Since 2008 pcre is a hard-dependency of php:
aa64c6727c
Instead of optionally depending on the pcre2 package and building the
bundled pcre2 code of php in case BR2_PACKAGE_PCRE2 was not selected
we let php depend on pcre2.
While being at it rename the pcre-related configure option due to
upstream commit:
c1a22f3d4e
Fixes:
http://autobuild.buildroot.net/results/4a5/4a582af6b66c59a61b75a7047d8530202972ebdd/
because the pcre2 package already contains the fix for mips r6.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[yann.morin.1998@free.fr: keep the JIT option]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
IV is actually used. This can lead to both decreased security and
incorrect encryption data.
- Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
cookie values, the cookie names are url-decoded. This may lead to
cookies with prefixes like __Host confused with cookies that decode to
such prefix, thus leading to an attacker being able to forge cookie
which is supposed to be secure. See also CVE-2020-8184 for more
information.
https://www.php.net/ChangeLog-7.php#7.4.11
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Due to migration to pkg-config in php 7.4, the detection of
library dependencies has been changed.
source from php.net:
--with-gd becomes --enable-gd
--with-png-dir has been removed. libpng is required.
--with-zlib-dir has been removed. zlib is required.
--with-freetype-dir becomes --with-freetype
--with-jpeg-dir becomes --with-jpeg
Signed-off-by: Louis Aussedat <aussedat.louis@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
patch 0005 has been sourced from upstream, and can be dropped when
7.4.3 is released.
The mbstrings module used to use a bundled oniguruma library, but now
uses an external one, hence the new dependency on this package for the
mbstrings module.
The hash of the license file has changed due to this change in the
copyright year:
-Copyright (c) 1999 - 2018 The PHP Group. All rights reserved.
+Copyright (c) 1999 - 2019 The PHP Group. All rights reserved.
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
the upstream php-fpm sample configuration is placed in
/etc/php-fpm.d/www.conf.default
in recent version of php, so adjust the build cleanup
accordingly
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
[yann.morin.1998@free.fr: only remove the file, not the directory]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
All these packages have an upstream-provided service, but buildroot
enabled manually the services in exactly the same way as the [Install]
section.
This is not needed anymore
Signed-off-by: Jérémy Rosen <jeremy.rosen@smile.fr>
[yann.morin.1998@free.fr: fix check-package errors]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This patch adds ac_cv_have_pcre2_jit cache variable to avoid
the tests running on the host system during cross-compiling.
Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
php-7.3.3 fixes a number of security issues (no CVE known, bugtracker issues
not yet public): https://secure.php.net/ChangeLog-7.php#7.3.3
Drop 0004-OPcache-flock-mechanism-is-obviously-linux-so-force-.patch as the
flock detection has been removed since commit 9222702633 (Avoid dependency
on "struct flock" fields order.)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issue:
- CVE-2018-19935: Allows remote attackers to cause a denial of service
(NULL pointer dereference and application crash) via an empty string in the
message argument to the imap_mail function.
https://www.cvedetails.com/cve/CVE-2018-19935/
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 745f884e41.
This was the wrong fix: issue is that php moves from pcre to pcre2 since
version 7.3.0 and
a5bc5aed71
This patch will always disable external pcre2 support and raise a build
failure when toolchaine does not have pthread
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The configure option "--with-pcre-regex=$(STAGING_DIR)/usr" is broken.
PHP will prepend $(STAGING_DIR)/usr to the paths, which will cause a
failure because it won't be able to find pcre, and will then fallback to
searching for pcre2, which won't be installed.
Removing "=$(STAGING_DIR)/usr" from --with-pcre-regex fixes the issue.
Fixes:
http://autobuild.buildroot.net/results/586/586f56e8fcf2d2bbbd3bdf69b1c3befff7ce8bbf
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Tested-by: Mark Corbin <mark.corbin@embecosm.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Other changes:
- Update patches so they cleanly apply.
- Remove patch 5, as it no longer applies.
- Remove conf env option ac_cv_func_strcasestr=yes because of the
above.
- libzip is no longer bundled with php, because of this, libzip must
now be selected and depended on if the zip extension is selected.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The configure option "--with-curl=$(STAGING_DIR)/usr" is broken.
PHP will detect libcurl.pc, which will pass the configure checks, but will then
prepend $(STAGING_DIR)/usr to the paths in libcurl.pc.
Thus php will then search $(STAGING_DIR)/usr/$(STAGING_DIR)/usr/lib/ for
curl libraries during linking, which causes linking errors.
Removing "=$(STAGING_DIR)/usr" from --with-curl fixes the issue.
Fixes:
http://autobuild.buildroot.net/results/44b9ea1edca85b222a117a8e241a26b8dce33929/
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX,
as used in imap_open() in PHP and other products, launches an rsh command
(by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
function in osdep/unix/tcp_unix.c) without preventing argument injection,
which might allow remote attackers to execute arbitrary OS commands if the
IMAP server name is untrusted input (e.g., entered by a user of a web
application) and if rsh has been replaced by a program with different
argument semantics. For example, if rsh is a link to ssh (as seen on Debian
and Ubuntu systems), then the attack can use an IMAP server name containing
a "-oProxyCommand" argument.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
