Fixes (no CVEs yet):
Buffer over-write in finfo_open with malformed magic file.
Invalid memory write in phar on filename with \0 in name.
Parsing of tar file with duplicate filenames causes memory leak.
php_snmp_error() Format String Vulnerability.
Integer Overflow in php_raw_url_encode.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The BR2_ARCH_HAS_ATOMICS was added because on ARC, atomic instructions
may not be provided by the architecture and therefore the compiler
does not provide the __sync_*() built-ins.
However, since then, icu was changed and is now able to use C++11
atomics, or even no atomic operations at all. In fact, icu will:
* If possible, it will use C++11 atomics, which internally rely on
the __atomic built-ins. These are available since gcc 4.7, and all
architectures provide it. On some architectures, you *must* link
with libatomic, on some other architectures, they are available
built-in, but in all cases, linking against libatomic does not
harm. Thanks to this, even ARC with no atomic support (which was
the original reason for adding the BR2_ARCH_HAS_ATOMICS) dependency
builds fine, provided -latomic is added to LIBS.
* If C++11 atomics are not available, then it falls back to
__sync_*() built-ins, which allows compilers older than 4.7 to be
supported.
* If really no atomic mechanism is available, then it falls back to a
basic implementation based on a mutex.
Conclusion:
- The BR2_ARCH_HAS_ATOMICS dependency is no longer needed.
- We need to link with -latomic when gcc >= 4.7 is used.
Note that reverse dependencies of icu are also changed accordingly.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The pkg-config tool is automatically passing --static when BR2_STATIC_LIBS
is set (see package/pkgconf/pkgconf.mk), so no need to pass it explicitly
from package .mk files.
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
It is often difficult to know exactly when make will expand the
variable, and usually it can only be expanded after the dependencies
have been built (e.g. pkg-config or the .pc file). Using a backtick
instead makes it very clear that it will be expanded only while
executing the command.
This change is useful for two cases:
1. The per-package staging (and host) directory will be created as part
of the configure step, so any $(shell ...) variable that is used in
the configure step will fail because the directory doesn't exist
yet.
2. 'make printvars' evaluates the variables it prints. It will therefore
trigger a lot of errors from missing .pc files and others. The
backticks, on the other hand, are not expanded, so with this change
the output of 'make printvars' becomes clean again.
This commit contains only the easy changes: replace $(shell ...) with
`...`, and also replace ' with " where needed. Follow-up commits will
tackle the more complicated cases that need additional explanation.
After this change, the following instances of $(shell ...) will remain:
- All assignments that use :=
- All variables that are used in make conditionals (which don't expand
the backticks).
- All variables that only refer to system executables and make
variables that don't change.
- The calls to check-host-* in dependencies.mk, because it is eval'ed.
[Original patch by Fabio Porcedda, but extended quite a bit by Arnout.]
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-3152 - mysqlnd is vulnerable to BACKRONYM
And other security bugs with no CVE assigned yet:
Bug #69972 - Use-after-free vulnerability in
sqlite3SafetyCheckSickOrOk()
Bug # 69970 - Use-after-free vulnerability in
spl_recursive_it_move_forward_ex()
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The pcre library bundled in php is not configurable through the usual
--enable/disable options, but wants to be thread-safe by default, so it
wants to use pthreads (uncludes pthread.h and uses pthread_* functions).
So, just override the default configuration to explicitly require the
bundled pcre library be single-threaded when we have no thread and are
not using the external pcre library.
Fixes:
http://autobuild.buildroot.org/results/f50/f50f4e569466ad74e49a3eac9ea2e6cfc4dd30e3/
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Floris Bos <bos@je-eigen-domein.nl>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Peter Korsgaard <jacmet@uclibc.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add PHP_VERSION_MAJOR variable to php.mk for use by other packages.
E.g. to install the Ioncube loader binary, it is necessary to
know the PHP major version.
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
php-fpm installs a sample status page to $datadir/fpm/status.html
It is not of any use in that directory, so remove it from target.
If someone wants to use it, he can copy it to webroot manually.
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a line to load the opcache extension in php.ini, at the
bottom of the "dynamic extensions" section.
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
aclocal.m4 gets regenerated from acinclude.m4, so patch the last.
Fixes "Extensions are not supported on this platform" error when
loading any external (zend) extension in php.ini.
Was caused by 0001-ditch-unset.patch not being applied to the
correct file, and our ac_cv_func_dlopen=yes env setting being unset.
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes#8121
External PHP modules like the OPcache may live in
/usr/lib/php/extensions, so only delete /usr/lib/php/build
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
postgresql currently does not build in BR2_STATIC_LIBS=y
configurations, and since there is little interest in using such a big
piece of software in statically linked configuration, this commit
makes postgresql depends on !BR2_STATIC_LIBS.
Fixes:
http://autobuild.buildroot.net/results/f9ed96d22e91cdba9ad92c4d4ea52e422bf1f1c9/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Set date.timezone in php.ini to match time zone settings.
Prevents a warning being logged about it not being set
each time a PHP date/time method is used.
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Install a custom php-fpm.conf instead of the stock one.
- Listening on /var/run/php-fpm.sock instead of TCP port so we can
restrict access to webserver user www-data.
- Using ondemand pm, so PHP children are only started after a PHP
request, instead of kept resident all the time.
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Install the startup script if using the FastCGI Process Manager.
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Now that IPv6 is mandatory remove package dependencies and conditionals
for it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-1351 - OPCache: Use After Free
CVE-2015-1352 - Postgres: Null pointer dereference
And others with no CVE assigned yet.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fileinfo does an AC_TRY_RUN to test for strcasestr without allowing a
canned response, hence breaking cross-compiles. Use AC_CACHE_VAL. Fixes:
http://autobuild.buildroot.net/results/10a/10ae44cbc7c0c8e6f1ac54dae4c9d94c703aa3dd/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add a Zend OPcache option and tweak the build system into being
cross-compile friendly.
The OPcache extension allows for a neat intermediate bytecode cache in
memory to avoid reinterpreting/recompiling php scripts on multiple runs.
Make it an option since this takes up valuable RAM.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Convert patches from pure configure ones to *.m4/configure.in cleanness.
This allows us to AUTORECONF (well, not quite, but close).
Even though upstream will probably not accept them it's the right way.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Now that largefile is mandatory removes package dependencies and
conditionals.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit doesn't touch infra packages.
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-0231 - Use After Free Vulnerability in unserialize()
CVE-2015-2305 - heap overflow vulnerability in regcomp.c
CVE-2015-2331 - ZIP Integer Overflow leads to writing past heap boundary
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-0273 - Use after free vulnerability in unserialize() with
DateTimeZone.
CVE-2015-0235 - Mitigation for GHOST: glibc gethostbyname buffer
overflow.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>