Date: Fri, 17 Aug 2018 16:04:01 +0000
From: "Benny Siegert"
Subject: CVS commit: [pkgsrc-2018Q2] pkgsrc/lang
To: pkgsrc-changes@NetBSD.org
Reply-To: bsiegert@netbsd.org
Message-Id: <20180817160401.1B3AAFBEC@cvs.NetBSD.org>

Module Name: pkgsrc
Committed By: bsiegert
Date: Fri Aug 17 16:04:01 UTC 2018

Modified Files:
    pkgsrc/lang/php [pkgsrc-2018Q2]: phpversion.mk
    pkgsrc/lang/php71 [pkgsrc-2018Q2]: Makefile Makefile.php distinfo
Added Files:
    pkgsrc/lang/php71/patches [pkgsrc-2018Q2]: patch-disable-filter-url

Log Message:
Pullup ticket #5797 - requested by taca
lang/php71: security fix

Revisions pulled up:
- lang/php/phpversion.mk 1.222
- lang/php71/Makefile 1.14-1.15
- lang/php71/Makefile.php 1.7-1.8
- lang/php71/distinfo 1.39-1.40
- lang/php71/patches/patch-disable-filter-url 1.1

---
Module Name: pkgsrc
Committed By: maya
Date: Mon Jul 16 10:58:50 UTC 2018

Modified Files:
    pkgsrc/lang/php70: Makefile Makefile.php
    pkgsrc/lang/php71: Makefile Makefile.php
    pkgsrc/lang/php72: Makefile Makefile.php

Log Message:
php*: disable global regs on i386. Fixes PR pkg/53222 that resurfaced

Remove the previous workaround to add GCC_REQD, which isn't sufficient
any more, possibly due to enabling ssp/fortify?

XXX bumping PKGREVISION might not be sufficient, for the same reason
the GCC_REQD had to be moved to Makefile.php, it affects modules too.

---
Module Name: pkgsrc
Committed By: manu
Date: Wed Jul 18 07:33:12 UTC 2018

Modified Files:
    pkgsrc/lang/php56: Makefile.php distinfo
    pkgsrc/lang/php70: Makefile.php distinfo
    pkgsrc/lang/php71: Makefile.php distinfo
    pkgsrc/lang/php72: Makefile.php distinfo
Added Files:
    pkgsrc/lang/php56/patches: patch-disable-filter-url
    pkgsrc/lang/php70/patches: patch-disable-filter-url
    pkgsrc/lang/php71/patches: patch-disable-filter-url
    pkgsrc/lang/php72/patches: patch-disable-filter-url

Log Message:
Add pkgsrc build option disable-filter-url to disable php://filter URL

php://filter URL is a feature documented here:
http://php.net/manual/en/wrappers.php.php

Unfortunately, it allows remote control of include() behavior
beyond what many developers expected, enabling easy dump of
PHP source files. The administrator may want to disable the
feature for security sake, and this option makes that possible.

---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jul 20 13:23:47 UTC 2018

Modified Files:
    pkgsrc/lang/php: phpversion.mk
    pkgsrc/lang/php71: Makefile distinfo

Log Message:
lang/php71: update to 7.1.20

19 Jul 2018, PHP 7.1.20

- Core:
  . Fixed bug #76534 (PHP hangs on 'illegal string offset on string references with an error handler). (Laruence)
  . Fixed bug #76502 (Chain of mixed exceptions and errors does not serialize properly). (Nikita)
- Date:
  . Fixed bug #76462 (Undefined property: DateInterval::$f). (Anatol)
- exif:
  . Fixed bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c). (Stas)
  . Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif data). (Stas)
- FPM:
  . Fixed bug #73342 (Vulnerability in php-fpm by changing stdin to non-blocking). (Nikita)
- GMP:
  . Fixed bug #74670 (Integer Underflow when unserializing GMP and possible other classes). (Nikita)
- intl:
  . Fixed bug #76556 (get_debug_info handler for BreakIterator shows wrong type). (cmb)
- mbstring:
  .
Fixed bug #76532 (Integer overflow and excessive memory usage in mb_strimwidth). (MarcusSchwarz) - PGSQL: . Fixed bug #76548 (pg_fetch_result did not fetch the next row). (Anatol) - phpdbg: . Fix arginfo wrt. optional/required parameters. (cmb) - Reflection: . Fixed bug #76536 (PHP crashes with core dump when throwing exception in error handler). (Laruence) . Fixed bug #75231 (ReflectionProperty#getValue() incorrectly works with inherited classes). (Nikita) - Standard: . Fixed bug #76505 (array_merge_recursive() is duplicating sub-array keys). (Laruence) . Fixed bug #71848 (getimagesize with $imageinfo returns false). (cmb) - Win32: . Fixed bug #76459 (windows linkinfo lacks openbasedir check). (Anatol) To generate a diff of this commit: cvs rdiff -u -r1.221 -r1.221.2.1 pkgsrc/lang/php/phpversion.mk cvs rdiff -u -r1.13 -r1.13.6.1 pkgsrc/lang/php71/Makefile cvs rdiff -u -r1.6 -r1.6.10.1 pkgsrc/lang/php71/Makefile.php cvs rdiff -u -r1.38 -r1.38.2.1 pkgsrc/lang/php71/distinfo cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/lang/php71/patches/patch-disable-filter-url Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1534521841610 Content-Disposition: inline Content-Length: 5965 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/lang/php/phpversion.mk diff -u pkgsrc/lang/php/phpversion.mk:1.221 pkgsrc/lang/php/phpversion.mk:1.221.2.1 --- pkgsrc/lang/php/phpversion.mk:1.221 Mon Jun 25 15:19:22 2018 +++ pkgsrc/lang/php/phpversion.mk Fri Aug 17 16:04:00 2018 @@ -1,4 +1,4 @@ -# $NetBSD: phpversion.mk,v 1.221 2018/06/25 15:19:22 taca Exp $ +# $NetBSD: phpversion.mk,v 1.221.2.1 2018/08/17 16:04:00 bsiegert Exp $ # # This file selects a PHP version, based on the user's preferences and # the installed packages. It does not add a dependency on the PHP 
@@ -89,7 +89,7 @@ PHPVERSION_MK= defined # Define each PHP's version. PHP56_VERSION= 5.6.36 PHP70_VERSION= 7.0.30 -PHP71_VERSION= 7.1.19 +PHP71_VERSION= 7.1.20 PHP72_VERSION= 7.2.7 # Define initial release of major version. Index: pkgsrc/lang/php71/Makefile diff -u pkgsrc/lang/php71/Makefile:1.13 pkgsrc/lang/php71/Makefile:1.13.6.1 --- pkgsrc/lang/php71/Makefile:1.13 Fri Oct 27 08:47:49 2017 +++ pkgsrc/lang/php71/Makefile Fri Aug 17 16:04:00 2018 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.13 2017/10/27 08:47:49 taca Exp $ +# $NetBSD: Makefile,v 1.13.6.1 2018/08/17 16:04:00 bsiegert Exp $ # # We can't omit PKGNAME here to handle PKG_OPTIONS. @@ -48,6 +48,12 @@ INSTALLATION_DIRS+= ${CGIDIR} ${PHP_EXTE CONFIGURE_ARGS+= --without-pcre-jit .endif +# segfaults when buidling with many compilers +# https://bugs.php.net/bug.php?id=74527 +.if ${MACHINE_ARCH} == "i386" +CONFIGURE_ARGS+= --disable-gcc-global-regs +.endif + # Make sure modules can link correctly .if ${OPSYS} == "Darwin" INSTALL_UNSTRIPPED= yes Index: pkgsrc/lang/php71/Makefile.php diff -u pkgsrc/lang/php71/Makefile.php:1.6 pkgsrc/lang/php71/Makefile.php:1.6.10.1 --- pkgsrc/lang/php71/Makefile.php:1.6 Fri Aug 4 23:08:47 2017 +++ pkgsrc/lang/php71/Makefile.php Fri Aug 17 16:04:00 2018 @@ -1,13 +1,8 @@ -# $NetBSD: Makefile.php,v 1.6 2017/08/04 23:08:47 taca Exp $ +# $NetBSD: Makefile.php,v 1.6.10.1 2018/08/17 16:04:00 bsiegert Exp $ # used by lang/php71/Makefile # used by www/ap-php/Makefile # used by www/php-fpm/Makefile -# PHP bug #74526 - segfaults on build with GCC 4.8.5 i386 -.if ${MACHINE_ARCH} == "i386" -GCC_REQD+= 4.9 -.endif - .include "../../lang/php71/Makefile.common" DISTINFO_FILE= ${.CURDIR}/../../lang/php71/distinfo 
@@ -45,7 +40,7 @@ CONFIGURE_ARGS+= --with-libxml-dir=${PRE .include "../../textproc/libxml2/buildlink3.mk" PKG_OPTIONS_VAR= PKG_OPTIONS.${PHP_PKG_PREFIX} -PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline +PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline disable-filter-url PKG_SUGGESTED_OPTIONS+= inet6 ssl readline .if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD" @@ -92,5 +87,9 @@ CONFIGURE_ARGS+= --enable-dtrace INSTALL_MAKE_FLAGS+= -r .endif +.if !empty(PKG_OPTIONS:Mdisable-filter-url) +CFLAGS+= -DDISABLE_FILTER_URL +.endif + DL_AUTO_VARS= yes .include "../../mk/dlopen.buildlink3.mk" Index: pkgsrc/lang/php71/distinfo diff -u pkgsrc/lang/php71/distinfo:1.38 pkgsrc/lang/php71/distinfo:1.38.2.1 --- pkgsrc/lang/php71/distinfo:1.38 Mon Jun 25 15:19:22 2018 +++ pkgsrc/lang/php71/distinfo Fri Aug 17 16:04:00 2018 
@@ -1,11 +1,12 @@ -$NetBSD: distinfo,v 1.38 2018/06/25 15:19:22 taca Exp $ +$NetBSD: distinfo,v 1.38.2.1 2018/08/17 16:04:00 bsiegert Exp $ -SHA1 (php-7.1.19.tar.bz2) = 2010c911e34ec01e94697567d13eb29e49ac3045 -RMD160 (php-7.1.19.tar.bz2) = f8fbc7f0218954938fe5b37b91160fe093839288 -SHA512 (php-7.1.19.tar.bz2) = d19ca6063f71c0265111ec0d218a123af6eada6158ef0135a3fe3a30a0e7517dc12a58f955e52aa243725473600b44b94eb0535843d822ec97436518d88a2b68 -Size (php-7.1.19.tar.bz2) = 15147029 bytes +SHA1 (php-7.1.20.tar.bz2) = 1ea8720fdea3a5212196b0f6a6f11a0eff26fc83 +RMD160 (php-7.1.20.tar.bz2) = 059ffa8a1e5026167511e2695f7f6ec60278ea9f +SHA512 (php-7.1.20.tar.bz2) = c29a20e018c0066fb42ef2e08cd7be5f071bb0f6288f461fd6591b63b5ea2d8a5e06a94905319fb971e60e4e91ea496519206efb4e78b06c730e2ea82eeaf02f +Size (php-7.1.20.tar.bz2) = 15166442 bytes SHA1 (patch-acinclude.m4) = b682280fd89950c082c2226bdb7364b0dc475bad SHA1 (patch-configure) = 862707ff3fd8b8d7312104bb44a48fe8379951bd +SHA1 (patch-disable-filter-url) = e9e92d686ddd1d1a1ece10fe4feee4e368fe510c SHA1 (patch-ext_gd_config.m4) = 93b62daad93b9ee6dc28e06016f739bc26b0dc9f SHA1 (patch-ext_imap_config.m4) = f4e10ab81697b72019313f63bc630627a08efd92 SHA1 (patch-ext_intl_config.m4) = 5192f8e8fa32939c62a734421463edd294372282 Added files: Index: pkgsrc/lang/php71/patches/patch-disable-filter-url diff -u /dev/null pkgsrc/lang/php71/patches/patch-disable-filter-url:1.1.2.2 --- /dev/null Fri Aug 17 16:04:01 2018 +++ pkgsrc/lang/php71/patches/patch-disable-filter-url Fri Aug 17 16:04:00 2018 
@@ -0,0 +1,34 @@ +$NetBSD: patch-disable-filter-url,v 1.1.2.2 2018/08/17 16:04:00 bsiegert Exp $ + +Add build-time disable option for dangerous php://filter URL + +php://filter URL is a feature documented here: +http://php.net/manual/en/wrappers.php.php + +Unfortunately, it allows remote control of include() behavior +beyond what many developpers expected, enabling easy dump of +PHP source files. The administrator may want to disable the +feature for security sake, and this patch makes that possible. + +--- ./ext/standard/php_fopen_wrapper.c.orig ++++ ./ext/standard/php_fopen_wrapper.c +@@ -345,8 +345,9 @@ + "Error duping file descriptor " ZEND_LONG_FMT "; possibly it doesn't exist: " + "[%d]: %s", fildes_ori, errno, strerror(errno)); + return NULL; + } ++#ifndef DISABLE_FILTER_URL + } else if (!strncasecmp(path, "filter/", 7)) { + /* Save time/memory when chain isn't specified */ + if (strchr(mode, 'r') || strchr(mode, '+')) { + mode_rw |= PHP_STREAM_FILTER_READ; +@@ -382,8 +383,9 @@ + } + efree(pathdup); + + return stream; ++#endif /* !DISABLE_FILTER_URL */ + } else { + /* invalid php://thingy */ + php_error_docref(NULL, E_WARNING, "Invalid php:// URL specified"); + return NULL; --_----------=_1534521841610--
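Review bot: In the pkgsrc/lang/php71/Makefile hunk at @@ -48,6 +48,12 @@, the new comment points to https://bugs.php.net/bug.php?id=74527, while the comment removed from Makefile.php in this same commit refers to "PHP bug #74526" for what reads as the same i386 segfault. One of the two IDs is presumably wrong; check which report covers the problem and cite it consistently. The comment also contains a typo ("buidling").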
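Review bot: In the pkgsrc/lang/php71/Makefile.php hunk at @@ -1,13 +1,8 @@, the i386 GCC_REQD workaround is removed from a file whose header says it is also used by www/ap-php/Makefile and www/php-fpm/Makefile, but the replacement line "CONFIGURE_ARGS+= --disable-gcc-global-regs" is added only to lang/php71/Makefile. As far as these hunks show, ap-php and php-fpm on i386 lose the old workaround without gaining the new flag, and the log message itself says the setting "affects modules too". Consider putting the i386 block in Makefile.php (or the Makefile.common it includes) so every consumer gets it.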
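Review bot: In the pkgsrc/lang/php71/Makefile.php hunk at @@ -45,7 +40,7 @@, disable-filter-url is added to PKG_SUPPORTED_OPTIONS but not to PKG_SUGGESTED_OPTIONS, so a default build still accepts php://filter and the hardening only exists where the administrator sets the option. Since the pullup is labelled a security fix, state in the log or package notes that the option is opt-in, so nobody assumes the 7.1.20 package disables the wrapper by default. The option name is a negative (setting it turns a feature off), so a one-line comment beside the ".if !empty(PKG_OPTIONS:Mdisable-filter-url)" block at @@ -92,5 +87,9 @@ would also help.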
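Review bot: In the added patch-disable-filter-url, the "#ifndef DISABLE_FILTER_URL" / "#endif" pair compiles out the whole "filter/" branch, so with the option set a php://filter/ path falls through to the final else and raises the generic "Invalid php:// URL specified" warning. That is indistinguishable from a mistyped URL; a small "#else" branch that still matches "filter/" and warns that php://filter was disabled at build time would make breakage in existing applications diagnosable from the logs. The guard is opened in one inner hunk (@@ -345,8 +345,9 @@) and closed in the other (@@ -382,8 +383,9 @@), each sitting between a "}" and a "} else", so a short comment at the "#ifndef" naming the branch it guards would make later rebases against upstream safer.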