Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX,
as used in imap_open() in PHP and other products, launches an rsh command
(by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
function in osdep/unix/tcp_unix.c) without preventing argument injection,
which might allow remote attackers to execute arbitrary OS commands if the
IMAP server name is untrusted input (e.g., entered by a user of a web
application) and if rsh has been replaced by a program with different
argument semantics. For example, if rsh is a link to ssh (as seen on Debian
and Ubuntu systems), then the attack can use an IMAP server name containing
a "-oProxyCommand" argument.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1af5232138)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When the internal PCRE library of PHP is used, it tries to use a JIT
engine, which is only available on some architectures.
However, the mechanism used to disable JIT has changed in recent PHP
versions, and it now has a proper --without-pcre-jit option. Switch
over to that to properly disable JIT on unsupported platforms.
It has been tested to fix the build of PHP on ARC and Microblaze.
Fixes:
http://autobuild.buildroot.net/results/e1359fcad7bc57e3c5a7ecc37abaa2cf6a6a9ffa/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Also update 0003-configure-disable-the-phar-tool.patch as configure.in is no
longer provided in the tarballs. Instead, configure.ac is patched.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes the following security issues:
CVE-2017-7890 - Buffer over-read into uninitialized memory. The GIF
decoding function gdImageCreateFromGifCtx in gd_gif_in.c (which can be
reached with a call to the imagecreatefromstring() function) uses
constant-sized color tables of size 3 * 256, but does not zero-out these
arrays before use.
CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229 -
Out-of-bonds access in oniguruma regexp library.
CVE-2017-11144 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before
7.1.7, the openssl extension PEM sealing code did not check the return value
of the OpenSSL sealing function, which could lead to a crash of the PHP
interpreter, related to an interpretation conflict for a negative number in
ext/openssl/openssl.c, and an OpenSSL documentation omission.
CVE-2017-11145 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before
7.1.7, lack of a bounds check in the date extension's timelib_meridian
parsing code could be used by attackers able to supply date strings to leak
information from the interpreter, related to an ext/date/lib/parse_date.c
out-of-bounds read affecting the php_parse_date function.
CVE-2017-11146 - In PHP through 5.6.31, 7.x through 7.0.21, and 7.1.x
through 7.1.7, lack of bounds checks in the date extension's
timelib_meridian parsing code could be used by attackers able to supply date
strings to leak information from the interpreter, related to
ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date
function. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2017-11145.
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit switches to use the new gettext logic, which involves:
- using TARGET_NLS_DEPENDENCIES instead of hand-encoded dependencies
on gettext/host-gettext
- dropping BR2_PACKAGE_GETTEXT selection. Thanks to this, we can drop
the BR2_USE_WCHAR dependency
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Following suggestion of Yann Morin, rework selection of php
interfaces: use booleans instead of choice to be able to select
multiple interfaces as they are not exclusive. We make sure at least
one of the options is selected.
It should be noted that previously CGI and FPM could not be selected
at the same time. This is now possible. Bug that prevented compilation
of CGI and FPM binaries at the same time has been fixed since PHP 5.4
(https://github.com/php-build/php-build/issues/101).
Legacy handling is added for the two options that are removed, and the
appropriate new options are selected.
Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
When building php, the package will also build/install phpdbg.
This patch explicitly disables this behaviour.
Signed-off-by: Theo Debrouwere <t.debrouwere@televic.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The Mysql Native Driver has been the default mysql driver since
PHP 5.4, but buildroot was still using libmysqlclient.
Mysqlnd has several advantages such as improved memory management
and the more favorable PHP licensing terms.
(can combine it with proprietary PHP extensions like Ioncube
loader, while libmysqlclient requires commercial licensing if you
link to it and do not fall under their GPL/FOSS license exception)
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In 5f37843a (php.ini: set date.timezone), the configured timezone was
used as the default for PHP.
However, BR2_TARGET_LOCALTIME is a string, so is quoted, so it is never
empty, so the check for emptynessnever matches.
Fix that by q-stripping the value before testing it. Note however that
we do not q-strip it before storing it in the php.ini file, because it
has to be q-stripped in there.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Floris Bos <bos@je-eigen-domein.nl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes (no CVEs yet):
Buffer over-write in finfo_open with malformed magic file.
Invalid memory write in phar on filename with \0 in name.
Parsing of tar file with duplicate filenames causes memory leak.
php_snmp_error() Format String Vulnerability.
Integer Overflow in php_raw_url_encode.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
