Bug 199585 - [PATCH] [SECURITY] lang/php5*: updates to 5.6.8, 5.5.24, 5.4.40
Summary: [PATCH] [SECURITY] lang/php5*: updates to 5.6.8, 5.5.24, 5.4.40
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Alex Dupre
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2015-04-21 16:54 UTC by Franco Fichtner
Modified: 2015-05-22 22:15 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (ale)


Attachments
the actual diff ;) (871 bytes, patch)
2015-04-21 16:54 UTC, Franco Fichtner
no flags Details | Diff
svn diff for security/vuxml (2.28 KB, patch)
2015-04-25 14:45 UTC, Bernard Spil
no flags Details | Diff
svn diff for lang/php5 (948 bytes, patch)
2015-04-25 14:46 UTC, Bernard Spil
no flags Details | Diff
svn diff for lang/php55 (955 bytes, patch)
2015-04-25 14:47 UTC, Bernard Spil
no flags Details | Diff
svn diff for lang/php56 (2.38 KB, patch)
2015-04-25 17:43 UTC, Bernard Spil
no flags Details | Diff
svn diff for lang/php55 (2.38 KB, patch)
2015-04-25 17:44 UTC, Bernard Spil
no flags Details | Diff
svn diff for lang/php5 (2.36 KB, patch)
2015-04-25 17:45 UTC, Bernard Spil
no flags Details | Diff
security/vuxml correction (487 bytes, patch)
2015-04-26 13:03 UTC, Jason Unovitch
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Franco Fichtner 2015-04-21 16:54:50 UTC
Created attachment 155818 [details]
the actual diff ;)
Comment 1 Bernard Spil freebsd_committer 2015-04-25 14:45:51 UTC
Created attachment 155978 [details]
svn diff for security/vuxml

Add new PHP vulns to vuxml
Comment 2 Bernard Spil freebsd_committer 2015-04-25 14:46:44 UTC
Created attachment 155979 [details]
svn diff for lang/php5

Update lang/php5 to 5.5.40 fixing vulns
Comment 3 Bernard Spil freebsd_committer 2015-04-25 14:47:24 UTC
Created attachment 155980 [details]
svn diff for lang/php55

Update lang/php55 to 5.5.24 fixing vulns
Comment 4 Bernard Spil freebsd_committer 2015-04-25 17:43:26 UTC
Created attachment 155988 [details]
svn diff for lang/php56

There are 4 extensions that currently have a PORTREVISION, this improved patch removes these as well as updating the master port to 5.6.8
Comment 5 Bernard Spil freebsd_committer 2015-04-25 17:44:49 UTC
Created attachment 155989 [details]
svn diff for lang/php55

Update lang/php5 to 5.5.40 fixing vulns
This patch updates the master port and removes PORTREVISION from extensions that have it defined
Comment 6 Bernard Spil freebsd_committer 2015-04-25 17:45:23 UTC
Created attachment 155990 [details]
svn diff for lang/php5

Update lang/php5 to 5.4.40 fixing vulns
This patch updates the master port and removes PORTREVISION from extensions that have it defined
Comment 7 Jason Unovitch freebsd_committer 2015-04-25 18:57:25 UTC
All,
Thanks for this.  I just started making patches myself but checked Bugzilla first to find this.  It would be good to get this closed soon given there were a lot of CVE's covered in this one, including potential remote code execution.

Bernard,
Can you double check your patches with the MAILHEAD option enabled?  All of your diffs remove the optional patch from the distinfo file that MAILHEAD references.  See the Makefile for the available options and defaults.

OPTIONS_DEFINE+=CLI CGI FPM EMBED PHPDBG DEBUG DTRACE IPV6 MAILHEAD LINKTHR ZTS
OPTIONS_DEFAULT=CLI CGI FPM IPV6 LINKTHR

Jason
Comment 8 Jason Unovitch freebsd_committer 2015-04-25 19:22:04 UTC
Bernard,
Also see the prior updates in SVN.  Both databases/php56-odbc and databases/php55-odbc required an update to regen the patch for the patch-config.m4 file.  I've validated with a poudriere testport on databases/php56-odbc that just updating the version will prevent that from building. 

https://svnweb.freebsd.org/ports?view=revision&revision=382894
https://svnweb.freebsd.org/ports?view=revision&revision=382895

Jason
Comment 9 commit-hook freebsd_committer 2015-04-26 12:34:13 UTC
A commit references this bug:

Author: ale
Date: Sun Apr 26 12:33:12 UTC 2015
New revision: 384787
URL: https://svnweb.freebsd.org/changeset/ports/384787

Log:
  Update to 5.6.8 release.

  PR:		199585
  Submitted by:	Franco Fichtner

Changes:
  head/databases/php56-odbc/files/patch-config.m4
  head/databases/php56-pdo_sqlite/Makefile
  head/databases/php56-sqlite3/Makefile
  head/lang/php56/Makefile
  head/lang/php56/distinfo
  head/security/php56-mcrypt/Makefile
  head/textproc/php56-pspell/Makefile
Comment 10 Jason Unovitch freebsd_committer 2015-04-26 13:03:27 UTC
Created attachment 156009 [details]
security/vuxml correction

ale@
The PR referenced in security/vuxml was incorrect. Patch attached for fix.  Additionally, the 5.6.8 update will have to MFH into 2015Q2 before this is closed for real.

Jason
Comment 11 Bernard Spil freebsd_committer 2015-04-26 17:21:25 UTC
O my was that PHP 5.6 patch bad... That's the 5.6.6 yo 5.6.7 update :/

Sorry for the confusion! Need to polish my workflow!
Comment 12 Jason Unovitch freebsd_committer 2015-05-02 15:20:25 UTC
Hello,
Can r384787 for PHP 5.6.8 be MFH'd into 2015Q2.  Additionally, can the vuxml patch be applied to reference the correct PR?


Index: security/vuxml/vuln.xml
===================================================================
--- security/vuxml/vuln.xml	(revision 385083)
+++ security/vuxml/vuln.xml	(working copy)
@@ -279,7 +279,7 @@
       <cvename>CVE-2015-2783</cvename>
       <cvename>CVE-2015-1351</cvename>
       <cvename>CVE-2015-1352</cvename>
-      <freebsdpr>ports/198739</freebsdpr>
+      <freebsdpr>ports/199585</freebsdpr>
     </references>
     <dates>
       <discovery>2015-04-16</discovery>
Comment 13 Jason Unovitch freebsd_committer 2015-05-22 18:44:06 UTC
ale@,
Can r384787 for PHP 5.6.8 be MFH'd into 2015Q2.  Can the vuxml entry be updated as mentioned above for the correct PR info as well or should I open a new PR for the MFH and vuxml correction?

Jason
Comment 14 Franco Fichtner 2015-05-22 20:13:53 UTC
5.6.9 has been out for a week now...
Comment 15 commit-hook freebsd_committer 2015-05-22 22:12:55 UTC
A commit references this bug:

Author: delphij
Date: Fri May 22 22:12:13 UTC 2015
New revision: 387085
URL: https://svnweb.freebsd.org/changeset/ports/387085

Log:
  MFH: r384787 (ale)

  Update to 5.6.8 release.

  PR:		199585
  Submitted by:	Franco Fichtner
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/databases/php56-odbc/files/patch-config.m4
  branches/2015Q2/databases/php56-pdo_sqlite/Makefile
  branches/2015Q2/databases/php56-sqlite3/Makefile
  branches/2015Q2/lang/php56/Makefile
  branches/2015Q2/lang/php56/distinfo
  branches/2015Q2/security/php56-mcrypt/Makefile
  branches/2015Q2/textproc/php56-pspell/Makefile
Comment 16 Xin LI freebsd_committer 2015-05-22 22:15:52 UTC
(In reply to jason.unovitch from comment #13)
I've merged the 5.6.8 update.

(In reply to jason.unovitch from comment #12)
Fixed.