Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:phpunit User: [email protected] Usertags: pu
Hi, As agreed with the security team, I’d like to get CVE-2026-24765 fixed via a point release. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Thanks in advance for considering. Regards, taffit
diff -Nru phpunit-11.5.19/debian/changelog phpunit-11.5.19/debian/changelog
--- phpunit-11.5.19/debian/changelog 2025-05-03 07:36:49.000000000 +0200
+++ phpunit-11.5.19/debian/changelog 2026-01-29 06:09:18.000000000 +0100
@@ -1,3 +1,11 @@
+phpunit (11.5.19-1+deb13u1) trixie; urgency=medium
+
+ * Track debian/trixie
+ * Fix Unsafe Deserialization in PHPT Code Coverage Handling [CVE-2026-24765]
+ * Workaround empty file not added by patch
+
+ -- David Prévot <[email protected]> Thu, 29 Jan 2026 06:09:18 +0100
+
 phpunit (11.5.19-1) unstable; urgency=medium
 
 [ Sebastian Bergmann ]
diff -Nru phpunit-11.5.19/debian/clean phpunit-11.5.19/debian/clean
--- phpunit-11.5.19/debian/clean 2025-05-03 07:35:48.000000000 +0200
+++ phpunit-11.5.19/debian/clean 2026-01-29 06:09:18.000000000 +0100
@@ -7,6 +7,7 @@
 tests/_files/.phpunit.result.cache
 tests/_files/*/.phpunit.result.cache
 tests/basic/.phpunit.result.cache
+tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
 tests/end-to-end/force-covers-annotation/.phpunit.result.cache
 tests/end-to-end/*/*/.phpunit.result.cache
 tests/end-to-end/regression/GitHub/*/.phpunit.result.cache
diff -Nru phpunit-11.5.19/debian/control phpunit-11.5.19/debian/control
--- phpunit-11.5.19/debian/control 2025-05-03 07:35:48.000000000 +0200
+++ phpunit-11.5.19/debian/control 2026-01-29 06:09:18.000000000 +0100
@@ -27,7 +27,7 @@
 phpunit-type (>= 5)
 Standards-Version: 4.7.2
 Rules-Requires-Root: no
-Vcs-Git: https://salsa.debian.org/php-team/pear/phpunit.git -b debian/11
+Vcs-Git: https://salsa.debian.org/php-team/pear/phpunit.git -b debian/trixie
 Vcs-Browser: https://salsa.debian.org/php-team/pear/phpunit
 Homepage: https://phpunit.de/
 
diff -Nru phpunit-11.5.19/debian/gbp.conf phpunit-11.5.19/debian/gbp.conf
--- phpunit-11.5.19/debian/gbp.conf 2025-05-03 07:35:48.000000000 +0200
+++ phpunit-11.5.19/debian/gbp.conf 2026-01-29 06:09:18.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/11
+debian-branch = debian/trixie
 filter = [ '.gitattributes', 'tools' ]
 pristine-tar = True
 upstream-branch = upstream-11
diff -Nru phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch
--- phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch 2026-01-29 06:09:18.000000000 +0100
@@ -0,0 +1,158 @@
+From: Sebastian Bergmann <[email protected]>
+Date: Mon, 26 Jan 2026 17:37:32 +0100
+Subject: Do not run PHPT test when its temporary file for code coverage
+ information exists
+
+Origin: backport, https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda
+Bug: https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-24765
+---
+ .../Exception/CodeCoverageFileExistsException.php | 21 +++++++++++++++
+ src/Runner/PHPT/PhptTestCase.php | 31 +++++++++++++++++++++-
+ .../_files/phpt-coverage-file-exists/test.coverage | 0
+ .../_files/phpt-coverage-file-exists/test.phpt | 7 +++++
+ .../end-to-end/phpt/phpt-coverage-file-exists.phpt | 21 +++++++++++++++
+ 5 files changed, 79 insertions(+), 1 deletion(-)
+ create mode 100644 src/Runner/Exception/CodeCoverageFileExistsException.php
+ create mode 100644 tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+ create mode 100644 tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+ create mode 100644 tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+
+diff --git a/src/Runner/Exception/CodeCoverageFileExistsException.php b/src/Runner/Exception/CodeCoverageFileExistsException.php
+new file mode 100644
+index 0000000..3ffde5b
+--- /dev/null
++++ b/src/Runner/Exception/CodeCoverageFileExistsException.php
+@@ -0,0 +1,21 @@
++<?php declare(strict_types=1);
++/*
++ * This file is part of PHPUnit.
++ *
++ * (c) Sebastian Bergmann <[email protected]>
++ *
++ * For the full copyright and license information, please view the LICENSE
++ * file that was distributed with this source code.
++ */
++namespace PHPUnit\Runner;
++
++use RuntimeException;
++
++/**
++ * @no-named-arguments Parameter names are not covered by the backward compatibility promise for PHPUnit
++ *
++ * @internal This class is not covered by the backward compatibility promise for PHPUnit
++ */
++final class CodeCoverageFileExistsException extends RuntimeException implements Exception
++{
++}
+diff --git a/src/Runner/PHPT/PhptTestCase.php b/src/Runner/PHPT/PhptTestCase.php
+index 2ebdad2..30fe331 100644
+--- a/src/Runner/PHPT/PhptTestCase.php
++++ b/src/Runner/PHPT/PhptTestCase.php
+@@ -20,6 +20,7 @@ use function dirname;
+ use function explode;
+ use function extension_loaded;
+ use function file;
++use function file_exists;
+ use function file_get_contents;
+ use function file_put_contents;
+ use function is_array;
+@@ -34,6 +35,7 @@ use function preg_replace;
+ use function preg_split;
+ use function realpath;
+ use function rtrim;
++use function sprintf;
+ use function str_contains;
+ use function str_replace;
+ use function str_starts_with;
+@@ -93,6 +95,8 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+ public function __construct(string $filename)
+ {
+ $this->filename = $filename;
++
++ $this->ensureCoverageFileDoesNotExist();
+ }
+
+ /**
+@@ -784,7 +788,14 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+ }
+
+ if ($buffer !== false) {
+- $coverage = @unserialize($buffer);
++ $coverage = @unserialize(
++ $buffer,
++ [
++ 'allowed_classes' => [
++ RawCodeCoverageData::class,
++ ],
++ ],
++ );
+
+ if ($coverage === false) {
+ /**
+@@ -987,4 +998,22 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+
+ return $settings;
+ }
++
++ /**
++ * @throws CodeCoverageFileExistsException
++ */
++ private function ensureCoverageFileDoesNotExist(): void
++ {
++ $files = $this->coverageFiles();
++
++ if (file_exists($files['coverage'])) {
++ throw new CodeCoverageFileExistsException(
++ sprintf(
++ 'File %s exists, 
PHPT test %s will not be executed',
++ $files['coverage'],
++ $this->filename,
++ ),
++ );
++ }
++ }
+ }
+diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage b/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+new file mode 100644
+index 0000000..e69de29
+diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+new file mode 100644
+index 0000000..0a5b252
+--- /dev/null
++++ b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+@@ -0,0 +1,7 @@
++--TEST--
++test
++--FILE--
++<?php declare(strict_types=1);
++print 'test';
++--EXPECT--
++test
+diff --git a/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+new file mode 100644
+index 0000000..05346c4
+--- /dev/null
++++ b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+@@ -0,0 +1,21 @@
++--TEST--
++Error when code coverage file exists
++--FILE--
++<?php declare(strict_types=1);
++$_SERVER['argv'][] = '--do-not-cache-result';
++$_SERVER['argv'][] = '--no-configuration';
++$_SERVER['argv'][] = \realpath(__DIR__ . '/../_files/phpt-coverage-file-exists/test.phpt');
++
++require_once __DIR__ . '/../../bootstrap.php';
++
++(new PHPUnit\TextUI\Application)->run($_SERVER['argv']);
++--EXPECTF--
++PHPUnit %s by Sebastian Bergmann and contributors.
++
++Runtime: %s
++
++There was 1 PHPUnit test runner warning:
++
++1) File %stest.coverage exists, PHPT test %stest.phpt will not be executed
++
++No tests executed!
diff -Nru phpunit-11.5.19/debian/patches/series phpunit-11.5.19/debian/patches/series
--- phpunit-11.5.19/debian/patches/series 2025-05-03 07:36:00.000000000 +0200
+++ phpunit-11.5.19/debian/patches/series 2026-01-29 06:09:18.000000000 +0100
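Review bot: The `if ($coverage === false)` guard kept after the rewritten `@unserialize(...)` call in the `@@ -784,7 +788,14 @@` hunk of the nested PhptTestCase.php patch does not cover the failure mode the `allowed_classes` option introduces: a payload naming any class other than `RawCodeCoverageData` is not rejected but comes back as a `__PHP_Incomplete_Class` instance (or a structure containing one), which is neither `false` nor the expected type. Unless the code after the hunk already checks the type (the enclosing method starts and ends outside the hunk), a positive check such as `if (!$coverage instanceof RawCodeCoverageData) {` would route malformed or tampered coverage data through whatever the existing `false` branch does instead of letting it flow onward, and the `@` suppression could then be dropped. The new `ensureCoverageFileDoesNotExist()` only verifies a precondition at construction time; the `allowed_classes` restriction is the control that makes the later read of `$files['coverage']` safe, so its docblock would say more than the bare `@throws`, for example `Refuses to run a PHPT test whose coverage scratch file already exists; the file read later is only trusted as far as the allowed_classes limit on unserialize().`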
@@ -1,3 +1,5 @@
 0001-Remove-Composer-autoload.patch
 0002-schema-is-installed-in-usr-share-php-data-PHPUnit.patch
 0003-Use-mimicked-install-path.patch
+0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch
+# DEP-8/Use-system-path.patch
diff -Nru phpunit-11.5.19/debian/rules phpunit-11.5.19/debian/rules
--- phpunit-11.5.19/debian/rules 2025-05-03 07:35:48.000000000 +0200
+++ phpunit-11.5.19/debian/rules 2026-01-29 06:09:18.000000000 +0100
@@ -111,6 +111,9 @@
 # Mimic phpunit.xsd path
 ln -rs . mimic/share/php/data/PHPUnit
+ # Workaround empty file not added by patch
+ touch tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+
 override_dh_auto_clean:
 override_dh_auto_test:
diff -Nru phpunit-11.5.19/debian/tests/phpunit phpunit-11.5.19/debian/tests/phpunit
--- phpunit-11.5.19/debian/tests/phpunit 2025-05-03 07:35:48.000000000 +0200
+++ phpunit-11.5.19/debian/tests/phpunit 2026-01-29 06:09:18.000000000 +0100
@@ -88,6 +88,10 @@
 --exclude tests/end-to-end/_files/force-covers-annotation/tests/Test.php \
 --exclude tests/end-to-end/_files/phar-extension/tests/Test.php \
 --exclude tests/_files/AlternativeSuffixTest.test.php tests
+
+# Workaround empty file not added by patch
+touch tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+
 phpunit --display-skipped
 exit=$?
 patch -Rp1 < debian/patches/DEP-8/Use-system-path.patch