: check length in
22+ exif_process_TIFF_in_JPEG to avoid read uninitialized memory
23+ ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
24+ + CVE-2020-7064
25+ [Fixed in 7.4.5-1]
26+ - SECURITY UPDATE: Memory corruption, crash and potentially code execution
27+ + debian/patches/CVE-2020-7065.patch: make sure that negative values are
28+ properly compared in ext/mbstring/php_unicode.c,
29+ ext/mbstring/tests/bug70371.phpt.
30+ + CVE-2020-7065
31+ [Fixed in 7.4.5-1]
32+ - SECURITY UPDATE: Truncated url due \0
33+ + debian/patches/CVE-2020-7066.patch: check for get_headers
34+ not accepting \0 in ext/standard/url.c.
35+ + CVE-2020-7066
36+ [Fixed in 7.4.5-1]
37+
38+ -- Bryce Harrington <bryce@canonical.com> Thu, 16 Jul 2020 13:20:11 -0700
39+
40 php7.4 (7.4.5-1) unstable; urgency=medium
41
42 * New upstream version 7.4.5
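Review bot: the new 7.4.5-1ubuntu1 entry does not reference LP: #1887826, which the reviewer asked to have added to the bugs being fixed, and its bug references at lines 11 and 14 read `(Fixes LP #1850933)` and `(LP 1865218)` while the historical entries at lines 60 and 87 use the `LP: #NNNNNN` form that the archive tooling recognises; use the `LP: #` form consistently and, as the reviewer noted for lines 23, 24 and 29, fix the indentation of the continuation lines. The Remaining/Dropped split itself matches the rest of the diff: CVE-2019-11048.patch is still carried in d/patches/series and the three CVE-2020-706x patches are dropped as fixed in 7.4.5-1.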
43@@ -13,6 +47,62 @@ php7.4 (7.4.4-1) unstable; urgency=medium
44
45 -- Ondřej Surý <ondrej@debian.org> Fri, 20 Mar 2020 14:45:16 +0100
46
47+php7.4 (7.4.3-4ubuntu4) groovy; urgency=medium
48+
49+ * SECURITY UPDATE: Denial of service through oversized memory allocated
50+ - debian/patches/CVE-2019-11048.patch: changes types int to size_t
51+ in main/rfc1867.c.
52+ - CVE-2019-11048
53+
54+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Mon, 25 May 2020 09:41:37 -0300
55+
56+php7.4 (7.4.3-4ubuntu3) groovy; urgency=medium
57+
58+ * libapache2-mod-php.postinst.extra: Disable other mod-php versions.
59+ Fixes failure when upgrading from previous versions of mod-php.
60+ (LP: #1865218)
61+
62+ -- Bryce Harrington <bryce@canonical.com> Tue, 21 Apr 2020 23:04:30 +0000
63+
64+php7.4 (7.4.3-4ubuntu2) focal; urgency=medium
65+
66+ * SECURITY UPDATE: Read one byte of uninitialized memory
67+ - debian/patches/CVE-2020-7064.patch: check length in
68+ exif_process_TIFF_in_JPEG to avoid read uninitialized memory
69+ ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
70+ - CVE-2020-7064
71+ * SECURITY UPDATE: Memory corruption, crash and potentially code execution
72+ - debian/patches/CVE-2020-7065.patch: make sure that negative values are
73+ properly compared in ext/mbstring/php_unicode.c,
74+ ext/mbstring/tests/bug70371.phpt.
75+ - CVE-2020-7065
76+ * SECURITY UPDATE: Truncated url due \0
77+ - debian/patches/CVE-2020-7066.patch: check for get_headers
78+ not accepting \0 in ext/standard/url.c.
79+ - CVE-2020-7066
80+
81+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Mon, 13 Apr 2020 09:32:06 -0300
82+
83+php7.4 (7.4.3-4ubuntu1) focal; urgency=medium
84+
85+ * d/control, d/control.in: Conflict with mod-php from php7.2 and
86+ php7.3 to ensure safe upgrade path for apache2.
87+ (Fixes LP: #1850933)
88+
89+ -- Bryce Harrington <bryce@canonical.com> Thu, 26 Mar 2020 20:24:23 +0000
90+
91+php7.4 (7.4.3-4build2) focal; urgency=medium
92+
93+ * No-change rebuild for icu soname change.
94+
95+ -- Matthias Klose <doko@ubuntu.com> Tue, 03 Mar 2020 21:34:56 +0100
96+
97+php7.4 (7.4.3-4build1) focal; urgency=medium
98+
99+ * No-change rebuild to enable build for i386
100+
101+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 25 Feb 2020 14:37:54 -0800
102+
103 php7.4 (7.4.3-4) unstable; urgency=medium
104
105 * Remove /etc/init/php@PHP_VERSION@-fpm.conf, not
106diff --git a/debian/control b/debian/control
107index 3ca9223..8e60773 100644
108--- a/debian/control
109+++ b/debian/control
110@@ -1,7 +1,8 @@
111 Source: php7.4
112 Section: php
113 Priority: optional
114-Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
115+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
116+XSBC-Original-Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
117 Uploaders: Ondřej Surý <ondrej@debian.org>,
118 Lior Kaplan <kaplan@debian.org>
119 Build-Depends: apache2-dev (>= 2.4),
120@@ -95,6 +96,8 @@ Depends: libmagic1,
121 ${shlibs:Depends}
122 Provides: libapache2-mod-php,
123 ${php:Provides}
124+Conflicts: libapache2-mod-php7.3,
125+ libapache2-mod-php7.2
126 Recommends: apache2
127 Suggests: php-pear
128 Description: server-side, HTML-embedded scripting language (Apache 2 module)
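Review bot: this Conflicts block is the remaining delta for LP #1850933 that the review discussion suggests could be dropped now that upgrades from php7.2/7.3 have to pass through focal; if it is kept, it must stay identical in debian/control.in, which it does in this diff (debian/control is generated from the .in file, as the `@PHP_VERSION@` placeholders there show). Note that Conflicts prevents libapache2-mod-php7.2/7.3 from being installed alongside this package at all, which is a stronger guarantee than the postinst change below that only disables an old module that is still enabled in apache2, so the two pieces of delta are not redundant with each other and should be dropped or kept together deliberately.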
129diff --git a/debian/control.in b/debian/control.in
130index 9681703..4432404 100644
131--- a/debian/control.in
132+++ b/debian/control.in
133@@ -1,7 +1,8 @@
134 Source: php@PHP_VERSION@
135 Section: php
136 Priority: optional
137-Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
138+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
139+XSBC-Original-Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
140 Uploaders: Ondřej Surý <ondrej@debian.org>,
141 Lior Kaplan <kaplan@debian.org>
142 Build-Depends: apache2-dev (>= 2.4),
143@@ -95,6 +96,8 @@ Depends: libmagic1,
144 ${shlibs:Depends}
145 Provides: libapache2-mod-php,
146 ${php:Provides}
147+Conflicts: libapache2-mod-php7.3,
148+ libapache2-mod-php7.2
149 Recommends: apache2
150 Suggests: php-pear
151 Description: server-side, HTML-embedded scripting language (Apache 2 module)
152diff --git a/debian/libapache2-mod-php.postinst.extra b/debian/libapache2-mod-php.postinst.extra
153index 923e475..6c6ef99 100644
154--- a/debian/libapache2-mod-php.postinst.extra
155+++ b/debian/libapache2-mod-php.postinst.extra
156@@ -13,9 +13,14 @@ if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
157 fi
158
159 PHP_MODULE=$(a2query -m | sed -n 's/^\(php[\.0-9]*\) (enabled.*)/\1/p')
160- if [ -n "$PHP_MODULE" -a "$PHP_MODULE" != "php@PHP_VERSION@" ]; then
161- apache2_msg "err" "$DPKG_MAINTSCRIPT_PACKAGE: $PHP_MODULE module already enabled, not enabling PHP @PHP_VERSION@"
162- return 1
163+ if [ -n "$PHP_MODULE" -a "$PHP_MODULE" != "php@PHP_VERSION@" ]; then
164+ local a2invoke_ret=0
165+ apache2_msg "info" "$DPKG_MAINTSCRIPT_PACKAGE: Disabling old $PHP_MODULE in favor of using PHP @PHP_VERSION@"
166+ apache2_invoke dismod $PHP_MODULE || a2invoke_ret=1
167+ if [ "${a2invoke_ret}" -ne 0 ]; then
168+ apache2_msg "err" "$DPKG_MAINTSCRIPT_PACKAGE: (${a2invoke_ret}) failed to disable old $PHP_MODULE"
169+ return 1
170+ fi
171 fi
172
173 mpm=$(a2query -M)
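Review bot: in the failure branch at lines 166-168 the real exit status of `apache2_invoke dismod` is discarded: `|| a2invoke_ret=1` always stores 1, so the `(${a2invoke_ret})` printed in the error message never carries the actual return code. Either capture `$?` in the `||` branch or drop the number and the temporary altogether, e.g. `if ! apache2_invoke dismod "$PHP_MODULE"; then` ... `return 1` ... `fi`. While touching line 166, quote `"$PHP_MODULE"`; `a2query -m` can report more than one enabled php module, in which case `PHP_MODULE` (line 159) holds several newline-separated names, the `!=` test at line 163 compares against the whole string, and the unquoted expansion happens to pass all of them to dismod only by accident. The `-a` inside `[ ... ]` at line 163 is carried over from the old line 160 and is obsolescent in POSIX test; `[ -n "$PHP_MODULE" ] && [ "$PHP_MODULE" != "php@PHP_VERSION@" ]` is the portable spelling.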
174diff --git a/debian/patches/CVE-2019-11048.patch b/debian/patches/CVE-2019-11048.patch
175new file mode 100644
176index 0000000..e6e73d5
177--- /dev/null
178+++ b/debian/patches/CVE-2019-11048.patch
179@@ -0,0 +1,65 @@
180+From a3924ab6542a358a3099de992b63b932a9570add Mon Sep 17 00:00:00 2001
181+From: Stanislav Malyshev <stas@php.net>
182+Date: Mon, 11 May 2020 14:20:47 -0700
183+Subject: [PATCH] Merge branch 'PHP-7.3' into PHP-7.4
184+
185+* PHP-7.3:
186+ Fix #78876: Long variables cause OOM and temp files are not cleaned
187+ Fix #78875: Long filenames cause OOM and temp files are not cleaned
188+ Update NEWS for 7.2.31
189+ Update CREDITS for PHP 7.2.30
190+ Update NEWS for PHP 7.2.30
191+---
192+ main/rfc1867.c | 11 ++++++-----
193+ 1 file changed, 6 insertions(+), 5 deletions(-)
194+
195+diff --git a/main/rfc1867.c b/main/rfc1867.c
196+index 1ee7b925a1b9..8bdc409296ae 100644
197+--- a/main/rfc1867.c
198++++ b/main/rfc1867.c
199+@@ -606,7 +606,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
200+ }
201+
202+ /* read until a boundary condition */
203+-static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
204++static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
205+ {
206+ size_t len, max;
207+ char *bound;
208+@@ -645,7 +645,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
209+ self->buf_begin += len;
210+ }
211+
212+- return (int)len;
213++ return len;
214+ }
215+
216+ /*
217+@@ -655,7 +655,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
218+ static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
219+ {
220+ char buf[FILLUNIT], *out=NULL;
221+- int total_bytes=0, read_bytes=0;
222++ size_t total_bytes=0, read_bytes=0;
223+
224+ while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
225+ out = erealloc(out, total_bytes + read_bytes + 1);
226+@@ -682,7 +682,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
227+ char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
228+ char *lbuf = NULL, *abuf = NULL;
229+ zend_string *temp_filename = NULL;
230+- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
231++ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
232++ size_t array_len = 0;
233+ int64_t total_bytes = 0, max_file_size = 0;
234+ int skip_upload = 0, anonindex = 0, is_anonymous;
235+ HashTable *uploaded_files = NULL;
236+@@ -1116,7 +1117,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
237+ is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
238+
239+ if (is_arr_upload) {
240+- array_len = (int)strlen(start_arr);
241++ array_len = strlen(start_arr);
242+ if (array_index) {
243+ efree(array_index);
244+ }
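Review bot: the patch header carries the upstream merge commit (a3924ab6542a358a3099de992b63b932a9570add) and the upstream bug numbers #78875/#78876 but no DEP-3 fields (`Origin:`, `Bug:`, `Bug-Ubuntu:`), so the provenance is only recoverable by reading the body; adding them is cheap. The upstream commit is dated 11 May 2020, and the review discussion notes the fix is in upstream from 7.4.6 on, which is why the patch still has to be carried at 7.4.5 and would drop with the rest of the delta on a later 7.4.x rebase. On content, the change is self-consistent: `multipart_buffer_read` already computes `len` as `size_t` (line 206) and now returns it without the `(int)` cast (lines 212-213), `total_bytes`/`read_bytes` in `multipart_buffer_read_body` become `size_t` (line 222) so the `erealloc(out, total_bytes + read_bytes + 1)` size at line 225 no longer goes through int, and `array_len` (lines 231-232, 241) is widened the same way; no caller signature changes.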
245diff --git a/debian/patches/series b/debian/patches/series
246index 1784689..4d4e247 100644
247--- a/debian/patches/series
248+++ b/debian/patches/series
249@@ -38,3 +38,4 @@
250 0038-Really-expand-libdir-datadir-into-EXPANDED_LIBDIR-DA.patch
251 0039-Fix-ext-date-lib-parse_tz-PATH_MAX-HURD-FTBFS.patch
252 0040-Amend-C-11-for-intl-compilation-on-older-distributio.patch
253+CVE-2019-11048.patch
