Re: PHP5 status
On 12/02/2019 15:44, Roberto C. Sánchez wrote:
> On Tue, Feb 12, 2019 at 07:44:41AM +0530, Abhijith PA wrote:
>>
>> That was very stupid of me. I was working on CVE-2018-1000888 in
>> php-pear and this ships via php5 in jessie. I didn't notice php5
>> already entered dla-needed.txt and I went directly changing php-pear to
>> php5. Anyway I released a DLA for my upload.
>>
> No worries, we all make mistakes :-)
>
> It took me several tries to figure out why the 5.6.40 build failed after
> incorporating your change, but I was able to determine that the change
> introduced by your patch is now included upstream. I have an updated
> 5.6.40 build ready and I was waiting on the assignment of CVEs by
> upstream.
>
> I wonder if it would make more sense to go ahead with uploading 5.6.40
> and publish a revision to the DLA, or whether I should continue to wait
> on the CVE assignments. Thoughts?

I would publish it now, saying in the DLA that CVE assignment is pending,
see e.g. the new flatpak DSA. Then once the CVEs are assigned, you just
add them to the DLA entry in data/DLA/list, and you're done.

Cheers,
Emilio
Re: PHP5 status
On Tuesday 12 February 2019 09:36 PM, Roberto C. Sánchez wrote:
> I did a fresh build and uploaded them here:
> https://people.debian.org/~roberto/

This is enough, thanks.

> I don't have a Salsa or other remote Git repository setup, as I just
> work locally.

--abhijith
Re: PHP5 status
On Tue, Feb 12, 2019 at 08:22:08PM +0530, Abhijith PA wrote:
>
>
> On Tuesday 12 February 2019 08:14 PM, Roberto C. Sánchez wrote:
> ..
> > It took me several tries to figure out why the 5.6.40 build failed after
> > incorporating your change, but I was able to determine that the change
> > introduced by your patch is now included upstream. I have an updated
> > 5.6.40 build ready and I was waiting on the assignment of CVEs by
> > upstream.
>
> Can you push your updated php 5.6.40 somewhere? I'd like to take a look.
>
I did a fresh build and uploaded them here:

https://people.debian.org/~roberto/

I don't have a Salsa or other remote Git repository setup, as I just
work locally.

Regards,

-Roberto

--
Roberto C. Sánchez
Re: PHP5 status
On Tuesday 12 February 2019 08:14 PM, Roberto C. Sánchez wrote:
..
> It took me several tries to figure out why the 5.6.40 build failed after
> incorporating your change, but I was able to determine that the change
> introduced by your patch is now included upstream. I have an updated
> 5.6.40 build ready and I was waiting on the assignment of CVEs by
> upstream.

Can you push your updated php 5.6.40 somewhere? I'd like to take a look.

-a
Re: PHP5 status
On Tue, Feb 12, 2019 at 07:44:41AM +0530, Abhijith PA wrote:
>
> That was very stupid of me. I was working on CVE-2018-1000888 in
> php-pear and this ships via php5 in jessie. I didn't notice php5
> already entered dla-needed.txt and I went directly changing php-pear to
> php5. Anyway I released a DLA for my upload.
>
No worries, we all make mistakes :-)

It took me several tries to figure out why the 5.6.40 build failed after
incorporating your change, but I was able to determine that the change
introduced by your patch is now included upstream. I have an updated
5.6.40 build ready and I was waiting on the assignment of CVEs by
upstream.

I wonder if it would make more sense to go ahead with uploading 5.6.40
and publish a revision to the DLA, or whether I should continue to wait
on the CVE assignments. Thoughts?

Regards,

-Roberto

--
Roberto C. Sánchez
Re: PHP5 status
Hi Markus and Roberto

On Tuesday 12 February 2019 02:13 AM, Markus Koschany wrote:
> Hello,
>
> I noticed that both of you work on PHP5. Please coordinate the next
> upload. We should package version 5.6.40 which will fix all known
> issues. I have contacted secur...@php.net and they confirmed to me that
> they will assign new CVE numbers shortly.

That was very stupid of me. I was working on CVE-2018-1000888 in
php-pear and this ships via php5 in jessie. I didn't notice php5
already entered dla-needed.txt and I went directly changing php-pear to
php5. Anyway I released a DLA for my upload.

--abhijith

diff -Nru php5-5.6.39+dfsg/debian/changelog php5-5.6.39+dfsg/debian/changelog
--- php5-5.6.39+dfsg/debian/changelog	2018-12-17 02:58:06.0 +0530
+++ php5-5.6.39+dfsg/debian/changelog	2019-02-11 17:49:14.0 +0530
@@ -1,3 +1,12 @@
+php5 (5.6.39+dfsg-0+deb8u2) jessie-security; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2018-1000888: CWE-915 vulnerability in the Archive_Tar class
+of php-pear
+- Update d/rules to accomodate new patch
+
+ -- Abhijith PA Mon, 11 Feb 2019 17:38:14 +0530
+
 php5 (5.6.39+dfsg-0+deb8u1) jessie-security; urgency=high
 
  * Non-maintainer upload by the LTS Team.
diff -Nru php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch
--- php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch	1970-01-01 05:30:00.0 +0530
+++ php5-5.6.39+dfsg/debian/PEAR-CVE-2018-1000888.patch	2019-02-11 17:32:34.0 +0530
@@ -0,0 +1,20 @@
+Origin: https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000888
+Bug-Debian: https://bugs.debian.org/919147
+Bug: https://pear.php.net/bugs/bug.php?id=23782
+Author: Abhijith PA
+Index: Archive/Tar.php
+===
+--- a/Archive/Tar.php
++++ b/Archive/Tar.php
+@@ -1767,6 +1767,10 @@ class Archive_Tar extends PEAR
+ */
+ private function _maliciousFilename($file)
+ {
++if (strpos($file, 'phar://') === 0) {
++return true;
++}
++
+ if (strpos($file, '/../') !== false) {
+ return true;
+ }
diff -Nru php5-5.6.39+dfsg/debian/rules php5-5.6.39+dfsg/debian/rules
--- php5-5.6.39+dfsg/debian/rules	2018-12-17 02:58:06.0 +0530
+++ php5-5.6.39+dfsg/debian/rules	2019-02-11 17:35:43.0 +0530
@@ -279,6 +279,7 @@
 	$(CURDIR)/pear-build/usr/bin/peardev
 	sed -i -re "s#('PEAR_CONFIG_SYSCONFDIR', PHP_SYSCONFDIR)#\1 . '/pear'#" $(CURDIR)/pear-build/usr/share/php/PEAR/Config.php
 	patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/PEAR-Builder-print-info-about-php5-dev.patch
+	patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/PEAR-CVE-2018-1000888.patch
 	touch build-pear-stamp
 
 configure: configure-apache2-stamp configure-apache2filter-stamp configure-cli-stamp configure-phpdbg-stamp configure-embed-stamp configure-fpm-stamp configure-cgi-stamp
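Review bot: in the debian/changelog hunk, the sub-item `- Update d/rules to accomodate new patch` misspells "accommodate", and the entry only names "CWE-915 vulnerability in the Archive_Tar class" without saying what is being rejected; a few words such as "reject phar:// stream-wrapper paths in Archive_Tar filenames" would make the changelog and the DLA text self-explanatory. The attribution line also reads "Debian LTS Team" where the previous entry has "LTS Team"; pick one form.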
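Review bot: in PEAR-CVE-2018-1000888.patch, the new guard `if (strpos($file, 'phar://') === 0)` is a case-sensitive prefix test, but PHP resolves stream-wrapper scheme names case-insensitively, so the check should use a case-insensitive comparison (for example `stripos($file, 'phar://') === 0`) to reject the wrapper in any letter case; since `Origin:` points at the upstream pear commit, this is best raised upstream as well rather than only diverging in Debian. Separately, the DEP-3 header gives `Author: Abhijith PA` for a patch whose `Origin:` is an upstream commit; the upstream committer is the author, and the Debian contributor belongs in `Reviewed-by:` (or can be omitted).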
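Review bot: in the debian/rules hunk, the added `patch -s -d $(CURDIR)/pear-build/usr/share/php/ -p1 -i $(CURDIR)/debian/PEAR-CVE-2018-1000888.patch` line mirrors the preceding PEAR-Builder invocation, but GNU patch by default writes a `.orig` backup next to the target when a hunk only applies with offset or fuzz, and `-s` hides that; a stray `Archive/Tar.php.orig` under pear-build would then be shipped in the package. Add `--no-backup-if-mismatch` to both `patch` calls (or have the recipe fail on leftover `.orig` files) so a partially fitting patch cannot leave a backup in the build tree.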
Re: PHP5 status
Hi Markus & Salvatore,

sorry for not updating PHP 5 in jessie in time. This will now have to be
handled by the Debian LTS team, I don't have any spare cycles to care about
Debian LTS.

Cheers,
Ondrej
--
Ondřej Surý
ond...@sury.org

> On 21 Jun 2018, at 20:21, Salvatore Bonaccorso wrote:
>
> Hi Markus,
>
> [replying in two parts respectively]
>
> On Thu, Jun 21, 2018 at 04:24:20PM +0200, Markus Koschany wrote:
>> Hello,
>>
>> a few weeks ago I asked you about the status of PHP5 in Jessie and I got
>> the response that someone was already working on it. Do you still plan
>> to release the PHP5 update for Jessie? Who is actually working on it?
>
> This was the maintainer Ondřej Surý , but he did not
> finalize the update before 17th, so it's too late for us already for
> the regular security-support. You might want to check with him if he
> is willing to finalize it now for LTS or wants to hand it over. I'm
> cc'ing Ondrej.
>
> Regards,
> Salvatore