diff options
Diffstat (limited to 'php71.spec')
-rw-r--r-- | php71.spec | 377 |
1 files changed, 319 insertions, 58 deletions
@@ -26,12 +26,14 @@ %global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock) -%if 0%{?rhel} == 6 -%global oraclever 18.3 -%global oraclelib 18.1 -%else -%global oraclever 19.3 +%ifarch aarch64 +%global oraclever 19.19 %global oraclelib 19.1 +%global oracledir 19.19 +%else +%global oraclever 21.13 +%global oraclelib 21.1 +%global oracledir 21 %endif # Build for LiteSpeed Web Server (LSAPI) @@ -109,12 +111,12 @@ %global db_devel libdb-devel %endif -%global upver 7.1.31 +%global upver 7.1.33 Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 1%{?dist} +Release: 28%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -148,6 +150,7 @@ Source99: php-fpm.init # Build fixes Patch1: php-7.1.7-httpd.patch +Patch2: php-7.1.33-intl.patch Patch5: php-7.0.0-includedir.patch Patch6: php-5.6.3-embed.patch Patch7: php-5.3.0-recode.patch @@ -174,12 +177,56 @@ Patch91: php-5.6.3-oci8conf.patch # Upstream fixes (100+) # Security fixes (200+) +Patch201: php-bug78878.patch +Patch202: php-bug78862.patch +Patch203: php-bug78863.patch +Patch204: php-bug78793.patch +Patch205: php-bug78910.patch +Patch206: php-bug79091.patch +Patch207: php-bug79099.patch +Patch208: php-bug79037.patch +Patch209: php-bug77569.patch +Patch210: php-bug79221.patch +Patch211: php-bug79082.patch +Patch212: php-bug79282.patch +Patch213: php-bug79329.patch +Patch214: php-bug79330.patch +Patch215: php-bug79465.patch +Patch216: php-bug78875.patch +Patch217: php-bug78876.patch +Patch218: php-bug79797.patch +Patch219: php-bug79877.patch +Patch220: php-bug79601.patch +Patch221: php-bug79699.patch +Patch222: php-bug77423.patch +Patch223: php-bug80672.patch +Patch224: php-bug80710.patch +Patch225: php-bug81122.patch +Patch226: php-bug76450.patch +Patch227: php-bug81211.patch +Patch228: php-bug81026.patch +Patch229: php-bug79971.patch +Patch230: php-bug81719.patch +Patch231: php-bug81720.patch +Patch232: php-bug81727.patch +Patch233: php-bug81726.patch +Patch234: php-bug81740.patch +Patch235: php-bug81744.patch +Patch236: php-bug81746.patch +Patch237: php-cve-2023-0662.patch +Patch238: php-cve-2023-3247.patch +Patch239: php-cve-2023-3823.patch +Patch240: php-cve-2023-3824.patch +Patch241: php-cve-2024-2756.patch +Patch242: php-cve-2024-3096.patch # Fixes for tests (300+) # Factory is droped from system tzdata Patch300: php-7.0.10-datetests.patch # Revert changes for pcre < 8.34 Patch301: php-7.0.0-oldpcre.patch +# Renew openssl certs +Patch302: php-openssl-cert.patch # WIP @@ -284,7 +331,7 @@ Group: Development/Languages Summary: The interactive PHP debugger Requires: php-common%{?_isa} = %{version}-%{release} %if 0%{?rhel} -Obsoletes: php56u-dbg, php56w-dbg, php70u-dbg, php70w-phpdbg, php70u-dbg, php71w-phpdbg +Obsoletes: php56u-dbg, php56w-phpdbg, php70u-dbg, php70w-phpdbg, php70u-dbg, php71w-phpdbg %endif %description dbg The php-dbg package contains the interactive PHP debugger. @@ -295,7 +342,6 @@ Group: Development/Languages Summary: PHP FastCGI Process Manager BuildRequires: libacl-devel Requires: php-common%{?_isa} = %{version}-%{release} -Requires(pre): /usr/sbin/useradd %if %{with_systemd} BuildRequires: systemd-devel %{?systemd_requires} @@ -316,6 +362,8 @@ Requires(pre): httpd-filesystem Requires: httpd-filesystem >= 2.4.10 # php engine for Apache httpd webserver Provides: php(httpd) +%else +Requires(pre): /usr/sbin/useradd %endif %if %{with_nginx} # for /etc/nginx ownership @@ -402,7 +450,7 @@ package and the php-cli package. %package devel Group: Development/Libraries Summary: Files needed for building PHP extensions -Requires: php-cli%{?_isa} = %{version}-%{release}, autoconf, automake +Requires: php-cli%{?_isa} = %{version}-%{release}, autoconf, automake, make # see "php-config --libs" Requires: krb5-devel%{?_isa} Requires: libedit-devel%{?_isa} @@ -421,6 +469,7 @@ Provides: php-zts-devel%{?_isa} = %{version}-%{release} %endif %if 0%{?rhel} Obsoletes: php53-devel, php53u-devel, php54-devel, php54w-devel, php55u-devel, php55w-devel, php56u-devel, php56w-devel, php70u-devel, php70w-devel, php71u-devel, php71w-devel +Obsoletes: php55u-pecl-jsonc-devel, php56u-pecl-jsonc-devel %endif %description devel @@ -643,15 +692,20 @@ Summary: A module for PHP applications that use OCI8 databases Group: Development/Languages # All files licensed under PHP version 3.01 License: PHP +%ifarch aarch64 +BuildRequires: oracle-instantclient%{oraclever}-devel +# Should requires libclntsh.so.19.1()(aarch-64), but it's not provided by Oracle RPM. +Requires: libclntsh.so.%{oraclelib} +AutoReq: 0 +%else BuildRequires: oracle-instantclient-devel >= %{oraclever} +%endif Requires: php-pdo%{?_isa} = %{version}-%{release} Provides: php_database Provides: php-pdo_oci, php-pdo_oci%{?_isa} Obsoletes: php-pecl-oci8 < %{oci8ver} Conflicts: php-pecl-oci8 >= %{oci8ver} Provides: php-pecl(oci8) = %{oci8ver}, php-pecl(oci8)%{?_isa} = %{oci8ver} -# Should requires libclntsh.so.12.1, but it's not provided by Oracle RPM. -AutoReq: 0 %if 0%{?rhel} Obsoletes: php53-oci8, php53u-oci8, php54-oci8, php54w-oci8, php55u-oci8, php55w-oci8, php56u-oci8, php56w-oci8, php70u-oci8, php70w-oci8, php71u-oci8, php71w-oci8 %endif @@ -664,13 +718,9 @@ The extension is linked with Oracle client libraries %{oraclever} (Oracle Instant Client). For details, see Oracle's note "Oracle Client / Server Interoperability Support" (ID 207303.1). -You must install libclntsh.so.%{oraclelib} to use this package, provided -in the database installation, or in the free Oracle Instant Client -available from Oracle. - -Notice: -- php-oci8 provides oci8 and pdo_oci extensions from php sources. -- php-pecl-oci8 only provides oci8 extension. +You must install libclntsh.so.%{oraclelib} to use this package, +provided by Oracle Instant Client RPM available from Oracle on: +https://www.oracle.com/database/technologies/instant-client/downloads.html Documentation is at http://php.net/oci8 and http://php.net/pdo_oci %endif @@ -759,12 +809,7 @@ License: PHP and BSD %endif Requires: php-common%{?_isa} = %{version}-%{release} %if %{with_libgd} -BuildRequires: gd-devel >= 2.1.1 -%if 0%{?fedora} <= 19 && 0%{?rhel} <= 7 -Requires: gd-last%{?_isa} >= 2.1.1 -%else -Requires: gd%{?_isa} >= 2.1.1 -%endif +BuildRequires: gd-devel >= 2.3.3 %else # Required to build the bundled GD library BuildRequires: libjpeg-devel @@ -924,8 +969,8 @@ Group: System Environment/Libraries # All files licensed under PHP version 3.01 License: PHP Requires: php-common%{?_isa} = %{version}-%{release} -# Upstream requires 4.0, we require 50 to ensure use of libicu-last -BuildRequires: libicu-devel >= 50 +# Upstream requires 4.0, we require 69.1 to ensure use of libicu69 +BuildRequires: libicu-devel = 69.1 %if 0%{?rhel} Obsoletes: php53-intl, php53u-intl, php54-intl, php54w-intl, php55u-intl, php55w-intl, php56u-intl, php56w-intl, php70u-intl, php70w-intl, php71u-intl, php71w-intl %endif @@ -1001,48 +1046,94 @@ support for JavaScript Object Notation (JSON) to PHP. %setup -q -n php-%{upver}%{?rcver} -%patch1 -p1 -b .mpmcheck -%patch5 -p1 -b .includedir -%patch6 -p1 -b .embed -%patch7 -p1 -b .recode -%patch8 -p1 -b .libdb +%patch -P1 -p1 -b .mpmcheck +%patch -P2 -p1 -b .true +%patch -P5 -p1 -b .includedir +%patch -P6 -p1 -b .embed +%patch -P7 -p1 -b .recode +%patch -P8 -p1 -b .libdb %if 0%{?rhel} -%patch9 -p1 -b .curltls +%patch -P9 -p1 -b .curltls %endif -%patch40 -p1 -b .dlopen +%patch -P40 -p1 -b .dlopen %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6 -%patch42 -p1 -b .systzdata +%patch -P42 -p1 -b .systzdata %endif -%patch43 -p1 -b .headers +%patch -P43 -p1 -b .headers %if 0%{?fedora} >= 18 || 0%{?rhel} >= 7 -%patch45 -p1 -b .ldap_r +%patch -P45 -p1 -b .ldap_r %endif -%patch47 -p1 -b .phpinfo -%patch48 -p1 -b .loadconf -%patch49 -p1 -b .getallheaders +%patch -P47 -p1 -b .phpinfo +%patch -P48 -p1 -b .loadconf +%patch -P49 -p1 -b .getallheaders -%patch91 -p1 -b .remi-oci8 +%patch -P91 -p1 -b .remi-oci8 # upstream patches # security patches +%patch -P201 -p1 -b .bug78878 +%patch -P202 -p1 -b .bug78862 +%patch -P203 -p1 -b .bug78863 +%patch -P204 -p1 -b .bug78793 +%patch -P205 -p1 -b .bug78910 +%patch -P206 -p1 -b .bug79091 +%patch -P207 -p1 -b .bug79099 +%patch -P208 -p1 -b .bug79037 +%patch -P209 -p1 -b .bug77569 +%patch -P210 -p1 -b .bug79221 +%patch -P211 -p1 -b .bug79082 +%patch -P212 -p1 -b .bug79282 +%patch -P213 -p1 -b .bug79329 +%patch -P214 -p1 -b .bug79330 +%patch -P215 -p1 -b .bug79465 +%patch -P216 -p1 -b .bug78875 +%patch -P217 -p1 -b .bug78876 +%patch -P218 -p1 -b .bug79797 +%patch -P219 -p1 -b .bug79877 +%patch -P220 -p1 -b .bug79601 +%patch -P221 -p1 -b .bug79699 +%patch -P222 -p1 -b .bug77423 +%patch -P223 -p1 -b .bug80672 +%patch -P224 -p1 -b .bug80710 +%patch -P225 -p1 -b .bug81122 +%patch -P226 -p1 -b .bug76450 +%patch -P227 -p1 -b .bug81211 +%patch -P228 -p1 -b .bug81026 +%patch -P229 -p1 -b .bug79971 +%patch -P230 -p1 -b .bug81719 +%patch -P231 -p1 -b .bug81720 +%patch -P232 -p1 -b .bug81727 +%patch -P233 -p1 -b .bug81726 +%patch -P234 -p1 -b .bug81740 +%patch -P235 -p1 -b .bug81744 +%patch -P236 -p1 -b .bug81746 +%patch -P237 -p1 -b .cve0662 +%patch -P238 -p1 -b .cve3247 +%patch -P239 -p1 -b .cve3823 +%patch -P240 -p1 -b .cve3824 +%patch -P241 -p1 -b .cve2756 +%patch -P242 -p1 -b .cve3096 # Fixes for tests %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6 -%patch300 -p1 -b .datetests +%patch -P300 -p1 -b .datetests %endif %if %{with_libpcre} if ! pkg-config libpcre --atleast-version 8.34 ; then # Only apply when system libpcre < 8.34 -%patch301 -p1 -b .pcre834 +%patch -P301 -p1 -b .pcre834 fi %endif +# New openssl certs +%patch -P302 -p1 -b .renewcert +rm ext/openssl/tests/bug65538_003.phpt # WIP patch # Prevent %%doc confusion over LICENSE files -cp Zend/LICENSE Zend/ZEND_LICENSE +cp Zend/LICENSE ZEND_LICENSE cp TSRM/LICENSE TSRM_LICENSE %if ! %{with_libgd} cp ext/gd/libgd/README libgd_README @@ -1078,9 +1169,11 @@ rm Zend/tests/bug54268.phpt rm Zend/tests/bug68412.phpt # slow and erratic result rm sapi/cli/tests/upload_2G.phpt -# avoid issue when 2 builds run simultaneously +# avoid issue when 2 builds run simultaneously (keep 64321 for the SCL) %ifarch x86_64 sed -e 's/64321/64322/' -i ext/openssl/tests/*.phpt +%else +sed -e 's/64321/64323/' -i ext/openssl/tests/*.phpt %endif # Safety check for API version change. @@ -1311,11 +1404,7 @@ build --libdir=%{_libdir}/php \ --with-mysqli=shared,mysqlnd \ --with-mysql-sock=%{mysql_sock} \ %if %{with_oci8} -%ifarch x86_64 - --with-oci8=shared,instantclient,%{_libdir}/oracle/%{oraclever}/client64/lib,%{oraclever} \ -%else - --with-oci8=shared,instantclient,%{_libdir}/oracle/%{oraclever}/client/lib,%{oraclever} \ -%endif + --with-oci8=shared,instantclient,%{_prefix}/lib/oracle/%{oracledir}/client64/lib,%{oraclever} \ --with-pdo-oci=shared,instantclient,/usr,%{oraclever} \ %endif --with-interbase=shared \ @@ -1458,11 +1547,7 @@ build --includedir=%{_includedir}/php-zts \ --with-mysql-sock=%{mysql_sock} \ --enable-mysqlnd-threading \ %if %{with_oci8} -%ifarch x86_64 - --with-oci8=shared,instantclient,%{_libdir}/oracle/%{oraclever}/client64/lib,%{oraclever} \ -%else - --with-oci8=shared,instantclient,%{_libdir}/oracle/%{oraclever}/client/lib,%{oraclever} \ -%endif + --with-oci8=shared,instantclient,%{_prefix}/lib/oracle/%{oracledir}/client64/lib,%{oraclever} \ --with-pdo-oci=shared,instantclient,/usr,%{oraclever} \ %endif --with-interbase=shared \ @@ -1531,11 +1616,12 @@ popd %check %if %runselftest -cd build-apache +cd build-fpm # Run tests, using the CLI SAPI export NO_INTERACTION=1 REPORT_EXIT_STATUS=1 MALLOC_CHECK_=2 export SKIP_ONLINE_TESTS=1 +export SKIP_SLOW_TESTS=1 unset TZ LANG LC_ALL if ! make test; then set +x @@ -1813,7 +1899,7 @@ sed -e "s/@PHP_APIVER@/%{apiver}%{isasuffix}/" \ %endif < %{SOURCE3} > macros.php %if 0%{?fedora} >= 24 -echo '%pecl_xmldir %{_localstatedir}/lib/php/peclxml' >>macros.php +echo '%%pecl_xmldir %%{_localstatedir}/lib/php/peclxml' >>macros.php %endif install -m 644 -D macros.php \ $RPM_BUILD_ROOT%{macrosdir}/macros.php @@ -1906,6 +1992,19 @@ fi %postun embedded -p /sbin/ldconfig +%posttrans common +cat << EOF +===================================================================== + + WARNING : PHP 7.1 have reached its "End of Life" in + December 2019. Even, if this package includes some of + the important security fixes, backported from 8.1, the + UPGRADE to a maintained version is very strongly RECOMMENDED. + +===================================================================== +EOF + + %{!?_licensedir:%global license %%doc} %files @@ -1924,7 +2023,7 @@ fi %files common -f files.common %doc CODING_STANDARDS CREDITS EXTENSIONS NEWS README* -%license LICENSE TSRM_LICENSE +%license LICENSE TSRM_LICENSE ZEND_LICENSE %license libmagic_LICENSE %license phar_LICENSE %license timelib_LICENSE @@ -2082,6 +2181,168 @@ fi %changelog +* Wed Apr 10 2024 Remi Collet <remi@remirepo.net> - 7.1.33-28 +- use oracle client library version 21.13 on x86_64, 19.19 on aarch64 +- Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix + CVE-2024-2756 +- Fix password_verify can erroneously return true opening ATO risk + CVE-2024-3096 + +* Tue Aug 1 2023 Remi Collet <remi@remirepo.net> - 7.1.33-27 +- Fix Security issue with external entity loading in XML without enabling it + GHSA-3qrf-m4j2-pcrr CVE-2023-3823 +- Fix Buffer mismanagement in phar_dir_read() + GHSA-jqcx-ccgc-xwhv CVE-2023-3824 + +* Wed Jun 21 2023 Remi Collet <remi@remirepo.net> - 7.1.33-26 +- fix possible buffer overflow in date + +* Wed Jun 7 2023 Remi Collet <remi@remirepo.net> - 7.1.33-25 +- Fix Missing error check and insufficient random bytes in HTTP Digest + authentication for SOAP + GHSA-76gg-c692-v2mw CVE-2023-3247 +- use oracle client library version 21.10 +- define __phpize and __phpconfig + +* Tue Feb 14 2023 Remi Collet <remi@remirepo.net> - 7.1.33-24 +- fix #81744: Password_verify() always return true with some hash + CVE-2023-0567 +- fix #81746: 1-byte array overrun in common path resolve code + CVE-2023-0568 +- fix DOS vulnerability when parsing multipart request body + CVE-2023-0662 + +* Mon Dec 19 2022 Remi Collet <remi@remirepo.net> - 7.1.33-23 +- pdo: fix #81740: PDO::quote() may return unquoted string + CVE-2022-31631 +- use oracle client library version 21.8 + +* Tue Sep 27 2022 Remi Collet <remi@remirepo.net> - 7.1.33-22 +- phar: fix #81726 DOS when using quine gzip file. CVE-2022-31628 +- core: fix #81727 Don't mangle HTTP variable names that clash with ones + that have a specific semantic meaning. CVE-2022-31629 +- use oracle client library version 21.7 + +* Tue Jun 7 2022 Remi Collet <remi@remirepo.net> - 7.1.33-20 +- use oracle client library version 21.6 +- mysqlnd: fix #81719: mysqlnd/pdo password buffer overflow. CVE-2022-31626 +- pgsql: fix #81720: Uninitialized array in pg_query_params(). CVE-2022-31625 + +* Mon Nov 15 2021 Remi Collet <remi@remirepo.net> - 7.1.33-19 +- Fix #79971 special character is breaking the path in xml function + CVE-2021-21707 + +* Wed Oct 20 2021 Remi Collet <remi@remirepo.net> - 7.1.33-18 +- fix PHP-FPM oob R/W in root process leading to priv escalation + CVE-2021-21703 +- use libicu version 69 +- use oracle client library version 21.3 + +* Wed Aug 25 2021 Remi Collet <remi@remirepo.net> - 7.1.33-16 +- Fix #81211 Symlinks are followed when creating PHAR archive + +* Mon Jun 28 2021 Remi Collet <remi@remirepo.net> - 7.1.33-15 +- Fix #81122 SSRF bypass in FILTER_VALIDATE_URL + CVE-2021-21705 +- Fix #76448 Stack buffer overflow in firebird_info_cb +- Fix #76449 SIGSEGV in firebird_handle_doer +- Fix #76450 SIGSEGV in firebird_stmt_execute +- Fix #76452 Crash while parsing blob data in firebird_fetch_blob + CVE-2021-21704 + +* Wed Apr 28 2021 Remi Collet <remi@remirepo.net> - 7.1.33-13 +- Fix #80710 imap_mail_compose() header injection +- use oracle client library version 21.1 + +* Wed Feb 3 2021 Remi Collet <remi@remirepo.net> - 7.1.33-12 +- Fix #80672 Null Dereference in SoapClient + CVE-2021-21702 +- better fix for #77423 + +* Mon Jan 4 2021 Remi Collet <remi@remirepo.net> - 7.1.33-11 +- Fix #77423 FILTER_VALIDATE_URL accepts URLs with invalid userinfo + CVE-2020-7071 + +* Tue Sep 29 2020 Remi Collet <remi@remirepo.net> - 7.1.33-10 +- Core: + Fix #79699 PHP parses encoded cookie names so malicious `__Host-` cookies can be sent + CVE-2020-7070 +- OpenSSL: + Fix #79601 Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV + CVE-2020-7069 + Fix bug #78079 openssl_encrypt_ccm.phpt fails with OpenSSL 1.1.1c + +* Tue Aug 4 2020 Remi Collet <remi@remirepo.net> - 7.1.33-9 +- Core: + Fix #79877 getimagesize function silently truncates after a null byte +- Phar: + Fix #79797 use of freed hash key in the phar_parse_zipfile function + CVE-2020-7068 + +* Tue May 12 2020 Remi Collet <remi@remirepo.net> - 7.1.33-8 +- Core: + Fix #78875 Long filenames cause OOM and temp files are not cleaned + CVE-2019-11048 + Fix #78876 Long variables in multipart/form-data cause OOM and temp + files are not cleaned + +* Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 7.1.33-7 +- standard: + Fix #79330 shell_exec silently truncates after a null byte + Fix #79465 OOB Read in urldecode + CVE-2020-7067 + +* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 7.1.33-6 +- standard: + Fix #79329 get_headers() silently truncates after a null byte + CVE-2020-7066 +- exif: + Fix #79282 Use-of-uninitialized-value in exif + CVE-2020-7064 +- use oracle client library version 19.6 (18.5 on EL-6) + +* Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 7.1.33-5 +- dom: + Fix #77569 Write Access Violation in DomImplementation +- phar: + Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions + CVE-2020-7063 +- session: + Fix #79221 Null Pointer Dereference in PHP Session Upload Progress + CVE-2020-7062 + +* Thu Jan 23 2020 Remi Collet <remi@remirepo.net> - 7.1.33-4 +- mbstring: + Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar + CVE-2020-7060 +- session: + Fix #79091 heap use-after-free in session_create_id +- standard: + Fix #79099 OOB read in php_strip_tags_ex + CVE-2020-7059 + +* Tue Dec 17 2019 Remi Collet <remi@remirepo.net> - 7.1.33-2 +- bcmath: + Fix #78878 Buffer underflow in bc_shift_addsub + CVE-2019-11046 +- core: + Fix #78862 link() silently truncates after a null byte on Windows + CVE-2019-11044 + Fix #78863 DirectoryIterator class silently truncates after a null byte + CVE-2019-11045 +- exif + Fix #78793 Use-after-free in exif parsing under memory sanitizer + CVE-2019-11050 + Fix #78910 Heap-buffer-overflow READ in exif + CVE-2019-11047 +- use oracle client library version 19.5 (18.5 on EL-6) + +* Wed Oct 23 2019 Remi Collet <remi@remirepo.net> - 7.1.33-1 +- Update to 7.1.33 - http://www.php.net/releases/7_1_33.php + +* Wed Aug 28 2019 Remi Collet <remi@remirepo.net> - 7.1.32-1 +- Update to 7.1.32 - http://www.php.net/releases/7_1_32.php + * Wed Jul 31 2019 Remi Collet <remi@remirepo.net> - 7.1.31-1 - Update to 7.1.31 - http://www.php.net/releases/7_1_31.php |