I see in 'embedded-code-copies':
 libonig
    - php5 5.3.2-1 (embed)
(i.e. from 2010)
Jessie seems to properly link to libonig (dependency of e.g. libapache2-mod-php5).
Stretch and Buster however (probably since the new phpX.X-mbstring
package) do not link libonig anymore, despite build-depending on it, so
I assume the library is either statically linked, or PHP's embedded copy
is used.
There are various vulnerabilities affecting libonig at the moment, some properly reported against libonig, some against PHP (e.g. https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
Do you know what the current situation is supposed to be?
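As an added example (not code from the thread or from Debian's PHP packaging), a small POSIX shell check for the question raised above: whether a given php binary or mbstring.so pulls libonig from the distro package or carries its own Oniguruma copy. It assumes tr and grep, uses readelf only if installed, and the paths in the trailing comment are placeholders.

```shell
#!/bin/sh
# Classify how an ELF file obtains Oniguruma (libonig):
#   dynamic  - libonig.so appears as a DT_NEEDED dependency, so a distro
#              libonig security update fixes it
#   embedded - no such dependency, but Oniguruma code is linked into the
#              file itself (static link or PHP's bundled copy)
#   none     - no trace of Oniguruma
# The inspected file is never executed (ldd may run it, so it is avoided).

# Portable strings(1) substitute: does the file contain a printable run
# matching the extended regex in $2?
has_str() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -q -i -E "$2"
}

onig_linkage() {
    bin="$1"
    if [ ! -r "$bin" ]; then echo unreadable; return 0; fi
    needed=""
    if command -v readelf >/dev/null 2>&1; then
        needed=$(readelf -d "$bin" 2>/dev/null | grep NEEDED) || true
    fi
    if [ -n "$needed" ]; then
        # Real ELF dependency list available: trust it.
        case "$needed" in
            *libonig.so*) echo dynamic; return 0 ;;
        esac
    elif has_str "$bin" 'libonig\.so'; then
        # No readelf (or not parseable): the .dynstr entry of a dynamic
        # link still shows up as a plain string.
        echo dynamic; return 0
    fi
    # Bundled/static copy: onig_* symbol names (exported or unstripped),
    # or the "Oniguruma <version> : Copyright" text that regversion.c
    # compiles in and that survives stripping.
    if has_str "$bin" 'onig_[a-z0-9_]+|oniguruma'; then
        echo embedded; return 0
    fi
    echo none
}

# Example invocations (placeholder paths) on a Stretch/Buster system:
#   onig_linkage /usr/bin/php
#   onig_linkage /usr/lib/php/*/mbstring.so
```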
On 25 Nov 2019, at 15:20, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi,
>
> On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
> > Hi,
> >
> > On 22/11/2019 21:23, Sylvain Beucler wrote:
> > > I see in 'embedded-code-copies':
> > >  libonig
> > >     - php5 5.3.2-1 (embed)
> > > (i.e. from 2010)
> > > Jessie seems to properly link to libonig (dependency of e.g.
> > > libapache2-mod-php5).
> > > Stretch and Buster however (probably since the new phpX.X-mbstring
> > > package) do not link libonig anymore, despite build-depending on it, so
> > > I assume the library is either statically linked, or PHP's embedded copy
> > > is used.
> > > There are various vulnerabilities affecting libonig at the moment, some
> > > properly reported against libonig, some against PHP (e.g.
> > > https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
> > > Do you know what the current situation is supposed to be?
> >
> > Ping?
> >
> > AFAICS there's no --with-onig in the build process which means PHP is
> > using an embedded copy of libonig for Stretch & Buster.
> > Should I file a bug against php7.0&php7.3 to clarify?
>
> This seems to have been an explicit decision in e4ca1ccf8cd0 ("Disable
> all extensions with --disable-all and remove the various configure
> options related to disabling the extensions")[1] apparently in
> debian/7.0.0_rc1-1. Can you try to clarify with the maintainer?
>
> [1] https://salsa.debian.org/php-team/php/commit/e4ca1ccf8cd09016d8cc6f321d2e6b6702f66089
>
> Regards,
> Salvatore
Hi,

On 22/11/2019 21:23, Sylvain Beucler wrote:
> I see in 'embedded-code-copies':
>  libonig
>     - php5 5.3.2-1 (embed)
> (i.e. from 2010)
> Jessie seems to properly link to libonig (dependency of e.g. libapache2-mod-php5).
> Stretch and Buster however (probably since the new phpX.X-mbstring
> package) do not link libonig anymore, despite build-depending on it, so
> I assume the library is either statically linked, or PHP's embedded copy
> is used.
> There are various vulnerabilities affecting libonig at the moment, some properly reported against libonig, some against PHP (e.g. https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
> Do you know what the current situation is supposed to be?

Ping?

AFAICS there's no --with-onig in the build process which means PHP is
using an embedded copy of libonig for Stretch & Buster.
Should I file a bug against php7.0&php7.3 to clarify?
On 25 Nov 2019, at 15:20, Salvatore Bonaccorso <carnil@debian.org> wrote:
> On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
> > AFAICS there's no --with-onig in the build process which means PHP is
> > using an embedded copy of libonig for Stretch & Buster.
> > Should I file a bug against php7.0&php7.3 to clarify?
>
> This seems to have been an explicit decision in e4ca1ccf8cd0 ("Disable
> all extensions with --disable-all and remove the various configure
> options related to disabling the extensions")[1] apparently in
> debian/7.0.0_rc1-1. Can you try to clarify with the maintainer?
>
> [1] https://salsa.debian.org/php-team/php/commit/e4ca1ccf8cd09016d8cc6f321d2e6b6702f66089

(Somehow I thought this was a documented exception, while this is the