Your message dated Sat, 14 Mar 2026 11:48:36 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1126796,
regarding trixie-pu: package phpunit/11.5.19-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126796
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:phpunit
User: [email protected]
Usertags: pu
Hi,
As agreed with the security team, I’d like to get CVE-2026-24765 fixed
via a point release.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Thanks in advance for considering.
Regards,
taffit
diff -Nru phpunit-11.5.19/debian/changelog phpunit-11.5.19/debian/changelog
--- phpunit-11.5.19/debian/changelog 2025-05-03 07:36:49.000000000 +0200
+++ phpunit-11.5.19/debian/changelog 2026-01-29 06:09:18.000000000 +0100
@@ -1,3 +1,11 @@
+phpunit (11.5.19-1+deb13u1) trixie; urgency=medium
+
+ * Track debian/trixie
+ * Fix Unsafe Deserialization in PHPT Code Coverage Handling [CVE-2026-24765]
+ * Workaround empty file not added by patch
+
+ -- David Prévot <[email protected]> Thu, 29 Jan 2026 06:09:18 +0100
+
phpunit (11.5.19-1) unstable; urgency=medium
[ Sebastian Bergmann ]
diff -Nru phpunit-11.5.19/debian/clean phpunit-11.5.19/debian/clean
--- phpunit-11.5.19/debian/clean 2025-05-03 07:35:48.000000000 +0200
+++ phpunit-11.5.19/debian/clean 2026-01-29 06:09:18.000000000 +0100
@@ -7,6 +7,7 @@
tests/_files/.phpunit.result.cache
tests/_files/*/.phpunit.result.cache
tests/basic/.phpunit.result.cache
+tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
tests/end-to-end/force-covers-annotation/.phpunit.result.cache
tests/end-to-end/*/*/.phpunit.result.cache
tests/end-to-end/regression/GitHub/*/.phpunit.result.cache
diff -Nru phpunit-11.5.19/debian/control phpunit-11.5.19/debian/control
--- phpunit-11.5.19/debian/control 2025-05-03 07:35:48.000000000 +0200
+++ phpunit-11.5.19/debian/control 2026-01-29 06:09:18.000000000 +0100
@@ -27,7 +27,7 @@
phpunit-type (>= 5)
Standards-Version: 4.7.2
Rules-Requires-Root: no
-Vcs-Git: https://salsa.debian.org/php-team/pear/phpunit.git -b debian/11
+Vcs-Git: https://salsa.debian.org/php-team/pear/phpunit.git -b debian/trixie
Vcs-Browser: https://salsa.debian.org/php-team/pear/phpunit
Homepage: https://phpunit.de/
diff -Nru phpunit-11.5.19/debian/gbp.conf phpunit-11.5.19/debian/gbp.conf
--- phpunit-11.5.19/debian/gbp.conf 2025-05-03 07:35:48.000000000 +0200
+++ phpunit-11.5.19/debian/gbp.conf 2026-01-29 06:09:18.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = debian/11
+debian-branch = debian/trixie
filter = [ '.gitattributes', 'tools' ]
pristine-tar = True
upstream-branch = upstream-11
diff -Nru phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch
--- phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch 2026-01-29 06:09:18.000000000 +0100
@@ -0,0 +1,158 @@
+From: Sebastian Bergmann <[email protected]>
+Date: Mon, 26 Jan 2026 17:37:32 +0100
+Subject: Do not run PHPT test when its temporary file for code coverage
+ information exists
+
+Origin: backport, https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda
+Bug: https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-24765
+---
+ .../Exception/CodeCoverageFileExistsException.php | 21 +++++++++++++++
+ src/Runner/PHPT/PhptTestCase.php | 31 +++++++++++++++++++++-
+ .../_files/phpt-coverage-file-exists/test.coverage | 0
+ .../_files/phpt-coverage-file-exists/test.phpt | 7 +++++
+ .../end-to-end/phpt/phpt-coverage-file-exists.phpt | 21 +++++++++++++++
+ 5 files changed, 79 insertions(+), 1 deletion(-)
+ create mode 100644 src/Runner/Exception/CodeCoverageFileExistsException.php
+ create mode 100644 tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+ create mode 100644 tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+ create mode 100644 tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+
+diff --git a/src/Runner/Exception/CodeCoverageFileExistsException.php b/src/Runner/Exception/CodeCoverageFileExistsException.php
+new file mode 100644
+index 0000000..3ffde5b
+--- /dev/null
++++ b/src/Runner/Exception/CodeCoverageFileExistsException.php
+@@ -0,0 +1,21 @@
++<?php declare(strict_types=1);
++/*
++ * This file is part of PHPUnit.
++ *
++ * (c) Sebastian Bergmann <[email protected]>
++ *
++ * For the full copyright and license information, please view the LICENSE
++ * file that was distributed with this source code.
++ */
++namespace PHPUnit\Runner;
++
++use RuntimeException;
++
++/**
++ * @no-named-arguments Parameter names are not covered by the backward compatibility promise for PHPUnit
++ *
++ * @internal This class is not covered by the backward compatibility promise for PHPUnit
++ */
++final class CodeCoverageFileExistsException extends RuntimeException implements Exception
++{
++}
+diff --git a/src/Runner/PHPT/PhptTestCase.php b/src/Runner/PHPT/PhptTestCase.php
+index 2ebdad2..30fe331 100644
+--- a/src/Runner/PHPT/PhptTestCase.php
++++ b/src/Runner/PHPT/PhptTestCase.php
+@@ -20,6 +20,7 @@ use function dirname;
+ use function explode;
+ use function extension_loaded;
+ use function file;
++use function file_exists;
+ use function file_get_contents;
+ use function file_put_contents;
+ use function is_array;
+@@ -34,6 +35,7 @@ use function preg_replace;
+ use function preg_split;
+ use function realpath;
+ use function rtrim;
++use function sprintf;
+ use function str_contains;
+ use function str_replace;
+ use function str_starts_with;
+@@ -93,6 +95,8 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+ public function __construct(string $filename)
+ {
+ $this->filename = $filename;
++
++ $this->ensureCoverageFileDoesNotExist();
+ }
+
+ /**
+@@ -784,7 +788,14 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+ }
+
+ if ($buffer !== false) {
+- $coverage = @unserialize($buffer);
++ $coverage = @unserialize(
++ $buffer,
++ [
++ 'allowed_classes' => [
++ RawCodeCoverageData::class,
++ ],
++ ],
++ );
+
+ if ($coverage === false) {
+ /**
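Review bot: In the `unserialize()` call in this hunk, limiting `allowed_classes` to `RawCodeCoverageData::class` means an object of any other class comes back as `__PHP_Incomplete_Class` rather than `false`, and the only check visible below the call is `if ($coverage === false)`. Please confirm that the code following this block rejects any value that is not a `RawCodeCoverageData` instance; an explicit `instanceof` check would make that obvious. As this is a backport, also confirm that `RawCodeCoverageData` is already imported in 11.5.19's `PhptTestCase.php`, since the import hunks of this patch add only `use function file_exists;` and `use function sprintf;`.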
+@@ -987,4 +998,22 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+
+ return $settings;
+ }
++
++ /**
++ * @throws CodeCoverageFileExistsException
++ */
++ private function ensureCoverageFileDoesNotExist(): void
++ {
++ $files = $this->coverageFiles();
++
++ if (file_exists($files['coverage'])) {
++ throw new CodeCoverageFileExistsException(
++ sprintf(
++ 'File %s exists, PHPT test %s will not be executed',
++ $files['coverage'],
++ $this->filename,
++ ),
++ );
++ }
++ }
+ }
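Review bot: `ensureCoverageFileDoesNotExist()` is called only from the constructor, so the `file_exists($files['coverage'])` check reflects the state at construction time, while the coverage file is unserialized in a separate part of the class (the hunk around line 788). A file that appears between those two points is not caught by this check and is covered only by the `allowed_classes` restriction. If that is the intended split, the docblock, which currently carries only `@throws`, should say that this is a pre-run guard and not the sole protection.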
+diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage b/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+new file mode 100644
+index 0000000..e69de29
+diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+new file mode 100644
+index 0000000..0a5b252
+--- /dev/null
++++ b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+@@ -0,0 +1,7 @@
++--TEST--
++test
++--FILE--
++<?php declare(strict_types=1);
++print 'test';
++--EXPECT--
++test
+diff --git a/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+new file mode 100644
+index 0000000..05346c4
+--- /dev/null
++++ b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+@@ -0,0 +1,21 @@
++--TEST--
++Error when code coverage file exists
++--FILE--
++<?php declare(strict_types=1);
++$_SERVER['argv'][] = '--do-not-cache-result';
++$_SERVER['argv'][] = '--no-configuration';
++$_SERVER['argv'][] = \realpath(__DIR__ . '/../_files/phpt-coverage-file-exists/test.phpt');
++
++require_once __DIR__ . '/../../bootstrap.php';
++
++(new PHPUnit\TextUI\Application)->run($_SERVER['argv']);
++--EXPECTF--
++PHPUnit %s by Sebastian Bergmann and contributors.
++
++Runtime: %s
++
++There was 1 PHPUnit test runner warning:
++
++1) File %stest.coverage exists, PHPT test %stest.phpt will not be executed
++
++No tests executed!
diff -Nru phpunit-11.5.19/debian/patches/series phpunit-11.5.19/debian/patches/series
--- phpunit-11.5.19/debian/patches/series 2025-05-03 07:36:00.000000000 +0200
+++ phpunit-11.5.19/debian/patches/series 2026-01-29 06:09:18.000000000 +0100
@@ -1,3 +1,5 @@
0001-Remove-Composer-autoload.patch
0002-schema-is-installed-in-usr-share-php-data-PHPUnit.patch
0003-Use-mimicked-install-path.patch
+0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch
+# DEP-8/Use-system-path.patch
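Review bot: The second added line, `# DEP-8/Use-system-path.patch`, is not mentioned in the new debian/changelog entry, although the checklist states that all changes are documented there. Either add a changelog line explaining why the commented-out entry is now listed in `series`, or leave it out of this upload if it is not needed for the CVE fix.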
diff -Nru phpunit-11.5.19/debian/rules phpunit-11.5.19/debian/rules
--- phpunit-11.5.19/debian/rules 2025-05-03 07:35:48.000000000 +0200
+++ phpunit-11.5.19/debian/rules 2026-01-29 06:09:18.000000000 +0100
@@ -111,6 +111,9 @@
# Mimic phpunit.xsd path
ln -rs . mimic/share/php/data/PHPUnit
+ # Workaround empty file not added by patch
+ touch tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+
override_dh_auto_clean:
override_dh_auto_test:
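Review bot: The comment `# Workaround empty file not added by patch` above the added `touch` does not say which patch it refers to. Naming `0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch` and the test that needs the file (`tests/end-to-end/phpt/phpt-coverage-file-exists.phpt`) would make it clear when the workaround can be dropped. The same comment and `touch` are repeated in debian/tests/phpunit, so the wording should be updated in both places.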
diff -Nru phpunit-11.5.19/debian/tests/phpunit phpunit-11.5.19/debian/tests/phpunit
--- phpunit-11.5.19/debian/tests/phpunit 2025-05-03 07:35:48.000000000 +0200
+++ phpunit-11.5.19/debian/tests/phpunit 2026-01-29 06:09:18.000000000 +0100
@@ -88,6 +88,10 @@
--exclude tests/end-to-end/_files/force-covers-annotation/tests/Test.php \
--exclude tests/end-to-end/_files/phar-extension/tests/Test.php \
--exclude tests/_files/AlternativeSuffixTest.test.php tests
+
+# Workaround empty file not added by patch
+touch tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+
phpunit --display-skipped
exit=$?
patch -Rp1 < debian/patches/DEP-8/Use-system-path.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---