Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected] Control: affects -1 + src:phpunit User: [email protected] Usertags: pu
[ This is the counterpart of #1126796 for trixie ] Hi, As agreed with the security team, I’d like to get CVE-2026-24765 fixed via a point release. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Thanks in advance for considering. Regards, taffit
diff -Nru phpunit-9.6.7/debian/changelog phpunit-9.6.7/debian/changelog
--- phpunit-9.6.7/debian/changelog 2023-04-15 08:00:46.000000000 +0200
+++ phpunit-9.6.7/debian/changelog 2026-01-29 08:02:08.000000000 +0100
@@ -1,3 +1,11 @@
+phpunit (9.6.7-1+deb12u1) bookworm; urgency=medium
+
+ * Track debian/bookworm-security
+ * Fix Unsafe Deserialization in PHPT Code Coverage Handling [CVE-2026-24765]
+ * Workaround empty file not added by patch
+
+ -- David Prévot <[email protected]> Thu, 29 Jan 2026 08:02:08 +0100
+
 phpunit (9.6.7-1) unstable; urgency=medium
 [ Sebastian Bergmann ]
diff -Nru phpunit-9.6.7/debian/clean phpunit-9.6.7/debian/clean
--- phpunit-9.6.7/debian/clean 2022-06-18 15:37:38.000000000 +0200
+++ phpunit-9.6.7/debian/clean 2026-01-29 08:02:08.000000000 +0100
@@ -8,6 +8,7 @@
 tests/_files/.phpunit.result.cache
 tests/_files/*/.phpunit.result.cache
 tests/basic/.phpunit.result.cache
+tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
 tests/end-to-end/force-covers-annotation/.phpunit.result.cache
 tests/end-to-end/*/*/.phpunit.result.cache
 tests/end-to-end/regression/GitHub/*/.phpunit.result.cache
diff -Nru phpunit-9.6.7/debian/control phpunit-9.6.7/debian/control
--- phpunit-9.6.7/debian/control 2023-03-30 07:29:42.000000000 +0200
+++ phpunit-9.6.7/debian/control 2026-01-29 08:02:08.000000000 +0100
@@ -28,7 +28,7 @@
 pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.2
 Rules-Requires-Root: no
-Vcs-Git: https://salsa.debian.org/php-team/pear/phpunit.git -b debian/bookworm
+Vcs-Git: https://salsa.debian.org/php-team/pear/phpunit.git -b debian/bookworm-security
 Vcs-Browser: https://salsa.debian.org/php-team/pear/phpunit
 Homepage: https://phpunit.de/
diff -Nru phpunit-9.6.7/debian/gbp.conf phpunit-9.6.7/debian/gbp.conf
--- phpunit-9.6.7/debian/gbp.conf 2023-03-30 07:29:42.000000000 +0200
+++ phpunit-9.6.7/debian/gbp.conf 2026-01-29 08:02:08.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/bookworm
+debian-branch = debian/bookworm-security
 filter = [ '.gitattributes', 'tools' ]
 pristine-tar = True
 upstream-branch = upstream-9
diff -Nru phpunit-9.6.7/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch phpunit-9.6.7/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch
--- phpunit-9.6.7/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpunit-9.6.7/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch 2026-01-29 08:02:08.000000000 +0100
@@ -0,0 +1,142 @@
+From: Sebastian Bergmann <[email protected]>
+Date: Mon, 26 Jan 2026 17:37:32 +0100
+Subject: Do not run PHPT test when its temporary file for code coverage
+ information exists
+
+Origin: backport, https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda
+Bug: https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-24765
+---
+ src/Runner/PhptTestCase.php | 57 ++++++++++++++++++----
+ .../_files/phpt-coverage-file-exists/test.coverage | 0
+ .../_files/phpt-coverage-file-exists/test.phpt | 7 +++
+ .../end-to-end/phpt/phpt-coverage-file-exists.phpt | 13 +++++
+ 4 files changed, 67 insertions(+), 10 deletions(-)
+ create mode 100644 tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+ create mode 100644 tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+ create mode 100644 tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+
+diff --git a/src/Runner/PhptTestCase.php b/src/Runner/PhptTestCase.php
+index 6590102..c9edd42 100644
+--- a/src/Runner/PhptTestCase.php
++++ b/src/Runner/PhptTestCase.php
+@@ -19,6 +19,7 @@ use function dirname;
+ use function explode;
+ use function extension_loaded;
+ use function file;
++use function file_exists;
+ use function file_get_contents;
+ use function file_put_contents;
+ use function is_array;
+@@ -87,17 +88,13 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+ */
+ public function __construct(string $filename, AbstractPhpProcess $phpUtil = null)
+ {
+- if (!is_file($filename)) {
+- throw new Exception(
+- sprintf(
+- 'File "%s" does not exist.',
+- $filename
+- )
+- );
+- }
++ $this->ensureFileExists($filename);
+
+ $this->filename = $filename;
+- $this->phpUtil = $phpUtil ?: AbstractPhpProcess::factory();
++
++ $this->ensureCoverageFileDoesNotExist();
++
++ $this->phpUtil = $phpUtil ?: AbstractPhpProcess::factory();
+ }
+
+ /**
+@@
-655,7 +652,14 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+ $buffer = @file_get_contents($files['coverage']);
+
+ if ($buffer !== false) {
+- $coverage = @unserialize($buffer);
++ $coverage = @unserialize(
++ $buffer,
++ [
++ 'allowed_classes' => [
++ RawCodeCoverageData::class,
++ ],
++ ],
++ );
+
+ if ($coverage === false) {
+ $coverage = RawCodeCoverageData::fromXdebugWithoutPathCoverage([]);
+@@ -861,4 +865,37 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+
+ return $settings;
+ }
++
++ /**
++ * @throws Exception
++ */
++ private function ensureFileExists(string $filename): void
++ {
++ if (!is_file($filename)) {
++ throw new Exception(
++ sprintf(
++ 'File "%s" does not exist.',
++ $filename,
++ ),
++ );
++ }
++ }
++
++ /**
++ * @throws Exception
++ */
++ private function ensureCoverageFileDoesNotExist(): void
++ {
++ $files = $this->getCoverageFiles();
++
++ if (file_exists($files['coverage'])) {
++ throw new Exception(
++ sprintf(
++ 'File %s exists, PHPT test %s will not be executed',
++ $files['coverage'],
++ $this->filename,
++ ),
++ );
++ }
++ }
+ }
+diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage b/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+new file mode 100644
+index 0000000..e69de29
+diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+new file mode 100644
+index 0000000..0a5b252
+--- /dev/null
++++ b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+@@ -0,0 +1,7 @@
++--TEST--
++test
++--FILE--
++<?php declare(strict_types=1);
++print 'test';
++--EXPECT--
++test
+diff --git a/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+new file mode 100644
+index 0000000..c05438b
+--- /dev/null
++++ b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Error when code
coverage file exists
++--FILE--
++<?php declare(strict_types=1);
++$_SERVER['argv'][] = '--do-not-cache-result';
++$_SERVER['argv'][] = '--no-configuration';
++$_SERVER['argv'][] = \realpath(__DIR__ . '/../_files/phpt-coverage-file-exists/test.phpt');
++
++require_once __DIR__ . '/../../bootstrap.php';
++
++PHPUnit\TextUI\Command::main();
++--EXPECTF--
++Fatal error: Uncaught PHPUnit\Runner\Exception: File %stest.coverage exists, PHPT test %stest.phpt will not be executed%A
diff -Nru phpunit-9.6.7/debian/patches/series phpunit-9.6.7/debian/patches/series
--- phpunit-9.6.7/debian/patches/series 2023-04-15 07:58:07.000000000 +0200
+++ phpunit-9.6.7/debian/patches/series 2026-01-29 08:02:08.000000000 +0100
@@ -1,3 +1,4 @@
 0001-Remove-Composer-autoload.patch
 0002-schema-is-installed-in-usr-share-php-data-PHPUnit.patch
 0003-Default-cache-location-to-current-directory.patch
+0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch
diff -Nru phpunit-9.6.7/debian/rules phpunit-9.6.7/debian/rules
--- phpunit-9.6.7/debian/rules 2023-03-30 07:29:42.000000000 +0200
+++ phpunit-9.6.7/debian/rules 2026-01-29 08:02:08.000000000 +0100
@@ -35,6 +35,9 @@
 # Mimic phpunit.xsd path
 ln -s .. data/PHPUnit
+ # Workaround empty file not added by patch
+ touch tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+
 override_dh_auto_clean:
 override_dh_auto_test:
diff -Nru phpunit-9.6.7/debian/tests/control phpunit-9.6.7/debian/tests/control
--- phpunit-9.6.7/debian/tests/control 2023-03-30 07:29:42.000000000 +0200
+++ phpunit-9.6.7/debian/tests/control 2026-01-29 08:02:08.000000000 +0100
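Review bot: In the backported `-655,7 +652,14` hunk of src/Runner/PhptTestCase.php the fallback right after the new `unserialize()` call still tests only `$coverage === false`, so a coverage file that deserializes to an array, a scalar or — now that `allowed_classes` is restricted — a `__PHP_Incomplete_Class` is accepted as-is; the rest of that method lies outside the hunk, so confirm how `$coverage` is consumed, but it is presumably handed on as a `RawCodeCoverageData`. Changing the guard to `if (!$coverage instanceof RawCodeCoverageData) {` turns the allow-list into an actual rejection instead of a silent downgrade, and also covers malformed input whose warning the retained `@` suppression hides. The new `ensureCoverageFileDoesNotExist()` check runs once in the constructor while the coverage file is read later in the run, so a type check on the read side is the sturdier of the two defenses added here. The two new private methods carry only `@throws` docblocks; a one-line purpose comment on `ensureCoverageFileDoesNotExist()` such as `// A pre-existing coverage file was not written by this run's child process and must not be deserialized.` would tell future maintainers why the test is refused rather than the file overwritten.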
@@ -1,3 +1,3 @@
-Test-Command: mkdir -p vendor && phpabtpl --require phpunit/phpunit --require-file ../tests/_files/CoverageNamespacedFunctionTest.php --require-file ../tests/_files/CoveredFunction.php --require-file ../tests/_files/NamespaceCoveredFunction.php > debian/autoload.tests.php.tpl && phpab --output vendor/autoload.php --template debian/autoload.tests.php.tpl --exclude tests/end-to-end/migration/_files/possibility-to-migrate-from-92-is-detected/src/Greeter.php --exclude tests/end-to-end/migration/_files/possibility-to-migrate-from-92-is-detected/tests/GreeterTest.php --exclude tests/end-to-end/regression/2448/Test.php --exclude tests/end-to-end/regression/4376/tests/Test.php tests && phpunit
+Test-Command: mkdir -p vendor && phpabtpl --require phpunit/phpunit --require-file ../tests/_files/CoverageNamespacedFunctionTest.php --require-file ../tests/_files/CoveredFunction.php --require-file ../tests/_files/NamespaceCoveredFunction.php > debian/autoload.tests.php.tpl && phpab --output vendor/autoload.php --template debian/autoload.tests.php.tpl --exclude tests/end-to-end/migration/_files/possibility-to-migrate-from-92-is-detected/src/Greeter.php --exclude tests/end-to-end/migration/_files/possibility-to-migrate-from-92-is-detected/tests/GreeterTest.php --exclude tests/end-to-end/regression/2448/Test.php --exclude tests/end-to-end/regression/4376/tests/Test.php tests && touch tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage && phpunit
 Restrictions: rw-build-tree, allow-stderr
 Depends: php-soap, phpab, pkg-php-tools (>= 1.41~), @

