pkgsrc-Changes archive


CVS commit: [pkgsrc-2024Q1] pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Mon Apr 22 12:49:08 UTC 2024

Modified Files:
        pkgsrc/lang/php [pkgsrc-2024Q1]: phpversion.mk
        pkgsrc/lang/php83 [pkgsrc-2024Q1]: distinfo
        pkgsrc/lang/php83/patches [pkgsrc-2024Q1]: patch-configure

Log Message:
Pullup ticket #6848 - requested by taca
lang/php83: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.428
- lang/php83/distinfo                                           1.6
- lang/php83/patches/patch-configure                            1.4

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Sat Apr 13 02:51:54 UTC 2024

   Modified Files:
        pkgsrc/lang/php: phpversion.mk
        pkgsrc/lang/php83: distinfo
        pkgsrc/lang/php83/patches: patch-configure

   Log Message:
   lang/php83: update to 8.3.5

   This release includes security fixes.

   11 Apr 2024, PHP 8.3.5

   - Core:
     . Fixed GH-13569 (GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when
       scanning WeakMaps). (Arnaud)
     . Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
       (nielsdos)
     . Fixed bug GH-13446 (Restore exception handler after it finishes). (ilutov)
     . Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure). (Remi)
     . Fixed bug GH-13670 (GC does not scale well with a lot of objects created in
       destructor). (Arnaud)

   - DOM:
     . Add some missing ZPP checks. (nielsdos)
     . Fix potential memory leak in XPath evaluation results. (nielsdos)

   - FPM:
     . Fixed GH-11086 (FPM: config test runs twice in daemonised mode).
       (Jakub Zelenka)
     . Fix incorrect check in fpm_shm_free(). (nielsdos)

   - GD:
     . Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests). (Michael Orlitzky)

   - Gettext:
     . Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5
       with category set to LC_ALL. (David Carlier)

   - MySQLnd:
     . Fix GH-13452 (Fixed handshake response [mysqlnd]). (Saki Takamachi)
     . Fix incorrect charset length in check_mb_eucjpms(). (nielsdos)

   - Opcache:
     . Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
       (Arnaud, Dmitry)
     . Fixed GH-13712 (Segmentation fault for enabled observers when calling trait
       method of internal trait when opcache is loaded). (Bob)

   - Random:
     . Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown
       modes). (timwolla)
     . Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between
       requests when MT_RAND_PHP is used). (timwolla)

   - Session:
     . Fixed bug GH-13680 (Segfault with session_decode and compilation error).
       (nielsdos)

   - SPL:
     . Fixed bug GH-13685 (Unexpected null pointer in zend_string.h). (nielsdos)

   - Standard:
     . Fixed bug GH-11808 (Live filesystem modified by tests). (nielsdos)
     . Fixed GH-13402 (Added validation of `\n` in $additional_headers of mail()).
       (SakiTakamachi)
     . Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
       (divinity76)
     . Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
       parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
     . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
       partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
     . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
       opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
     . Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some
       inputs). (CVE-2024-2757) (Alex Dowad)


To generate a diff of this commit:
cvs rdiff -u -r1.426.2.1 -r1.426.2.2 pkgsrc/lang/php/phpversion.mk
cvs rdiff -u -r1.5 -r1.5.2.1 pkgsrc/lang/php83/distinfo
cvs rdiff -u -r1.3 -r1.3.2.1 pkgsrc/lang/php83/patches/patch-configure

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/php/phpversion.mk
diff -u pkgsrc/lang/php/phpversion.mk:1.426.2.1 pkgsrc/lang/php/phpversion.mk:1.426.2.2
--- pkgsrc/lang/php/phpversion.mk:1.426.2.1     Mon Apr 22 12:36:39 2024
+++ pkgsrc/lang/php/phpversion.mk       Mon Apr 22 12:49:08 2024
@@ -1,4 +1,4 @@
-# $NetBSD: phpversion.mk,v 1.426.2.1 2024/04/22 12:36:39 bsiegert Exp $
+# $NetBSD: phpversion.mk,v 1.426.2.2 2024/04/22 12:49:08 bsiegert Exp $
 #
 # This file selects a PHP version, based on the user's preferences and
 # the installed packages. It does not add a dependency on the PHP
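
Review bot: The only change visible in this phpversion.mk hunk is the $NetBSD$ RCS Id line; the bump to 8.3.5 that the log message describes is not in the lines shown. Run the full cvs rdiff listed above and confirm the PHP 8.3 version setting actually changed in revision 1.426.2.2 before treating the branch as fixed.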

Index: pkgsrc/lang/php83/distinfo
diff -u pkgsrc/lang/php83/distinfo:1.5 pkgsrc/lang/php83/distinfo:1.5.2.1
--- pkgsrc/lang/php83/distinfo:1.5      Sun Mar 17 16:48:19 2024
+++ pkgsrc/lang/php83/distinfo  Mon Apr 22 12:49:08 2024
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.5 2024/03/17 16:48:19 taca Exp $
+$NetBSD: distinfo,v 1.5.2.1 2024/04/22 12:49:08 bsiegert Exp $
 
-BLAKE2s (php-8.3.4.tar.xz) = 4502a9122864f77bc8f05f46717796f637fee78b002c5c10b179a01a332bc9ea
-SHA512 (php-8.3.4.tar.xz) = 7254421c57de6c8f9f84079212ead38b397e053ad2dc202bd4e0c9d63aa5d9884a6a856fb93fcdbc9e671051436814188439bc5de480979e53fdcb5488cdc321
-Size (php-8.3.4.tar.xz) = 12443980 bytes
-SHA1 (patch-configure) = c6c1657a10caeca4f9c2abf5e66f8fa16e5feca1
+BLAKE2s (php-8.3.5.tar.xz) = cf85b04006f4ac04268c3cf86f57e0be5800813accf93e10ae36842b642bb49f
+SHA512 (php-8.3.5.tar.xz) = 6ae60efe2e4df60bf217808cbd710fb3b71a4494de8ded8e0ae7ed9ad5f737fcb49acd004abcb2f7dfcc216108b39143e8094dc40096aefcce72a59b55d4c4bd
+Size (php-8.3.5.tar.xz) = 12461308 bytes
+SHA1 (patch-configure) = fdeb39ffcd2abd085c4cda6ced05de748b1a0a68
 SHA1 (patch-ext_enchant_enchant.c) = 7d999de1b2fde2ea11e4a6e16e7b59c085924b9b
 SHA1 (patch-ext_phar_Makefile.frag) = 53ea5c58b0bc27d236118d5750a74b1cba43e5dd
 SHA1 (patch-ext_standard_php__fopen__wrapper.c) = 0a2c19c18f089448a8d842e99738b292ab9e5640
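
Review bot: The new BLAKE2s, SHA512 and Size lines for php-8.3.5.tar.xz cannot be validated from the diff alone; for a security pullup, confirm they were generated from a tarball checked against the upstream release signature or published hash. The changed SHA1 (patch-configure) line is consistent with patch-configure being modified in this same commit, and the remaining patch hashes are unchanged context, as expected.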

Index: pkgsrc/lang/php83/patches/patch-configure
diff -u pkgsrc/lang/php83/patches/patch-configure:1.3 pkgsrc/lang/php83/patches/patch-configure:1.3.2.1
--- pkgsrc/lang/php83/patches/patch-configure:1.3       Sun Mar 17 16:48:19 2024
+++ pkgsrc/lang/php83/patches/patch-configure   Mon Apr 22 12:49:08 2024
@@ -1,12 +1,12 @@
-$NetBSD: patch-configure,v 1.3 2024/03/17 16:48:19 taca Exp $
+$NetBSD: patch-configure,v 1.3.2.1 2024/04/22 12:49:08 bsiegert Exp $
 
 * Do not include "PKG_CONFIG*" in CONFIGURE_OPTIONS.
 * Don't autodetect maintainer-zts.
 * Shell portability.
 
---- configure.orig     2024-03-12 23:42:26.000000000 +0000
+--- configure.orig     2024-04-09 21:35:09.000000000 +0000
 +++ configure
-@@ -3735,6 +3735,10 @@ EOF
+@@ -4326,6 +4326,10 @@ EOF
     else
      break
     fi
@@ -14,10 +14,10 @@ $NetBSD: patch-configure,v 1.3 2024/03/1
 +       \'PKG_CONFIG\=*)       CURRENT_ARG="'PKG_CONFIG=@TOOLS_PATH.pkg-config@'";;
 +       \'PKG_CONFIG_LIBDIR\=*)        CURRENT_ARG="'PKG_CONFIG_LIBDIR=@PHP_PKGCONFIG_PATH@'";;
 +   esac
-    $as_echo "$CURRENT_ARG \\" >>config.nice
+    printf "%s\n" "$CURRENT_ARG \\" >>config.nice
     CONFIGURE_OPTIONS="$CONFIGURE_OPTIONS $CURRENT_ARG"
    done
-@@ -7016,30 +7020,6 @@ EOF
+@@ -7548,30 +7552,6 @@ EOF
      ;;
    esac
  
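
Review bot: The case block at the top of this hunk rewrites only 'PKG_CONFIG=' and 'PKG_CONFIG_LIBDIR=' before the argument is appended to config.nice and CONFIGURE_OPTIONS, while the patch header states the intent as excluding "PKG_CONFIG*"; as far as these lines show, a PKG_CONFIG_PATH= argument would pass through unchanged. Either add a matching case or narrow the header comment so it describes what is actually filtered. The move from $as_echo to printf "%s\n" on the config.nice line follows the same replacement seen in the context of the later hunks.
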
@@ -42,18 +42,18 @@ $NetBSD: patch-configure,v 1.3 2024/03/1
 -
 -    fi
 -  fi
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
--$as_echo "yes" >&6; }
+-  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+-printf "%s\n" "yes" >&6; }
 -
    PHP_VAR_SUBST="$PHP_VAR_SUBST APXS"
  
  else
-@@ -77760,7 +77740,7 @@ $as_echo "#define HAVE_TIDYBUFFIO_H 1" >
+@@ -80460,7 +80440,7 @@ printf "%s\n" "#define HAVE_TIDYBUFFIO_H
    fi
  
    TIDY_LIBDIR=$TIDY_DIR/$PHP_LIBDIR
 -  if test "$TIDY_LIB_NAME" == 'tidyp'; then
 +  if test "$TIDY_LIB_NAME" = 'tidyp'; then
  
- $as_echo "#define HAVE_TIDYP_H 1" >>confdefs.h
+ printf "%s\n" "#define HAVE_TIDYP_H 1" >>confdefs.h
  
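
Review bot: The replacement of "==" with "=" in the test on TIDY_LIB_NAME is still being carried as a local change after the update, which means the non-portable form is still present in the 8.3.5 configure; it is worth reporting upstream so this part of the patch can be dropped later. The inner hunk at -7548 removes 24 lines, but only its tail is visible here, so check the full patch to confirm the removed block is still exactly the maintainer-zts autodetection named in the patch header and nothing else from the regenerated configure.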


