• Status of php-mbstring vs. libonig

    From Sylvain Beucler@21:1/5 to All on Fri Nov 22 21:30:02 2019
    Hi,

    I see in 'embedded-code-copies':

      libonig
          - php5 5.3.2-1 (embed)

    (i.e. from 2010)

    Jessie seems to properly link to libonig (dependency of e.g. libapache2-mod-php5).

    Stretch and Buster however (probably since the new phpX.X-mbstring
    package) do not link libonig anymore, despite build-depending on it, so
    I assume the library is either statically linked, or PHP's embedded copy
    is used.

    There are various vulnerabilities affecting libonig at the moment, some
    properly reported against libonig, some against PHP (e.g. https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).

    Do you know what the current situation is supposed to be?

    Cheers!
    Sylvain

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sylvain Beucler@21:1/5 to Sylvain Beucler on Mon Nov 25 12:00:02 2019
    Hi,

    On 22/11/2019 21:23, Sylvain Beucler wrote:
    > I see in 'embedded-code-copies':
    >
    >   libonig
    >       - php5 5.3.2-1 (embed)
    >
    > (i.e. from 2010)
    >
    > Jessie seems to properly link to libonig (dependency of e.g. libapache2-mod-php5).
    >
    > Stretch and Buster however (probably since the new phpX.X-mbstring
    > package) do not link libonig anymore, despite build-depending on it, so
    > I assume the library is either statically linked, or PHP's embedded copy
    > is used.
    >
    > There are various vulnerabilities affecting libonig at the moment, some properly reported against libonig, some against PHP (e.g. https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
    >
    > Do you know what the current situation is supposed to be?

    Ping?

    AFAICS there's no --with-onig in the build process which means PHP is
    using an embedded copy of libonig for Stretch & Buster.

    Should I file a bug against php7.0&php7.3 to clarify?

    Cheers!
    Sylvain

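The check Sylvain describes above (does the built mbstring extension declare a dynamic dependency on libonig, or does it carry Oniguruma's code itself?) can be scripted against the .so with readelf and nm. This is an added example, not code from the thread or from the Debian PHP packaging; the classification function, the example path /usr/lib/php/20180731/mbstring.so and the sample readelf/nm output are constructed for the illustration. One caveat for reading the result: if the object is stripped and was built with hidden symbol visibility, an embedded copy does not appear in the dynamic symbol table, so `none` should be read as "does not use the system library", which is the case the embedded-code-copies tracking cares about.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a PHP extension object
# obtains Oniguruma.
#   system   - NEEDED entry for libonig.so.N, i.e. the distro library is used
#   embedded - no NEEDED libonig, but onig_* symbols are defined inside the .so
#              (statically linked or bundled copy compiled in)
#   none     - neither is visible (no libonig use, or an embedded copy hidden by
#              symbol visibility / stripping)

# classify_onig_linkage NEEDED_LIST DEFINED_SYMBOLS
#   NEEDED_LIST:     newline-separated sonames (as extracted from `readelf -d`)
#   DEFINED_SYMBOLS: newline-separated defined dynamic symbol names (as from `nm -D --defined-only`)
classify_onig_linkage() {
    needed="$1"
    defined="$2"
    if printf '%s\n' "$needed" | grep -q '^libonig\.so'; then
        echo system
    elif printf '%s\n' "$defined" | grep -q '^onig_'; then
        echo embedded
    else
        echo none
    fi
}

# inspect_extension /path/to/mbstring.so
# Runs the real tools on an installed extension object and classifies it.
# Example path (constructed): /usr/lib/php/20180731/mbstring.so
inspect_extension() {
    so="$1"
    # readelf -d prints e.g. "0x0001 (NEEDED)  Shared library: [libonig.so.5]"
    needed=$(readelf -d "$so" 2>/dev/null | sed -n 's/.*(NEEDED).*\[\(.*\)\]/\1/p')
    # nm -D --defined-only prints "<addr> T onig_new"; keep the symbol name column
    defined=$(nm -D --defined-only "$so" 2>/dev/null | awk '{print $NF}')
    classify_onig_linkage "$needed" "$defined"
}

# Constructed sample data mimicking the two situations discussed in the thread:
# a Jessie-style build linked against the system library, and a Buster-style
# build with the bundled copy compiled into the extension.
JESSIE_NEEDED='libonig.so.2
libc.so.6'
JESSIE_DEFINED='get_module
php_mb_check_encoding'

BUSTER_NEEDED='libc.so.6'
BUSTER_DEFINED='get_module
onig_new
onig_search
php_mb_check_encoding'

if [ "$#" -gt 0 ]; then
    # Real objects given on the command line, e.g.: sh check-onig.sh /usr/lib/php/*/mbstring.so
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(inspect_extension "$f")"
    done
else
    echo "jessie-like: $(classify_onig_linkage "$JESSIE_NEEDED" "$JESSIE_DEFINED")"   # system
    echo "buster-like: $(classify_onig_linkage "$BUSTER_NEEDED" "$BUSTER_DEFINED")"   # embedded
fi
```

Run with no arguments to see the two constructed cases; pass one or more extension objects to inspect an installed PHP. Comparing the result against the package's Build-Depends is what turns "build-depends on libonig but does not link it" from a suspicion into a finding.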
  • From Alastair Reece@21:1/5 to All on Mon Nov 25 15:50:02 2019

    Hi,

    On 25 Nov 2019, at 15:20, Salvatore Bonaccorso <carnil@debian.org> wrote:
    > Hi,
    >
    > On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
    >> Hi,
    >>
    >> On 22/11/2019 21:23, Sylvain Beucler wrote:
    >>> I see in 'embedded-code-copies':
    >>>
    >>>   libonig
    >>>       - php5 5.3.2-1 (embed)
    >>>
    >>> (i.e. from 2010)
    >>>
    >>> Jessie seems to properly link to libonig (dependency of e.g.
    >>> libapache2-mod-php5).
    >>>
    >>> Stretch and Buster however (probably since the new phpX.X-mbstring
    >>> package) do not link libonig anymore, despite build-depending on it, so
    >>> I assume the library is either statically linked, or PHP's embedded copy
    >>> is used.
    >>>
    >>> There are various vulnerabilities affecting libonig at the moment, some
    >>> properly reported against libonig, some against PHP (e.g.
    >>> https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
    >>>
    >>> Do you know what the current situation is supposed to be?
    >>
    >> Ping?
    >>
    >> AFAICS there's no --with-onig in the build process which means PHP is
    >> using an embedded copy of libonig for Stretch & Buster.
    >>
    >> Should I file a bug against php7.0&php7.3 to clarify?
    >
    > This seems to have been an explicit decision in e4ca1ccf8cd0 ("Disable
    > all extensions with --disable-all and remove the various configure
    > options related to disabling the extensions")[1] apparently in
    > debian/7.0.0_rc1-1. Can you try to clarify with the maintainer?
    >
    > [1] https://salsa.debian.org/php-team/php/commit/e4ca1ccf8cd09016d8cc6f321d2e6b6702f66089
    >
    > Regards,
    > Salvatore

  • From Salvatore Bonaccorso@21:1/5 to Sylvain Beucler on Mon Nov 25 15:30:02 2019
    Hi,

    On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
    > Hi,
    >
    > On 22/11/2019 21:23, Sylvain Beucler wrote:
    >> I see in 'embedded-code-copies':
    >>
    >>   libonig
    >>       - php5 5.3.2-1 (embed)
    >>
    >> (i.e. from 2010)
    >>
    >> Jessie seems to properly link to libonig (dependency of e.g. libapache2-mod-php5).
    >>
    >> Stretch and Buster however (probably since the new phpX.X-mbstring
    >> package) do not link libonig anymore, despite build-depending on it, so
    >> I assume the library is either statically linked, or PHP's embedded copy
    >> is used.
    >>
    >> There are various vulnerabilities affecting libonig at the moment, some properly reported against libonig, some against PHP (e.g. https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
    >>
    >> Do you know what the current situation is supposed to be?
    >
    > Ping?
    >
    > AFAICS there's no --with-onig in the build process which means PHP is
    > using an embedded copy of libonig for Stretch & Buster.
    >
    > Should I file a bug against php7.0&php7.3 to clarify?

    This seems to have been an explicit decision in e4ca1ccf8cd0 ("Disable
    all extensions with --disable-all and remove the various configure
    options related to disabling the extensions")[1] apparently in
    debian/7.0.0_rc1-1. Can you try to clarify with the maintainer?

    [1] https://salsa.debian.org/php-team/php/commit/e4ca1ccf8cd09016d8cc6f321d2e6b6702f66089

    Regards,
    Salvatore

  • From Sylvain Beucler@21:1/5 to Salvatore Bonaccorso on Tue Nov 26 13:40:01 2019
    Hi,

    On 25/11/2019 15:20, Salvatore Bonaccorso wrote:
    > On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
    >> On 22/11/2019 21:23, Sylvain Beucler wrote:
    >>> I see in 'embedded-code-copies':
    >>>
    >>>   libonig
    >>>       - php5 5.3.2-1 (embed)
    >>>
    >>> (i.e. from 2010)

    (Somehow I thought this was a documented exception, while this is the
    version where this was fixed.)

    >>> Jessie seems to properly link to libonig (dependency of e.g.
    >>> libapache2-mod-php5).
    >>>
    >>> Stretch and Buster however (probably since the new phpX.X-mbstring
    >>> package) do not link libonig anymore, despite build-depending on it, so
    >>> I assume the library is either statically linked, or PHP's embedded copy
    >>> is used.
    >>>
    >>> There are various vulnerabilities affecting libonig at the moment, some
    >>> properly reported against libonig, some against PHP (e.g.
    >>> https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
    >>>
    >>> Do you know what the current situation is supposed to be?
    >>
    >> Ping?
    >>
    >> AFAICS there's no --with-onig in the build process which means PHP is
    >> using an embedded copy of libonig for Stretch & Buster.
    >>
    >> Should I file a bug against php7.0&php7.3 to clarify?
    >
    > This seems to have been an explicit decision in e4ca1ccf8cd0 ("Disable
    > all extensions with --disable-all and remove the various configure
    > options related to disabling the extensions")[1] apparently in
    > debian/7.0.0_rc1-1. Can you try to clarify with the maintainer?
    >
    > [1] https://salsa.debian.org/php-team/php/commit/e4ca1ccf8cd09016d8cc6f321d2e6b6702f66089

    This seems to be the cause.
    However this didn't affect phpx.x-sqlite, for instance, so it's probably
    a refactoring bug.
    I'll open a bug against php-7.0 and php-7.3.

    Cheers!
    Sylvain
