Globally change Adam Duskett's email address to aduskett@gmail.com.
Note that one or two of the patches may have been applied upstream with
the old email address, but in that case those patches will anyway be
removed when bumping.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This patch adds ac_cv_have_pcre2_jit cache variable to avoid
the tests running on the host system during cross-compiling.
Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Changelog: https://www.php.net/ChangeLog-7.php#7.3.4
Fixes these bugs, CVE-ID were not assigned yet:
Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s).
Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
php-7.3.3 fixes a number of security issues (no CVE known, bugtracker issues
not yet public): https://secure.php.net/ChangeLog-7.php#7.3.3
Drop 0004-OPcache-flock-mechanism-is-obviously-linux-so-force-.patch as the
flock detection has been removed since commit 9222702633 (Avoid dependency
on "struct flock" fields order.)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Rebased patch 0004.
This bump fixes https://bugs.php.net/bug.php?id=77369,
status of CVE-ID: needed
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2018-19935: Allows remote attackers to cause a denial of service
(NULL pointer dereference and application crash) via an empty string in the
message argument to the imap_mail function.
https://www.cvedetails.com/cve/CVE-2018-19935/
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
php moved from pcre to pcre2 since bump to version 7.3 and
a5bc5aed71
This fixes a build failure: without this change, if BR2_PACKAGE_PCRE is
set, external pcre support in php is (wrongly) enabled with
--with-pcre-regex but because pcre2 was not found, php fallbacks on
built-in pcre2 without the "SLJIT_SINGLE_THREADED hack"
Fixes:
- http://autobuild.buildroot.org/results/40ef339019203d2cc49d388e222cf17c3ca37944
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 745f884e41.
This was the wrong fix: issue is that php moves from pcre to pcre2 since
version 7.3.0 and
a5bc5aed71
This patch will always disable external pcre2 support and raise a build
failure when toolchaine does not have pthread
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The configure option "--with-pcre-regex=$(STAGING_DIR)/usr" is broken.
PHP will prepend $(STAGING_DIR)/usr to the paths, which will cause a
failure because it won't be able to find pcre, and will then fallback to
searching for pcre2, which won't be installed.
Removing "=$(STAGING_DIR)/usr" from --with-pcre-regex fixes the issue.
Fixes:
http://autobuild.buildroot.net/results/586/586f56e8fcf2d2bbbd3bdf69b1c3befff7ce8bbf
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Tested-by: Mark Corbin <mark.corbin@embecosm.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Other changes:
- Update patches so they cleanly apply.
- Remove patch 5, as it no longer applies.
- Remove conf env option ac_cv_func_strcasestr=yes because of the
above.
- libzip is no longer bundled with php, because of this, libzip must
now be selected and depended on if the zip extension is selected.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The configure option "--with-curl=$(STAGING_DIR)/usr" is broken.
PHP will detect libcurl.pc, which will pass the configure checks, but will then
prepend $(STAGING_DIR)/usr to the paths in libcurl.pc.
Thus php will then search $(STAGING_DIR)/usr/$(STAGING_DIR)/usr/lib/ for
curl libraries during linking, which causes linking errors.
Removing "=$(STAGING_DIR)/usr" from --with-curl fixes the issue.
Fixes:
http://autobuild.buildroot.net/results/44b9ea1edca85b222a117a8e241a26b8dce33929/
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX,
as used in imap_open() in PHP and other products, launches an rsh command
(by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
function in osdep/unix/tcp_unix.c) without preventing argument injection,
which might allow remote attackers to execute arbitrary OS commands if the
IMAP server name is untrusted input (e.g., entered by a user of a web
application) and if rsh has been replaced by a program with different
argument semantics. For example, if rsh is a link to ssh (as seen on Debian
and Ubuntu systems), then the attack can use an IMAP server name containing
a "-oProxyCommand" argument.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
getArgTypeList is defined both in ext/intl/msgformat/msgformat_helpers.cpp
and icu library so add a !BR2_STATIC_LIBS dependency to
BR2_PACKAGE_PHP_EXT_INTL
Fixes:
- http://autobuild.buildroot.org/results/628b677d1ceb8b404265d89357225e0a1dce1407
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog: http://www.php.net/ChangeLog-7.php#7.2.12
Rebased patch 0004 and updated license hash after white space removal:
902d39a3a7
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Needed for example for phppgadmin.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Thomas: add missing BR2_USE_WCHAR dependency.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Upstream removed support for non-wchar toolchains:
85feb77aa0
Propagate the new dependency to other packages.
Fixes
http://autobuild.buildroot.net/results/b73/b73342a39167ed7f293224d4e3b23dde691b9abf/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Thomas: also propagate to the php, qt and qt5base packages.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This fixes autobuild failures like
http://autobuild.buildroot.net/results/3288b742cee650ee47a41c5b4d6aaef1fe67bff1
php compile breaks with:
ext/mysqlnd/mysqlnd_auth.o: In function `php_mysqlnd_scramble_sha2':
mysqlnd_auth.c:(.text+0x1054): undefined reference to `PHP_SHA256Init'
mysqlnd_auth.c:(.text+0x1064): undefined reference to `PHP_SHA256Update'
mysqlnd_auth.c:(.text+0x1070): undefined reference to `PHP_SHA256Final'
mysqlnd_auth.c:(.text+0x1078): undefined reference to `PHP_SHA256Init'
mysqlnd_auth.c:(.text+0x1088): undefined reference to `PHP_SHA256Update'
mysqlnd_auth.c:(.text+0x1094): undefined reference to `PHP_SHA256Final'
mysqlnd_auth.c:(.text+0x109c): undefined reference to `PHP_SHA256Init'
mysqlnd_auth.c:(.text+0x10ac): undefined reference to `PHP_SHA256Update'
mysqlnd_auth.c:(.text+0x10bc): undefined reference to `PHP_SHA256Update'
mysqlnd_auth.c:(.text+0x10c8): undefined reference to `PHP_SHA256Final'
It looks like the php mysqli extension needs the hash extension to work. This
seems to be a php Make dependany bug. This patch works around it until the
upstream maintainers can fix it.
Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
zend_alloc.h defines some macros such as:
Where _estrdup is the actual function implemented by the PHP core. If
this header file is not included, and some code uses estrdup, one ends
up with an undefined reference. This happens when libexpat support is
enabled. This commit adds a PHP patch that fixes this issue. The patch
has been submitted upstream through a Github pull request.
Fixes:
http://autobuild.buildroot.net/results/889d2c1f509c035cd506e36061939bfddc8f1500/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When the internal PCRE library of PHP is used, it tries to use a JIT
engine, which is only available on some architectures.
However, the mechanism used to disable JIT has changed in recent PHP
versions, and it now has a proper --without-pcre-jit option. Switch
over to that to properly disable JIT on unsupported platforms.
It has been tested to fix the build of PHP on ARC and Microblaze.
Fixes:
http://autobuild.buildroot.net/results/e1359fcad7bc57e3c5a7ecc37abaa2cf6a6a9ffa/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
... to follow the convention: type, default, depends on, select, help.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
BR2_BINFMT_FLAT configurations require the use of elf2flt. However,
PHP uses -export-dynamic which breaks badly with elf2flt. Even a
simple program fails to build:
$ ./output/host/bin/arm-linux-gcc -Wl,-export-dynamic -o toto toto.c
/home/thomas/projets/buildroot/output/host/opt/ext-toolchain/arm-buildroot-uclinux-uclibcgnueabi/bin/ld.real: section .junk LMA [0000000000000000,0000000000000027] overlaps section .text LMA [0000000000000000,0000000000006d07]
-export-dynamic is clearly not useful for FLAT configurations, which
are always statically linked, but it's quite a bit of work to change
the PHP build system to use it only conditionall.
It looks more like an interaction bug between gcc (which wants to put
the .text section at address 0x0 in its linker script) and elf2flt,
which wants to put its .junk section (containing the .rel.text stuff)
also at address 0x0.
Fixes (works around) the "section overlap" part of:
http://autobuild.buildroot.net/results/35cbed8927bb10500ecf2816aa728ea240a0be21/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The PHP sockets module now provides access to AI_IDN functionality (by
simply declaring a bunch of constants available from PHP code). AI_IDN
(internationalized domain names) is not supported in uClibc or musl,
which breaks the build.
This commit adds a patch to PHP which makes the use of AI_IDN
conditional, in a way that is identical to what is already done for
AI_ALL. The patch has been submitted upstream.
Fixes:
http://autobuild.buildroot.net/results/ef040cc45bb2789ead82a8c445db3376e36b5ac7/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Introduced in PHP7.2, if a host has valgrind headers installed, PHP will detect
them and set HAVE_VALGRIND to 1.
Disable this entry after configuring.
fixes:
http://autobuild.buildroot.net/results/d59/d59b5961890aeddcd6d59ed52243be6554d1fe21
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Also update 0003-configure-disable-the-phar-tool.patch as configure.in is no
longer provided in the tarballs. Instead, configure.ac is patched.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes the following security issues:
CVE-2017-7890 - Buffer over-read into uninitialized memory. The GIF
decoding function gdImageCreateFromGifCtx in gd_gif_in.c (which can be
reached with a call to the imagecreatefromstring() function) uses
constant-sized color tables of size 3 * 256, but does not zero-out these
arrays before use.
CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229 -
Out-of-bonds access in oniguruma regexp library.
CVE-2017-11144 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before
7.1.7, the openssl extension PEM sealing code did not check the return value
of the OpenSSL sealing function, which could lead to a crash of the PHP
interpreter, related to an interpretation conflict for a negative number in
ext/openssl/openssl.c, and an OpenSSL documentation omission.
CVE-2017-11145 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before
7.1.7, lack of a bounds check in the date extension's timelib_meridian
parsing code could be used by attackers able to supply date strings to leak
information from the interpreter, related to an ext/date/lib/parse_date.c
out-of-bounds read affecting the php_parse_date function.
CVE-2017-11146 - In PHP through 5.6.31, 7.x through 7.0.21, and 7.1.x
through 7.1.7, lack of bounds checks in the date extension's
timelib_meridian parsing code could be used by attackers able to supply date
strings to leak information from the interpreter, related to
ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date
function. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2017-11145.
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit switches to use the new gettext logic, which involves:
- using TARGET_NLS_DEPENDENCIES instead of hand-encoded dependencies
on gettext/host-gettext
- dropping BR2_PACKAGE_GETTEXT selection. Thanks to this, we can drop
the BR2_USE_WCHAR dependency
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Propagate icu reverse dependencies.
Php lacks "-std=c++11", provided by icu-config, when compiling icu
support leading to a build failure:
/home/peko/autobuild/instance-1/output/host/usr/sh4-buildroot-linux-uclibc/sysroot/usr/include/unicode/umachine.h:347:13:
error: 'char16_t' does not name a type
typedef char16_t UChar;
Fixes
http://autobuild.buildroot.net/results/238/238d0e4bb205c0e7288903c6498e6c1787d86a1b/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
