Your message dated Tue, 18 Apr 2023 13:56:26 +0200
with message-id <[email protected]>
and subject line php5 has been superseded by php7
has caused the Debian Bug report #890266,
regarding php5-common: 
0050-Detect-invalid-port-in-xp_socket-parse-ip-address.patch incomplete
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
890266: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890266
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: php5-common
Version: 5.6.33+dfsg-0+deb8u1
Severity: important
Tags: patch

There was a bug reported and fixed:
https://bugs.php.net/bug.php?id=74216
https://security-tracker.debian.org/tracker/CVE-2017-7272

The fix consisted of two parts, first:
https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a
the fix had a big impact on applications relying on the "feature"
```
php5 -r 'print fsockopen("tcp://127.0.0.1:80/foo");'
```

Because of the heavy impact, a fixfix was released:
https://github.com/php/php-src/commit/cda7dcf4cacef3346f9dc2a4dc947e6a74769259

Now, security.debian.org offers 5.6.33+dfsg-0+deb8u1 whcih includes the
following patch:
https://sources.debian.org/src/php5/5.6.33+dfsg-0+deb8u1/debian/patches/0050
-Detect-invalid-port-in-xp_socket-parse-ip-address.patch/

But this is only part 1 of the fix. With this patch, the provided call above
doesn't work anymore.
This means we have to hold back the update. Magento(ecommerce) + Redis won't
work with this incomplete patch.

Please consider removing the patch or completing it with the fixfix.



-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 
'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-42-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
>From cda7dcf4cacef3346f9dc2a4dc947e6a74769259 Mon Sep 17 00:00:00 2001
From: Sara Golemon <[email protected]>
Date: Tue, 25 Apr 2017 12:52:48 +0200
Subject: [PATCH] Follow up patch regarding bug #74216, see bug #74429

While the case in bug #74429 is not documented and is only worky due to
an implementation bug, the strength seems to breach some real world
apps. Given this patch doesn't impact the initial security fix for
bug #74216, it is reasonable to let the apps keep working. As mentioned
in the ticket, this behavior is a subject to change in future versions
and should not be abused.
---
 main/streams/xp_socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main/streams/xp_socket.c b/main/streams/xp_socket.c
index 3ff64787aa14..92be33326081 100644
--- a/main/streams/xp_socket.c
+++ b/main/streams/xp_socket.c
@@ -581,7 +581,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 			return NULL;
 		}
 		*portno = strtol(p + 2, &e, 10);
-		if (e && *e) {
+		if (e && *e && *e != '/') {
 			if (get_err) {
 				*err = strpprintf(0, "Failed to parse address \"%s\"", str);
 			}
@@ -600,7 +600,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 	if (colon) {
 		char *e = NULL;
 		*portno = strtol(colon + 1, &e, 10);
-		if (!e || !*e) {
+		if (!e || !*e || *e == '/') {
 			return estrndup(str, colon - str);
 		}
 	}
>From cda7dcf4cacef3346f9dc2a4dc947e6a74769259 Mon Sep 17 00:00:00 2001
From: Sara Golemon <[email protected]>
Date: Tue, 25 Apr 2017 12:52:48 +0200
Subject: [PATCH] Follow up patch regarding bug #74216, see bug #74429

While the case in bug #74429 is not documented and is only worky due to
an implementation bug, the strength seems to breach some real world
apps. Given this patch doesn't impact the initial security fix for
bug #74216, it is reasonable to let the apps keep working. As mentioned
in the ticket, this behavior is a subject to change in future versions
and should not be abused.
---
 main/streams/xp_socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main/streams/xp_socket.c b/main/streams/xp_socket.c
index 3ff64787aa14..92be33326081 100644
--- a/main/streams/xp_socket.c
+++ b/main/streams/xp_socket.c
@@ -581,7 +581,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 			return NULL;
 		}
 		*portno = strtol(p + 2, &e, 10);
-		if (e && *e) {
+		if (e && *e && *e != '/') {
 			if (get_err) {
 				*err = strpprintf(0, "Failed to parse address \"%s\"", str);
 			}
@@ -600,7 +600,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 	if (colon) {
 		char *e = NULL;
 		*portno = strtol(colon + 1, &e, 10);
-		if (!e || !*e) {
+		if (!e || !*e || *e == '/') {
 			return estrndup(str, colon - str);
 		}
 	}
>From cda7dcf4cacef3346f9dc2a4dc947e6a74769259 Mon Sep 17 00:00:00 2001
From: Sara Golemon <[email protected]>
Date: Tue, 25 Apr 2017 12:52:48 +0200
Subject: [PATCH] Follow up patch regarding bug #74216, see bug #74429

While the case in bug #74429 is not documented and is only worky due to
an implementation bug, the strength seems to breach some real world
apps. Given this patch doesn't impact the initial security fix for
bug #74216, it is reasonable to let the apps keep working. As mentioned
in the ticket, this behavior is a subject to change in future versions
and should not be abused.
---
 main/streams/xp_socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main/streams/xp_socket.c b/main/streams/xp_socket.c
index 3ff64787aa14..92be33326081 100644
--- a/main/streams/xp_socket.c
+++ b/main/streams/xp_socket.c
@@ -581,7 +581,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 			return NULL;
 		}
 		*portno = strtol(p + 2, &e, 10);
-		if (e && *e) {
+		if (e && *e && *e != '/') {
 			if (get_err) {
 				*err = strpprintf(0, "Failed to parse address \"%s\"", str);
 			}
@@ -600,7 +600,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 	if (colon) {
 		char *e = NULL;
 		*portno = strtol(colon + 1, &e, 10);
-		if (!e || !*e) {
+		if (!e || !*e || *e == '/') {
 			return estrndup(str, colon - str);
 		}
 	}
>From cda7dcf4cacef3346f9dc2a4dc947e6a74769259 Mon Sep 17 00:00:00 2001
From: Sara Golemon <[email protected]>
Date: Tue, 25 Apr 2017 12:52:48 +0200
Subject: [PATCH] Follow up patch regarding bug #74216, see bug #74429

While the case in bug #74429 is not documented and is only worky due to
an implementation bug, the strength seems to breach some real world
apps. Given this patch doesn't impact the initial security fix for
bug #74216, it is reasonable to let the apps keep working. As mentioned
in the ticket, this behavior is a subject to change in future versions
and should not be abused.
---
 main/streams/xp_socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main/streams/xp_socket.c b/main/streams/xp_socket.c
index 3ff64787aa14..92be33326081 100644
--- a/main/streams/xp_socket.c
+++ b/main/streams/xp_socket.c
@@ -581,7 +581,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 			return NULL;
 		}
 		*portno = strtol(p + 2, &e, 10);
-		if (e && *e) {
+		if (e && *e && *e != '/') {
 			if (get_err) {
 				*err = strpprintf(0, "Failed to parse address \"%s\"", str);
 			}
@@ -600,7 +600,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 	if (colon) {
 		char *e = NULL;
 		*portno = strtol(colon + 1, &e, 10);
-		if (!e || !*e) {
+		if (!e || !*e || *e == '/') {
 			return estrndup(str, colon - str);
 		}
 	}
>From cda7dcf4cacef3346f9dc2a4dc947e6a74769259 Mon Sep 17 00:00:00 2001
From: Sara Golemon <[email protected]>
Date: Tue, 25 Apr 2017 12:52:48 +0200
Subject: [PATCH] Follow up patch regarding bug #74216, see bug #74429

While the case in bug #74429 is not documented and is only worky due to
an implementation bug, the strength seems to breach some real world
apps. Given this patch doesn't impact the initial security fix for
bug #74216, it is reasonable to let the apps keep working. As mentioned
in the ticket, this behavior is a subject to change in future versions
and should not be abused.
---
 main/streams/xp_socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main/streams/xp_socket.c b/main/streams/xp_socket.c
index 3ff64787aa14..92be33326081 100644
--- a/main/streams/xp_socket.c
+++ b/main/streams/xp_socket.c
@@ -581,7 +581,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 			return NULL;
 		}
 		*portno = strtol(p + 2, &e, 10);
-		if (e && *e) {
+		if (e && *e && *e != '/') {
 			if (get_err) {
 				*err = strpprintf(0, "Failed to parse address \"%s\"", str);
 			}
@@ -600,7 +600,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 	if (colon) {
 		char *e = NULL;
 		*portno = strtol(colon + 1, &e, 10);
-		if (!e || !*e) {
+		if (!e || !*e || *e == '/') {
 			return estrndup(str, colon - str);
 		}
 	}
>From cda7dcf4cacef3346f9dc2a4dc947e6a74769259 Mon Sep 17 00:00:00 2001
From: Sara Golemon <[email protected]>
Date: Tue, 25 Apr 2017 12:52:48 +0200
Subject: [PATCH] Follow up patch regarding bug #74216, see bug #74429

While the case in bug #74429 is not documented and is only worky due to
an implementation bug, the strength seems to breach some real world
apps. Given this patch doesn't impact the initial security fix for
bug #74216, it is reasonable to let the apps keep working. As mentioned
in the ticket, this behavior is a subject to change in future versions
and should not be abused.
---
 main/streams/xp_socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main/streams/xp_socket.c b/main/streams/xp_socket.c
index 3ff64787aa14..92be33326081 100644
--- a/main/streams/xp_socket.c
+++ b/main/streams/xp_socket.c
@@ -581,7 +581,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 			return NULL;
 		}
 		*portno = strtol(p + 2, &e, 10);
-		if (e && *e) {
+		if (e && *e && *e != '/') {
 			if (get_err) {
 				*err = strpprintf(0, "Failed to parse address \"%s\"", str);
 			}
@@ -600,7 +600,7 @@ static inline char *parse_ip_address_ex(const char *str, size_t str_len, int *po
 	if (colon) {
 		char *e = NULL;
 		*portno = strtol(colon + 1, &e, 10);
-		if (!e || !*e) {
+		if (!e || !*e || *e == '/') {
 			return estrndup(str, colon - str);
 		}
 	}

--- End Message ---
--- Begin Message ---
Version: 5.6.26+dfsg-1+rm

php5 was last released with Debian 8 (jessie) in April 2015
and was removed from the Debian archive afterwards.
It has been superseded by php7.0 and newer versions.
See https://bugs.debian.org/841781 for details on the removal.
Regular security support for jessie ended in June 2018 and LTS support ended in June 2020.
I'm closing the remaining bug reports now.

Andreas

--- End Message ---

Reply via email to