pkgsrc-Changes archive


CVS commit: [pkgsrc-2018Q2] pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Aug 17 17:37:22 UTC 2018

Modified Files:
        pkgsrc/lang/php [pkgsrc-2018Q2]: phpversion.mk
        pkgsrc/lang/php70 [pkgsrc-2018Q2]: Makefile Makefile.php distinfo
Added Files:
        pkgsrc/lang/php70/patches [pkgsrc-2018Q2]: patch-disable-filter-url

Log Message:
Pullup ticket #5799 - requested by taca
lang/php70: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.224
- lang/php70/Makefile                                           1.11-1.12
- lang/php70/Makefile.php                                       1.8-1.9
- lang/php70/distinfo                                           1.46-1.47
- lang/php70/patches/patch-disable-filter-url                   1.1

---
   Module Name: pkgsrc
   Committed By:        maya
   Date:                Mon Jul 16 10:58:50 UTC 2018

   Modified Files:
        pkgsrc/lang/php70: Makefile Makefile.php
        pkgsrc/lang/php71: Makefile Makefile.php
        pkgsrc/lang/php72: Makefile Makefile.php

   Log Message:
   php*: disable global regs on i386.
   Fixes PR pkg/53222 that resurfaced

   Remove the previous workaround to add GCC_REQD, which isn't sufficient
   any more, possibly due to enabling ssp/fortify?

   XXX bumping PKGREVISION might not be sufficient, for the same reason the
   GCC_REQD had to be moved to Makefile.php, it affects modules too.

---
   Module Name: pkgsrc
   Committed By:        manu
   Date:                Wed Jul 18 07:33:12 UTC 2018

   Modified Files:
        pkgsrc/lang/php56: Makefile.php distinfo
        pkgsrc/lang/php70: Makefile.php distinfo
        pkgsrc/lang/php71: Makefile.php distinfo
        pkgsrc/lang/php72: Makefile.php distinfo
   Added Files:
        pkgsrc/lang/php56/patches: patch-disable-filter-url
        pkgsrc/lang/php70/patches: patch-disable-filter-url
        pkgsrc/lang/php71/patches: patch-disable-filter-url
        pkgsrc/lang/php72/patches: patch-disable-filter-url

   Log Message:
   Add pkgsrc build option disable-filter-url to disable php://filter URL

   php://filter URL is a feature documented here:
   http://php.net/manual/en/wrappers.php.php

   Unfortunately, it allows remote control of include() behavior
   beyond what many developers expected, enabling easy dump of
   PHP source files. The administrator may want to disable the
   feature for security's sake, and this option makes that possible.

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Fri Jul 20 13:27:28 UTC 2018

   Modified Files:
        pkgsrc/lang/php: phpversion.mk
        pkgsrc/lang/php70: Makefile distinfo

   Log Message:
   lang/php70: update to 7.0.31

   19 Jul 2018 PHP 7.0.31

   - Exif:
     . Fixed bug #76423 (Int Overflow lead to Heap OverFlow in
       exif_thumbnail_extract of exif.c). (Stas)
     . Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif
       data). (Stas)

   - Win32:
     . Fixed bug #76459 (windows linkinfo lacks openbasedir check). (Anatol)


To generate a diff of this commit:
cvs rdiff -u -r1.221.2.2 -r1.221.2.3 pkgsrc/lang/php/phpversion.mk
cvs rdiff -u -r1.10 -r1.10.6.1 pkgsrc/lang/php70/Makefile
cvs rdiff -u -r1.7 -r1.7.10.1 pkgsrc/lang/php70/Makefile.php
cvs rdiff -u -r1.45 -r1.45.2.1 pkgsrc/lang/php70/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/lang/php70/patches/patch-disable-filter-url

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/php/phpversion.mk
diff -u pkgsrc/lang/php/phpversion.mk:1.221.2.2 pkgsrc/lang/php/phpversion.mk:1.221.2.3
--- pkgsrc/lang/php/phpversion.mk:1.221.2.2     Fri Aug 17 16:08:38 2018
+++ pkgsrc/lang/php/phpversion.mk       Fri Aug 17 17:37:21 2018
@@ -1,4 +1,4 @@
-# $NetBSD: phpversion.mk,v 1.221.2.2 2018/08/17 16:08:38 bsiegert Exp $
+# $NetBSD: phpversion.mk,v 1.221.2.3 2018/08/17 17:37:21 bsiegert Exp $
 #
 # This file selects a PHP version, based on the user's preferences and
 # the installed packages. It does not add a dependency on the PHP
@@ -88,7 +88,7 @@ PHPVERSION_MK=        defined
 
 # Define each PHP's version.
 PHP56_VERSION= 5.6.36
-PHP70_VERSION= 7.0.30
+PHP70_VERSION= 7.0.31
 PHP71_VERSION= 7.1.20
 PHP72_VERSION= 7.2.8
 

Index: pkgsrc/lang/php70/Makefile
diff -u pkgsrc/lang/php70/Makefile:1.10 pkgsrc/lang/php70/Makefile:1.10.6.1
--- pkgsrc/lang/php70/Makefile:1.10     Fri Oct 27 08:46:49 2017
+++ pkgsrc/lang/php70/Makefile  Fri Aug 17 17:37:22 2018
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.10 2017/10/27 08:46:49 taca Exp $
+# $NetBSD: Makefile,v 1.10.6.1 2018/08/17 17:37:22 bsiegert Exp $
 
 #
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
@@ -48,6 +48,12 @@ INSTALLATION_DIRS+=  ${CGIDIR} ${PHP_EXTE
 CONFIGURE_ARGS+=       --without-pcre-jit
 .endif
 
+.if ${MACHINE_ARCH} == "i386"
+# segfaults when buidling with many compilers
+# https://bugs.php.net/bug.php?id=74527
+CONFIGURE_ARGS+=       --disable-gcc-global-regs
+.endif
+
 # Make sure modules can link correctly
 .if ${OPSYS} == "Darwin"
 INSTALL_UNSTRIPPED=    yes
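
Review bot: The comment in the new i386 block has a typo ("buidling") and cites bugs.php.net id 74527, while the workaround removed from Makefile.php in this same commit cites PHP bug #74526; confirm which report is meant and make the two references consistent. Because the condition tests only MACHINE_ARCH, --disable-gcc-global-regs is passed for every compiler on i386, which agrees with "many compilers" but is worth saying explicitly in the comment.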

Index: pkgsrc/lang/php70/Makefile.php
diff -u pkgsrc/lang/php70/Makefile.php:1.7 pkgsrc/lang/php70/Makefile.php:1.7.10.1
--- pkgsrc/lang/php70/Makefile.php:1.7  Fri Aug  4 23:07:28 2017
+++ pkgsrc/lang/php70/Makefile.php      Fri Aug 17 17:37:22 2018
@@ -1,13 +1,8 @@
-# $NetBSD: Makefile.php,v 1.7 2017/08/04 23:07:28 taca Exp $
+# $NetBSD: Makefile.php,v 1.7.10.1 2018/08/17 17:37:22 bsiegert Exp $
 # used by lang/php70/Makefile
 # used by www/ap-php/Makefile
 # used by www/php-fpm/Makefile
 
-# PHP bug #74526 - segfaults on build with GCC 4.8.5 i386
-.if ${MACHINE_ARCH} == "i386"
-GCC_REQD+=              4.9
-.endif
-
 .include "../../lang/php70/Makefile.common"
 
 DISTINFO_FILE= ${.CURDIR}/../../lang/php70/distinfo
@@ -45,7 +40,7 @@ CONFIGURE_ARGS+=      --with-libxml-dir=${PRE
 .include "../../textproc/libxml2/buildlink3.mk"
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.${PHP_PKG_PREFIX}
-PKG_SUPPORTED_OPTIONS+=        inet6 ssl maintainer-zts readline
+PKG_SUPPORTED_OPTIONS+=        inet6 ssl maintainer-zts readline disable-filter-url
 PKG_SUGGESTED_OPTIONS+=        inet6 ssl readline
 
 .if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD"
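
Review bot: disable-filter-url is added to PKG_SUPPORTED_OPTIONS but not to PKG_SUGGESTED_OPTIONS, so default builds keep php://filter enabled and the hardening is opt-in; the diff adds no description of the new option, so an administrator has to read the commit log to learn it exists. Add a short description alongside the option, and consider whether a negatively phrased name fits next to inet6, ssl and readline.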
@@ -92,5 +87,9 @@ CONFIGURE_ARGS+=      --enable-dtrace
 INSTALL_MAKE_FLAGS+=   -r
 .endif
 
+.if !empty(PKG_OPTIONS:Mdisable-filter-url)
+CFLAGS+=               -DDISABLE_FILTER_URL
+.endif
+
 DL_AUTO_VARS=          yes
 .include "../../mk/dlopen.buildlink3.mk"
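
Review bot: -DDISABLE_FILTER_URL in the new .if block is a preprocessor define, so CPPFLAGS is the more appropriate variable than CFLAGS. Placing the block in Makefile.php is sensible, since the header of this file lists www/ap-php and www/php-fpm as users and they pick up the same option.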

Index: pkgsrc/lang/php70/distinfo
diff -u pkgsrc/lang/php70/distinfo:1.45 pkgsrc/lang/php70/distinfo:1.45.2.1
--- pkgsrc/lang/php70/distinfo:1.45     Thu Apr 26 15:46:57 2018
+++ pkgsrc/lang/php70/distinfo  Fri Aug 17 17:37:22 2018
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.45 2018/04/26 15:46:57 taca Exp $
+$NetBSD: distinfo,v 1.45.2.1 2018/08/17 17:37:22 bsiegert Exp $
 
-SHA1 (php-7.0.30.tar.bz2) = 774d76578f06e4acc035ed65692f7750f7d9c9b1
-RMD160 (php-7.0.30.tar.bz2) = f3bf11cfb9d02988d1458d9b30a223af3191e970
-SHA512 (php-7.0.30.tar.bz2) = 37b39b3163ad5c5f7d42e22bb5fe9d8708a0559add4f29624c4640c11ef0cbcdfe010cbf69032b741099c9d4f87c9878c19c1d2f3f98817271686aa177956002
-Size (php-7.0.30.tar.bz2) = 14641553 bytes
+SHA1 (php-7.0.31.tar.bz2) = 4da4e41b37445b0f5166df37583d23c78ca8e358
+RMD160 (php-7.0.31.tar.bz2) = f34a43e8809a25b0b8af78a62ab92d8f3012825e
+SHA512 (php-7.0.31.tar.bz2) = f496ca871245c0ddbbc848ad2c46d24e789c8cc3f1be489b87d25d353c5773ea9c54c2a54dfb2c4e9fc6b08cdf812305fa6bd0d80615f33f0db9d21edee3636b
+Size (php-7.0.31.tar.bz2) = 14641488 bytes
 SHA1 (patch-acinclude.m4) = 81a8f33a536500978ea5a9aa2d2875c61c843e56
 SHA1 (patch-configure) = 68ca63d7623feee2f12c9e1abacf4a5d7827d96c
+SHA1 (patch-disable-filter-url) = e9e92d686ddd1d1a1ece10fe4feee4e368fe510c
 SHA1 (patch-ext_gd_config.m4) = bde93678626592cdcee619189bfc6532d0913a76
 SHA1 (patch-ext_imap_config.m4) = f4e10ab81697b72019313f63bc630627a08efd92
 SHA1 (patch-ext_intl_config.m4) = 222e35fc2c3e9e559696293fdf66171f8abfca7f

Added files:

Index: pkgsrc/lang/php70/patches/patch-disable-filter-url
diff -u /dev/null pkgsrc/lang/php70/patches/patch-disable-filter-url:1.1.2.2
--- /dev/null   Fri Aug 17 17:37:22 2018
+++ pkgsrc/lang/php70/patches/patch-disable-filter-url  Fri Aug 17 17:37:22 2018
@@ -0,0 +1,34 @@
+$NetBSD: patch-disable-filter-url,v 1.1.2.2 2018/08/17 17:37:22 bsiegert Exp $
+
+Add build-time disable option for dangerous php://filter URL
+
+php://filter URL is a feature documented here:
+http://php.net/manual/en/wrappers.php.php
+
+Unfortunately, it allows remote control of include() behavior
+beyond what many developpers expected, enabling easy dump of
+PHP source files. The administrator may want to disable the
+feature for security sake, and this patch makes that possible.
+
+--- ./ext/standard/php_fopen_wrapper.c.orig
++++ ./ext/standard/php_fopen_wrapper.c
+@@ -345,8 +345,9 @@
+                               "Error duping file descriptor " ZEND_LONG_FMT "; possibly it doesn't exist: "
+                               "[%d]: %s", fildes_ori, errno, strerror(errno));
+                       return NULL;
+               }
++#ifndef DISABLE_FILTER_URL
+       } else if (!strncasecmp(path, "filter/", 7)) {
+               /* Save time/memory when chain isn't specified */
+               if (strchr(mode, 'r') || strchr(mode, '+')) {
+                       mode_rw |= PHP_STREAM_FILTER_READ;
+@@ -382,8 +383,9 @@
+               }
+               efree(pathdup);
+ 
+               return stream;
++#endif /* !DISABLE_FILTER_URL */
+       } else {
+               /* invalid php://thingy */
+               php_error_docref(NULL, E_WARNING, "Invalid php:// URL specified");
+               return NULL;
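
Review bot: With DISABLE_FILTER_URL defined, a php://filter path falls through to the final else branch and is reported as "Invalid php:// URL specified", which an administrator reading the logs cannot tell apart from a mistyped wrapper name. Consider keeping a small branch for "filter/" that emits a distinct warning saying php://filter is disabled in this build and returns NULL, so blocked requests are identifiable. Also check that locals touched only inside the guarded block, such as mode_rw and pathdup, do not produce unused-variable warnings when it is compiled out, and fix "developpers" in the patch description.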


