Package: php7.3-mbstring
Version: 7.3.11-1~deb10u1
Severity: important
Tags: security
Hi,
While working on recent libonig vulnerabilities, I noticed that PHP does not
link it anymore, despite using it as a build-dependency:
$ ldd /usr/lib/php/20180731/mbstring.so
linux-vdso.so.1 (0x00007ffe463ed000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5a84ef1000)
/lib64/ld-linux-x86-64.so.2 (0x00007f5a85270000)
AFAICS the package uses the embedded copy from ext/mbstring/oniguruma/; using
Debian's version would involve passing --with-onig=DIR to the configure script.
It seems this was introduced during a refactoring for 7.0.0-rc1-1
https://lists.debian.org/debian-security/2019/11/msg00020.html
See https://wiki.debian.org/EmbeddedCodeCopies for further information.
Cheers!
Sylvain
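A small checker for the situation this report describes, added here as an example and not part of the bug report or of Debian's tooling: it classifies a shared object as linking the system libonig (ldd lists it), carrying an embedded Oniguruma (no libonig in ldd, but `nm -D` exports onig_* symbols), or not using Oniguruma at all. The nm-based heuristic and the sample ldd/nm outputs are assumptions and constructed data.

```python
"""Classify a shared object's relationship to Oniguruma.
Added example; the nm -D heuristic is an assumption, not a documented check."""
import re
import subprocess
import sys

# A DT_NEEDED entry on the system library shows up in ldd as a libonig.so.* line.
ONIG_NEEDED = re.compile(r"^\s*libonig\.so", re.MULTILINE)
# A copy built into the extension typically exports the public onig_* API.
ONIG_SYMBOL = re.compile(r"\bonig_[a-z_0-9]+\b")


def classify(ldd_out: str, nm_out: str) -> str:
    """ldd_out: text from `ldd <file>`; nm_out: text from `nm -D <file>`.
    Returns 'system-libonig', 'embedded-onig' or 'no-onig'."""
    if ONIG_NEEDED.search(ldd_out):
        return "system-libonig"
    if ONIG_SYMBOL.search(nm_out):
        return "embedded-onig"  # symbols present but no shared-library dependency
    return "no-onig"


def classify_file(path: str) -> str:
    """Run ldd and nm -D on a real file and classify the result (hypothetical helper)."""
    ldd_out = subprocess.run(["ldd", path], capture_output=True, text=True).stdout
    nm_out = subprocess.run(["nm", "-D", path], capture_output=True, text=True).stdout
    return classify(ldd_out, nm_out)


# Constructed sample mirroring the report's ldd output: no libonig line at all.
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffe463ed000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5a84ef1000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f5a85270000)\n"
)
# Constructed nm -D excerpt: an embedded Oniguruma exporting its API.
SAMPLE_NM = (
    "0000000000031a40 T onig_new\n"
    "0000000000032b10 T onig_search\n"
    "                 U memcpy\n"
)

if __name__ == "__main__":
    # Usage: python3 check_onig.py /usr/lib/php/20180731/mbstring.so
    for so in sys.argv[1:]:
        print(so, classify_file(so))
```

Run it over the extension directory of each PHP version; any `embedded-onig` result is a file that will not pick up a libonig security update from the distribution package.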