Merge ~bryce/ubuntu/+source/php7.4:merge-v7o4o5-1-groovy into ubuntu/+source/php7.4:debian/sid

Proposed by Bryce Harrington
Status: Merged
Approved by: Bryce Harrington
Approved revision: 2b891b7c9bd1c343ba5a457d890bd827c3e9b57b
Merge reported by: Bryce Harrington
Merged at revision: 2b891b7c9bd1c343ba5a457d890bd827c3e9b57b
Proposed branch: ~bryce/ubuntu/+source/php7.4:merge-v7o4o5-1-groovy
Merge into: ubuntu/+source/php7.4:debian/sid
Diff against target: 253 lines (+172/-5)
6 files modified
debian/changelog (+90/-0)
debian/control (+4/-1)
debian/control.in (+4/-1)
debian/libapache2-mod-php.postinst.extra (+8/-3)
debian/patches/CVE-2019-11048.patch (+65/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Needs Fixing
Canonical Server Pending
Review via email: mp+387562@code.launchpad.net

Description of the change

Pretty straightforward merge from Debian of php7.4. Three CVEs could be dropped since they're included in the upstream release.

There are some warnings in both the source and binary debuilds, but nothing remarkable enough to carry delta for. E.g. formatting of stuff in debian/copying, and ISO C warnings about void * pointer handling.

Since this is a point update rather than a transition, we likely will be able to avoid most of the php stack rebuild, but there's usually some random assortment of migration issues to handle as followup.

Usual tags pushed.

PPA: https://launchpad.net/~bryce/+archive/ubuntu/php7.4-merge-v7o4o5-1

Christian Ehrhardt  (paelzer) wrote :

Could you add https://bugs.launchpad.net/ubuntu/+source/php7.4/+bug/1887826 to the list of bugs being fixed?

Christian Ehrhardt  (paelzer) wrote :

When uploaded you might want to try the new auto-transition tracker at https://people.canonical.com/~ubuntu-archive/transitions/

Christian Ehrhardt  (paelzer) wrote :

v7o4o5 is quite the leetspeak try :-) - what is vtoaos? :-P

Changelog:
- [✓] old content and logical tag match as expected
- [✓] changelog entry correct version and targeted codename
- [x] changelog entries not correct
      Lines 23, 24 and 29 have invalid indent
- [✓] update-maintainer has been run

Actual changes:
- [✓] no major upstream changes to consider having impact on packaging
- [x] hmm further upstream version to consider
    I know we rebase from Debian, but doing 7.4.5 now while 7.4.8 is available.
    Quite some fixes - how about doing this once for groovy and going to the July version right
    away instead of the April release?
    7.4.8 seems to be a required CVE anyway
    https://www.php.net/ChangeLog-7.php#7.4.8
    https://www.php.net/releases/7_4_8.php
    Whether you go ahead of Debian for this or ping Ondřej to ask if he'd mind bumping Debian is up to you.
- [✓] debian changes look safe (only a few in 7.4.4-1)

Old Delta:
- [✓] dropped changes are ok to be dropped
- [✓] nothing else to drop
    Well, if we'd go to >=7.4.6 another CVE fix would be part of upstream's code.

    The conflicts for upgrades from former versions have to go through Focal.
    Therefore the conflict with 7.2/7.3 will already have happened.
    This surely covers:
  4 - d/control, d/control.in: Conflict with mod-php from php7.2 and
  5 php7.3 to ensure safe upgrade path for apache2.
  6 (Fixes LP #1850933)
    Maybe even this:
  7 - libapache2-mod-php.postinst.extra: Disable other mod-php versions.
  8 Fixes failure when upgrading from previous versions of mod-php.
  9 (LP 1865218)
    IMHO the related Delta can be dropped now (similar delta will come back
    once moving to 7.5). What do you think?

Bonus - if you agree and go to >=7.4.6 there will be NO Ubuntu Delta left.
So it could be a sync (for a short while).

New Delta:
- [✓] no new patches added

Build/Test:
- [✓] build is ok (I agree the few errors don't warrant extra Delta)
- [✓] verified PPA package installs/uninstalls
   (x86-only build, boo - but it seems I'm generally the only one complaining :-) )
- [✓] I've not seen autopkgtest data, but that will happen before migration so we'd catch it

The fixes in the changelog are required but not too impactful; the decisions on Delta and versions are mostly up to you. Since I'm probably away once you've resolved these, feel free to ask another reviewer or go on with an upload once you've addressed my concerns.

review: Needs Fixing
Bryce Harrington (bryce) wrote :

It's a good point about the newer upstream versions; indeed, that's why I had originally planned to leave this merge to do in August. But I have +1 maint and a week-long vacation in August, so I figured it'd be good to tackle it early.

So I think what I'll do is land this now, with the changelog changes you recommend, and plan to do another merge/sync later in the cycle. I think the next major version will be 8.0, not 7.5. So having the 7.4 series updated as much as possible is probably a good idea.

Sorry about only including x86... I'm kicking myself because I've been making an effort to enable all arches in my PPAs now, but apparently forgot to do so for this one. I wish there was a setting to make that one's default. Anyway, when there have been arch-specific issues with php they seem to crop up more with the autopkgtests than the build itself.

Bryce Harrington (bryce) wrote :

I've applied the changes you recommended, and tagged & pushed 7.4.5:

$ git ubuntu tag --upload
$ git push pkg upload/7.4.5-1ubuntu1
Enumerating objects: 44, done.
Counting objects: 100% (44/44), done.
Delta compression using up to 12 threads
Compressing objects: 100% (35/35), done.
Writing objects: 100% (36/36), 6.51 KiB | 6.51 MiB/s, done.
Total 36 (delta 25), reused 2 (delta 1)
To ssh://git.launchpad.net/ubuntu/+source/php7.4
 * [new tag] upload/7.4.5-1ubuntu1 -> upload/7.4.5-1ubuntu1
$ dput ubuntu php7.4_7.4.5-1ubuntu1_source.changes
Checking signature on .changes
gpg: /home/bryce/pkg/Php7.4/merge-v7.4.5-1/php7.4_7.4.5-1ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: /home/bryce/pkg/Php7.4/merge-v7.4.5-1/php7.4_7.4.5-1ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading php7.4_7.4.5-1ubuntu1.dsc: done.
  Uploading php7.4_7.4.5-1ubuntu1.debian.tar.xz: done.
  Uploading php7.4_7.4.5-1ubuntu1_source.buildinfo: done.
  Uploading php7.4_7.4.5-1ubuntu1_source.changes: done.
Successfully uploaded packages.

I'll add a card to do another php7.4 merge later in the cycle.

Bryce Harrington (bryce) wrote :

This transitioned

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index a67d2fe..a05a1d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,37 @@
1php7.4 (7.4.5-1ubuntu1) groovy; urgency=medium
2
3 * Merge with Debian unstable. Remaining changes:
4 - d/control, d/control.in: Conflict with mod-php from php7.2 and
5 php7.3 to ensure safe upgrade path for apache2.
6 (Fixes LP #1850933)
7 - libapache2-mod-php.postinst.extra: Disable other mod-php versions.
8 Fixes failure when upgrading from previous versions of mod-php.
9 (LP 1865218)
10 - SECURITY UPDATE: Denial of service through oversized memory allocated
11 + debian/patches/CVE-2019-11048.patch: changes types int to size_t
12 in main/rfc1867.c.
13 + CVE-2019-11048
14 * Dropped:
15 - SECURITY UPDATE: Read one byte of uninitialized memory
16 + debian/patches/CVE-2020-7064.patch: check length in
17 exif_process_TIFF_in_JPEG to avoid read uninitialized memory
18 ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
19 + CVE-2020-7064
20 [Fixed in 7.4.5-1]
21 - SECURITY UPDATE: Memory corruption, crash and potentially code execution
22 + debian/patches/CVE-2020-7065.patch: make sure that negative values are
23 properly compared in ext/mbstring/php_unicode.c,
24 ext/mbstring/tests/bug70371.phpt.
25 + CVE-2020-7065
26 [Fixed in 7.4.5-1]
27 - SECURITY UPDATE: Truncated url due \0
28 + debian/patches/CVE-2020-7066.patch: check for get_headers
29 not accepting \0 in ext/standard/url.c.
30 + CVE-2020-7066
31 [Fixed in 7.4.5-1]
32
33 -- Bryce Harrington <bryce@canonical.com> Thu, 16 Jul 2020 13:20:11 -0700
34
1php7.4 (7.4.5-1) unstable; urgency=medium35php7.4 (7.4.5-1) unstable; urgency=medium
236
3 * New upstream version 7.4.537 * New upstream version 7.4.5
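Review bot: the new 7.4.5-1ubuntu1 entry carries no reference to bug 1887826, which the review asks to be added to the bugs being fixed; if that is meant for the changelog, an `(LP: #1887826)` on the "Merge with Debian unstable" line would close it on upload. The carried-over bullets also write the bug references as `(Fixes LP #1850933)` and `(LP 1865218)`, while the original 7.4.3-4ubuntu1/ubuntu3 entries further down use the `LP: #NNNNNNN` form that Launchpad recognises; keeping that form when re-listing remaining changes avoids the inconsistency.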
@@ -13,6 +47,62 @@ php7.4 (7.4.4-1) unstable; urgency=medium
1347
14 -- Ondřej Surý <ondrej@debian.org> Fri, 20 Mar 2020 14:45:16 +010048 -- Ondřej Surý <ondrej@debian.org> Fri, 20 Mar 2020 14:45:16 +0100
1549
50php7.4 (7.4.3-4ubuntu4) groovy; urgency=medium
51
52 * SECURITY UPDATE: Denial of service through oversized memory allocated
53 - debian/patches/CVE-2019-11048.patch: changes types int to size_t
54 in main/rfc1867.c.
55 - CVE-2019-11048
56
57 -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Mon, 25 May 2020 09:41:37 -0300
58
59php7.4 (7.4.3-4ubuntu3) groovy; urgency=medium
60
61 * libapache2-mod-php.postinst.extra: Disable other mod-php versions.
62 Fixes failure when upgrading from previous versions of mod-php.
63 (LP: #1865218)
64
65 -- Bryce Harrington <bryce@canonical.com> Tue, 21 Apr 2020 23:04:30 +0000
66
67php7.4 (7.4.3-4ubuntu2) focal; urgency=medium
68
69 * SECURITY UPDATE: Read one byte of uninitialized memory
70 - debian/patches/CVE-2020-7064.patch: check length in
71 exif_process_TIFF_in_JPEG to avoid read uninitialized memory
72 ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
73 - CVE-2020-7064
74 * SECURITY UPDATE: Memory corruption, crash and potentially code execution
75 - debian/patches/CVE-2020-7065.patch: make sure that negative values are
76 properly compared in ext/mbstring/php_unicode.c,
77 ext/mbstring/tests/bug70371.phpt.
78 - CVE-2020-7065
79 * SECURITY UPDATE: Truncated url due \0
80 - debian/patches/CVE-2020-7066.patch: check for get_headers
81 not accepting \0 in ext/standard/url.c.
82 - CVE-2020-7066
83
84 -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Mon, 13 Apr 2020 09:32:06 -0300
85
86php7.4 (7.4.3-4ubuntu1) focal; urgency=medium
87
88 * d/control, d/control.in: Conflict with mod-php from php7.2 and
89 php7.3 to ensure safe upgrade path for apache2.
90 (Fixes LP: #1850933)
91
92 -- Bryce Harrington <bryce@canonical.com> Thu, 26 Mar 2020 20:24:23 +0000
93
94php7.4 (7.4.3-4build2) focal; urgency=medium
95
96 * No-change rebuild for icu soname change.
97
98 -- Matthias Klose <doko@ubuntu.com> Tue, 03 Mar 2020 21:34:56 +0100
99
100php7.4 (7.4.3-4build1) focal; urgency=medium
101
102 * No-change rebuild to enable build for i386
103
104 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 25 Feb 2020 14:37:54 -0800
105
16php7.4 (7.4.3-4) unstable; urgency=medium106php7.4 (7.4.3-4) unstable; urgency=medium
17107
18 * Remove /etc/init/php@PHP_VERSION@-fpm.conf, not108 * Remove /etc/init/php@PHP_VERSION@-fpm.conf, not
diff --git a/debian/control b/debian/control
index 3ca9223..8e60773 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: php7.41Source: php7.4
2Section: php2Section: php
3Priority: optional3Priority: optional
4Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
5Uploaders: Ondřej Surý <ondrej@debian.org>,6Uploaders: Ondřej Surý <ondrej@debian.org>,
6 Lior Kaplan <kaplan@debian.org>7 Lior Kaplan <kaplan@debian.org>
7Build-Depends: apache2-dev (>= 2.4),8Build-Depends: apache2-dev (>= 2.4),
@@ -95,6 +96,8 @@ Depends: libmagic1,
95 ${shlibs:Depends}96 ${shlibs:Depends}
96Provides: libapache2-mod-php,97Provides: libapache2-mod-php,
97 ${php:Provides}98 ${php:Provides}
99Conflicts: libapache2-mod-php7.3,
100 libapache2-mod-php7.2
98Recommends: apache2101Recommends: apache2
99Suggests: php-pear102Suggests: php-pear
100Description: server-side, HTML-embedded scripting language (Apache 2 module)103Description: server-side, HTML-embedded scripting language (Apache 2 module)
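Review bot: the added `Conflicts: libapache2-mod-php7.3, libapache2-mod-php7.2` is the delta the review discussion proposes dropping, since upgrades to groovy pass through focal where the conflict has already taken effect; if it is kept for this upload, note that it overlaps with the postinst change in this same diff, which now disables an already-enabled older mod-php module instead of failing, so the two mechanisms address the same upgrade path. Whichever way that is decided, debian/control must stay identical to what debian/control.in generates, which the two hunks here do satisfy.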
diff --git a/debian/control.in b/debian/control.in
index 9681703..4432404 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -1,7 +1,8 @@
1Source: php@PHP_VERSION@1Source: php@PHP_VERSION@
2Section: php2Section: php
3Priority: optional3Priority: optional
4Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
5Uploaders: Ondřej Surý <ondrej@debian.org>,6Uploaders: Ondřej Surý <ondrej@debian.org>,
6 Lior Kaplan <kaplan@debian.org>7 Lior Kaplan <kaplan@debian.org>
7Build-Depends: apache2-dev (>= 2.4),8Build-Depends: apache2-dev (>= 2.4),
@@ -95,6 +96,8 @@ Depends: libmagic1,
95 ${shlibs:Depends}96 ${shlibs:Depends}
96Provides: libapache2-mod-php,97Provides: libapache2-mod-php,
97 ${php:Provides}98 ${php:Provides}
99Conflicts: libapache2-mod-php7.3,
100 libapache2-mod-php7.2
98Recommends: apache2101Recommends: apache2
99Suggests: php-pear102Suggests: php-pear
100Description: server-side, HTML-embedded scripting language (Apache 2 module)103Description: server-side, HTML-embedded scripting language (Apache 2 module)
diff --git a/debian/libapache2-mod-php.postinst.extra b/debian/libapache2-mod-php.postinst.extra
index 923e475..6c6ef99 100644
--- a/debian/libapache2-mod-php.postinst.extra
+++ b/debian/libapache2-mod-php.postinst.extra
@@ -13,9 +13,14 @@ if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
13 fi13 fi
1414
15 PHP_MODULE=$(a2query -m | sed -n 's/^\(php[\.0-9]*\) (enabled.*)/\1/p')15 PHP_MODULE=$(a2query -m | sed -n 's/^\(php[\.0-9]*\) (enabled.*)/\1/p')
16 if [ -n "$PHP_MODULE" -a "$PHP_MODULE" != "php@PHP_VERSION@" ]; then16 if [ -n "$PHP_MODULE" -a "$PHP_MODULE" != "php@PHP_VERSION@" ]; then
17 apache2_msg "err" "$DPKG_MAINTSCRIPT_PACKAGE: $PHP_MODULE module already enabled, not enabling PHP @PHP_VERSION@"17 local a2invoke_ret=0
18 return 118 apache2_msg "info" "$DPKG_MAINTSCRIPT_PACKAGE: Disabling old $PHP_MODULE in favor of using PHP @PHP_VERSION@"
19 apache2_invoke dismod $PHP_MODULE || a2invoke_ret=1
20 if [ "${a2invoke_ret}" -ne 0 ]; then
21 apache2_msg "err" "$DPKG_MAINTSCRIPT_PACKAGE: (${a2invoke_ret}) failed to disable old $PHP_MODULE"
22 return 1
23 fi
19 fi24 fi
2025
21 mpm=$(a2query -M)26 mpm=$(a2query -M)
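Review bot: in the new failure branch the message prints `(${a2invoke_ret})`, but `a2invoke_ret` is only ever set to the literal 1 by `|| a2invoke_ret=1`, so the parenthesised value never carries apache2_invoke's actual exit status; either capture `$?` or drop it. The intermediate variable can go entirely: `if ! apache2_invoke dismod "$PHP_MODULE"; then apache2_msg "err" ...; return 1; fi` is equivalent and shorter. `$PHP_MODULE` is also expanded unquoted in the dismod call while the `!=` test above compares it as a single string, so if `a2query -m` ever reports more than one enabled php module the test and the dismod call see different arguments; quoting it keeps the two consistent. Finally, `local` is only valid inside a function body, which the surrounding `return 1` implies this fragment is spliced into, but that is worth confirming against the generated maintscript since dash rejects `local` at top level.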
diff --git a/debian/patches/CVE-2019-11048.patch b/debian/patches/CVE-2019-11048.patch
22new file mode 10064427new file mode 100644
index 0000000..e6e73d5
--- /dev/null
+++ b/debian/patches/CVE-2019-11048.patch
@@ -0,0 +1,65 @@
1From a3924ab6542a358a3099de992b63b932a9570add Mon Sep 17 00:00:00 2001
2From: Stanislav Malyshev <stas@php.net>
3Date: Mon, 11 May 2020 14:20:47 -0700
4Subject: [PATCH] Merge branch 'PHP-7.3' into PHP-7.4
5
6* PHP-7.3:
7 Fix #78876: Long variables cause OOM and temp files are not cleaned
8 Fix #78875: Long filenames cause OOM and temp files are not cleaned
9 Update NEWS for 7.2.31
10 Update CREDITS for PHP 7.2.30
11 Update NEWS for PHP 7.2.30
12---
13 main/rfc1867.c | 11 ++++++-----
14 1 file changed, 6 insertions(+), 5 deletions(-)
15
16diff --git a/main/rfc1867.c b/main/rfc1867.c
17index 1ee7b925a1b9..8bdc409296ae 100644
18--- a/main/rfc1867.c
19+++ b/main/rfc1867.c
20@@ -606,7 +606,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
21 }
22
23 /* read until a boundary condition */
24-static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
25+static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
26 {
27 size_t len, max;
28 char *bound;
29@@ -645,7 +645,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
30 self->buf_begin += len;
31 }
32
33- return (int)len;
34+ return len;
35 }
36
37 /*
38@@ -655,7 +655,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
39 static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
40 {
41 char buf[FILLUNIT], *out=NULL;
42- int total_bytes=0, read_bytes=0;
43+ size_t total_bytes=0, read_bytes=0;
44
45 while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
46 out = erealloc(out, total_bytes + read_bytes + 1);
47@@ -682,7 +682,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
48 char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
49 char *lbuf = NULL, *abuf = NULL;
50 zend_string *temp_filename = NULL;
51- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
52+ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
53+ size_t array_len = 0;
54 int64_t total_bytes = 0, max_file_size = 0;
55 int skip_upload = 0, anonindex = 0, is_anonymous;
56 HashTable *uploaded_files = NULL;
57@@ -1116,7 +1117,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
58 is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
59
60 if (is_arr_upload) {
61- array_len = (int)strlen(start_arr);
62+ array_len = strlen(start_arr);
63 if (array_index) {
64 efree(array_index);
65 }
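Review bot: the patch header is the upstream merge commit's ("Merge branch 'PHP-7.3' into PHP-7.4"), so nothing in the file itself says it is the CVE-2019-11048 fix; a DEP-3 `Description:` naming the CVE and upstream bugs #78875/#78876, plus `Origin:` and `Bug-Ubuntu:` lines, would make that traceable without reading debian/changelog. The content itself is coherent with the changelog description: `multipart_buffer_read` now returns `size_t`, `total_bytes`/`read_bytes` and `array_len` follow, and the `(int)` casts that truncated the lengths feeding `erealloc` and the array-index handling are removed; `boundary_len` is left as `int`, unchanged from upstream.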
diff --git a/debian/patches/series b/debian/patches/series
index 1784689..4d4e247 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -38,3 +38,4 @@
380038-Really-expand-libdir-datadir-into-EXPANDED_LIBDIR-DA.patch380038-Really-expand-libdir-datadir-into-EXPANDED_LIBDIR-DA.patch
390039-Fix-ext-date-lib-parse_tz-PATH_MAX-HURD-FTBFS.patch390039-Fix-ext-date-lib-parse_tz-PATH_MAX-HURD-FTBFS.patch
400040-Amend-C-11-for-intl-compilation-on-older-distributio.patch400040-Amend-C-11-for-intl-compilation-on-older-distributio.patch
41CVE-2019-11048.patch
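Review bot: appending `CVE-2019-11048.patch` at the end of series is fine for this upload, but the review above notes that moving to >=7.4.6 would pick up the remaining CVE fix from upstream, so this series entry and the patch file should be dropped at the next merge rather than carried on as delta.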
