commit: 9d0884c2742132467dce76b72e445ad62c14488d Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org> AuthorDate: Fri Jun 7 14:37:10 2024 +0000 Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> CommitDate: Fri Jun 7 14:37:10 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d0884c2
dev-lang/php: new security releases for all three series CVE-2024-4577, CVE-2024-5458, CVE-2024-5585, etc. Better to just read the ChangeLog: https://www.php.net/ChangeLog-8.php Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org> dev-lang/php/Manifest | 5 +- .../php/{php-8.2.19.ebuild => php-8.1.29.ebuild} | 237 +++++++-------------- .../php/{php-8.2.19.ebuild => php-8.2.20.ebuild} | 0 .../php/{php-8.3.7-r1.ebuild => php-8.3.8.ebuild} | 0 4 files changed, 78 insertions(+), 164 deletions(-) diff --git a/dev-lang/php/Manifest b/dev-lang/php/Manifest index fc7eef5537a2..d558144544a8 100644 --- a/dev-lang/php/Manifest +++ b/dev-lang/php/Manifest @@ -1,6 +1,7 @@ DIST php-8.1.26.tar.xz 11809448 BLAKE2B e1d50f1de572580a207586b3c3b57081f7b9f1b680ffe8f9e82c88c9285af117dd7e9e2576fcb13119176cb9cd02b39481b6f40e9a1df81aa90b8c4d3e59e4b1 SHA512 5bc40077e57c0fccdf17810d688baea416f22ac248bb01b73d2e2590fc4cfabc7001c1c3833281a60870c74178f7b06cbc85474eba695aabf969ad0081a98417 DIST php-8.1.28.tar.xz 11848504 BLAKE2B a5deb596176bcd69c33f239e752ac75e2da1538efe6d2b321802c50ea250214c6d9b59e8a5cb74f97f37c917159ef4fde4ccda4403d6e0a6fe751a19b7687472 SHA512 d56ecac164e00e9514cd3c6c8c453598b323118dc7d7ae7cc14ba0847d50a2e455b2391f52e0d81af325b02d8f73a7d2ed66bf66d068dac4a496d777c83a398f +DIST php-8.1.29.tar.xz 11826292 BLAKE2B 471f85504531c61e534c857a854de2ce9935b263e002deee19c4508390f6b2a11f89a02f55a90d660ee8d537b22a45db057e24373fb17fd2edf45f6e458f0196 SHA512 fd4f75224f71111a4cc40b3015ae70ac57a623326a3299da9ab8bd9dfad4ea27ff345d0eb75f1407d183207e763d372d738bbd8d217d01ec1414d29a547e8ba7 DIST php-8.2.15.tar.xz 12075384 BLAKE2B cef15868968538e232093bd66d862a88f0960325f2274eaf53a3d114d01787c58844aa3bce8bc09a723acd95801e1935a60e79fc189317e7f1ba19196dbfcdc4 SHA512 56c94bcafe07cf4bf5eb5fc6c67fcf16654c44a262ffb18188fc3ffac5e9bb11d39093bfb26c26bc8d2dec7e530d1a175180909262c9b5c30130cf5a4a293166 DIST php-8.2.18.tar.xz 12089400 BLAKE2B 82a4ef0aee7fa66018cb528e6fc2da40f67be2a75449ed85c54881e6725cfa9fe82d6d5655c12d2e92f3fd685479367b7c038df5af0d7a0a122d627c78c50514 SHA512 8bdd6e5aa19dac80745d258a43f7330a3096d47dc66cbef0054b8f9eb9ace5e87d841a4001185a783241a416975753c922425e977f50b2716ce643b6a7bf351f -DIST php-8.2.19.tar.xz 12094184 BLAKE2B ef599fc9faba7137eccd1ad48157ece57f5449c7afbb406e5a3dcda6ae95ef37fe3ffb4e6c60f9d113be144a7ef5305f8c772c7b550c733a0df2a1f51e8c5f0a SHA512 5ba7ab4317f7880a6cea93bf6d3a48d62db6bfcb5682be7e13a6a6f7bd1fef96ca813c2cf95f6b5020756f03b298995d1722367adb2580c1db221a2f9e311038 -DIST php-8.3.7.tar.xz 12456020 BLAKE2B 065b49fbfcf543a14dfbf1bef1b710f241f8a36df9c45518d5ba786ef9c0c0fa0a495974cc69b2d8369e5398844e299d5b6ca2a3d246be9b5ff7edc9fdb2dc85 SHA512 ff2c16a5cc08b1a59a61eee9df75c4c9a6dda7054d48198b75d104c194e934109fed3665005ba798eeca3d7294d7dc81df3a14e63a527baf9f196e229068d9a3 +DIST php-8.2.20.tar.xz 12097568 BLAKE2B 1e38e48ea9c28abfe2c3bd860bc5d959fbe327669c007f2e2a665ae14f5a045f6ad8a0a972f32618f88ea1ff3636c2692504478b5b094b48404d6c4a214f863b SHA512 c659ed4809b6507aa428b483c85c7322815ac9d7d8e4bfe575513a5e69c5a680b8d089fd98a19f83d3a00df3de61468809f21408455913aa24d519776e44abc5 +DIST php-8.3.8.tar.xz 12480896 BLAKE2B 477129fcd766f2235e3d776c923ba51b76539f074245e8041a861db09ebbc648658b2756e6a23051a75a512fdc6e5c129633d1471213dec6f7e24d4da0d317e8 SHA512 1a2840f0b5dcbea6dfcc3894cb9e38d103bf4110c1b956438199deee0b60e5ae63cce34be25ca6f03ac8d26581a852657f8800f92fefe38345e20443b646bb3e diff --git a/dev-lang/php/php-8.2.19.ebuild b/dev-lang/php/php-8.1.29.ebuild similarity index 77% copy from dev-lang/php/php-8.2.19.ebuild copy to dev-lang/php/php-8.1.29.ebuild index 1979464f2d5e..f434f0df4366 100644 --- a/dev-lang/php/php-8.2.19.ebuild +++ b/dev-lang/php/php-8.1.29.ebuild @@ -31,7 +31,7 @@ IUSE="${IUSE} threads" IUSE="${IUSE} acl apparmor argon2 avif bcmath berkdb bzip2 calendar - cdb cjk +ctype curl debug + cdb cjk coverage +ctype curl debug enchant exif ffi +fileinfo +filter firebird +flatfile ftp gd gdbm gmp +iconv imap inifile intl iodbc ipv6 +jit kerberos ldap ldap-sasl libedit lmdb @@ -39,8 +39,8 @@ IUSE="${IUSE} acl apparmor argon2 avif bcmath berkdb bzip2 calendar oci8-instant-client odbc +opcache pcntl pdo +phar +posix postgres qdbm readline selinux +session session-mm sharedmem +simplexml snmp soap sockets sodium spell sqlite ssl - sysvipc systemd test tidy +tokenizer tokyocabinet truetype unicode - valgrind webp +xml xmlreader xmlwriter xpm xslt zip zlib" + sysvipc systemd test tidy +tokenizer tokyocabinet truetype unicode webp + +xml xmlreader xmlwriter xpm xslt zip zlib" # Without USE=readline or libedit, the interactive "php -a" CLI will hang. # The Oracle instant client provides its own incompatible ldap library. @@ -67,7 +67,6 @@ REQUIRED_USE=" mysql? ( || ( mysqli pdo ) ) firebird? ( pdo ) mssql? ( pdo ) - test? ( cli ) " RESTRICT="!test? ( test )" @@ -79,13 +78,14 @@ COMMON_DEPEND=" >=app-eselect/eselect-php-0.9.7[apache2?,fpm?] >=dev-libs/libpcre2-10.30[jit?,unicode] virtual/libcrypt:= - fpm? ( acl? ( sys-apps/acl ) apparmor? ( sys-libs/libapparmor ) selinux? ( sys-libs/libselinux ) ) + fpm? ( acl? ( sys-apps/acl ) apparmor? ( sys-libs/libapparmor ) ) apache2? ( www-servers/apache[apache2_modules_unixd(+),threads=] ) argon2? ( app-crypt/argon2:= ) avif? ( media-libs/libavif:= ) berkdb? ( || ( sys-libs/db:5.3 sys-libs/db:4.8 ) ) bzip2? ( app-arch/bzip2:0= ) cdb? ( || ( dev-db/cdb dev-db/tinycdb ) ) + coverage? ( dev-util/lcov ) curl? ( >=net-misc/curl-7.29.0 ) enchant? ( app-text/enchant:2 ) ffi? ( >=dev-libs/libffi-3.0.11:= ) @@ -118,7 +118,6 @@ COMMON_DEPEND=" tokyocabinet? ( dev-db/tokyocabinet ) truetype? ( =media-libs/freetype-2* ) unicode? ( dev-libs/oniguruma:= ) - valgrind? ( dev-debug/valgrind ) webp? ( media-libs/libwebp:0= ) xml? ( >=dev-libs/libxml2-2.9.0 ) xpm? ( x11-libs/libXpm ) @@ -149,10 +148,12 @@ PHP_MV="$(ver_cut 1)" PATCHES=( "${FILESDIR}/php-iodbc-header-location.patch" "${FILESDIR}/php-capstone-optional.patch" - "${FILESDIR}/php-8.2.8-openssl-tests.patch" + "${FILESDIR}/php-8.1.27-gcc14-libxml.patch" + "${FILESDIR}/php-8.1.27-implicit-decls.patch" + "${FILESDIR}/fix-musl-llvm.patch" ) -# ARM/Windows functions (bug 923335) +# ARM/Windows functions that are expected to be undefined. QA_CONFIG_IMPL_DECL_SKIP=( __crc32d _controlfp @@ -239,120 +240,29 @@ src_prepare() { eautoconf --force eautoheader - # missing skipif; fixed upstream already - rm sapi/cgi/tests/005.phpt || die - - # These three get BORKED on no-ipv6 systems, - # - # https://github.com/php/php-src/pull/11651 - # - rm ext/sockets/tests/mcast_ipv6_recv.phpt \ - ext/sockets/tests/mcast_ipv6_recv_limited.phpt \ - ext/sockets/tests/mcast_ipv6_send.phpt \ - || die - - # fails in a network sandbox, - # - # https://github.com/php/php-src/issues/11662 - # - rm ext/sockets/tests/bug63000.phpt || die - - # expected output needs to be updated, - # - # https://github.com/php/php-src/pull/11648 - # - rm ext/dba/tests/dba_tcadb.phpt || die - - # Two IMAP tests missing SKIPIFs, - # - # https://github.com/php/php-src/pull/11654 - # - rm ext/imap/tests/imap_mutf7_to_utf8.phpt \ - ext/imap/tests/imap_utf8_to_mutf7_basic.phpt \ - || die - - # broken upstream with icu-73.x, - # - # https://github.com/php/php-src/issues/11128 - # - rm ext/intl/tests/calendar_clear_variation1.phpt || die - - # overly sensitive to INI values; fixes sent upstream: - # - # https://github.com/php/php-src/pull/11631 - # - rm ext/session/tests/{bug74514,bug74936,gh7787}.phpt || die - - # This is sensitive to the current "nice" level: - # - # https://github.com/php/php-src/issues/11630 - # - rm ext/standard/tests/general_functions/proc_nice_basic.phpt || die - - # Tests ignoring the "-n" flag we pass to run-tests.php, - # - # https://github.com/php/php-src/pull/11669 - # - rm ext/standard/tests/file/bug60120.phpt \ - ext/standard/tests/general_functions/proc_open_null.phpt \ - ext/standard/tests/general_functions/proc_open_redirect.phpt \ - ext/standard/tests/general_functions/proc_open_sockets1.phpt \ - ext/standard/tests/general_functions/proc_open_sockets2.phpt \ - ext/standard/tests/general_functions/proc_open_sockets3.phpt \ - ext/standard/tests/ini_info/php_ini_loaded_file.phpt \ - sapi/cli/tests/016.phpt \ - sapi/cli/tests/023.phpt \ - sapi/cli/tests/bug65275.phpt \ - sapi/cli/tests/bug74600.phpt \ - sapi/cli/tests/bug78323.phpt \ - || die - - # Same TEST_PHP_EXTRA_ARGS (-n) issue with this one, but it's - # already been fixed upstream. - rm sapi/cli/tests/017.phpt || die - - # Most Oracle tests are borked, - # - # * https://github.com/php/php-src/issues/11804 - # * https://github.com/php/php-src/pull/11820 - # * https://github.com/php/php-src/issues/11819 - # - rm ext/oci8/tests/*.phpt || die - - # https://github.com/php/php-src/issues/12801 - rm ext/pcre/tests/gh11374.phpt || die - - # This is a memory usage test with hard-coded limits. Whenever the - # limits are surpassed... they get increased... but in the meantime, - # the tests fail. This is not really a test that end users should - # be running pre-install, in my opinion. Bug 927461. - rm ext/fileinfo/tests/bug78987.phpt || die - - # glibc-2.39 compatibility, fixed upstream in - # https://github.com/php/php-src/pull/14097 - rm ext/standard/tests/strings/setlocale_variation3.phpt || die - - # The expected warnings aren't triggered in this test because we - # define session.save_path on the CLI: - # - # https://github.com/php/php-src/issues/14368 - # - rm ext/session/tests/gh13856.phpt || die + # Remove false positive test failures + # stream_isatty fails due to portage redirects + # curl tests here fail for network sandbox issues + # session tests here fail because we set the session directory to $T + rm tests/output/stream_isatty_err.phpt \ + tests/output/stream_isatty_out-err.phpt \ + tests/output/stream_isatty_out.phpt \ + ext/curl/tests/bug76675.phpt \ + ext/curl/tests/bug77535.phpt \ + ext/curl/tests/curl_error_basic.phpt \ + ext/session/tests/bug74514.phpt \ + ext/session/tests/bug74936.phpt \ + ext/fileinfo/tests/bug78987.phpt || die } src_configure() { addpredict /usr/share/snmp/mibs/.index #nowarn addpredict /var/lib/net-snmp/mib_indexes #nowarn - # https://bugs.gentoo.org/866683, https://bugs.gentoo.org/913527 - filter-lto - PHP_DESTDIR="${EPREFIX}/usr/$(get_libdir)/php${SLOT}" - # Don't allow ./configure to detect and use an existing version - # of PHP; this can lead to all sorts of weird unpredictability - # as in bug 900210. - export ac_cv_prog_PHP="" + # https://bugs.gentoo.org/866683, https://bugs.gentoo.org/913527 + filter-lto # The php-fpm config file wants localstatedir to be ${EPREFIX}/var # and not the Gentoo default ${EPREFIX}/var/lib. See bug 572002. @@ -365,7 +275,6 @@ src_configure() { --localstatedir="${EPREFIX}/var" --without-pear --without-valgrind - --with-external-libcrypt $(use_enable threads zts) ) @@ -380,6 +289,7 @@ src_configure() { $(use_enable bcmath) $(use_with bzip2 bz2 "${EPREFIX}/usr") $(use_enable calendar) + $(use_enable coverage gcov) $(use_enable ctype) $(use_with curl) $(use_enable xml dom) @@ -406,7 +316,6 @@ src_configure() { $(use_enable opcache) $(use_with postgres pgsql "${EPREFIX}/usr") $(use_enable posix) - $(use_with selinux fpm-selinux) $(use_with spell pspell "${EPREFIX}/usr") $(use_enable simplexml) $(use_enable sharedmem shmop) @@ -427,7 +336,6 @@ src_configure() { $(use_with zip) $(use_with zlib zlib "${EPREFIX}/usr") $(use_enable debug) - $(use_with valgrind) ) # DBA support @@ -476,7 +384,7 @@ src_configure() { fi # MySQL support - our_conf+=( $(use_with mysqli) ) + our_conf+=( $(use_with mysqli mysqli "mysqlnd") ) local mysqlsock="${EPREFIX}/var/run/mysqld/mysqld.sock" if use mysql || use mysqli ; then @@ -556,16 +464,9 @@ src_configure() { # Support the Apache2 extras, they must be set globally for all # SAPIs to work correctly, especially for external PHP extensions - # Create separate build trees for each enabled SAPI. The upstream - # build system doesn't do this, but we have to do it to use a - # different php.ini for each SAPI (see --with-config-file-path and - # --with-config-file-scan-dir below). The path winds up define'd - # in main/build-defs.h which is included in main/php.h which is - # included by basically everything; so, avoiding a rebuild after - # changing it is not an easy job. local one_sapi local sapi - mkdir "${WORKDIR}/sapis-build" || die + mkdir -p "${WORKDIR}/sapis-build" || die for one_sapi in $SAPIS ; do use "${one_sapi}" || continue php_set_ini_dir "${one_sapi}" @@ -575,6 +476,7 @@ src_configure() { # based on the autotools-utils eclass. BUILD_DIR="${WORKDIR}/sapis-build/${one_sapi}" cp -a "${S}" "${BUILD_DIR}" || die + cd "${BUILD_DIR}" || die local sapi_conf=( --with-config-file-path="${PHP_INI_DIR}" @@ -613,7 +515,6 @@ src_configure() { myeconfargs+=( "${sapi_conf[@]}" ) pushd "${BUILD_DIR}" > /dev/null || die - einfo "Running econf in ${BUILD_DIR}" econf "${myeconfargs[@]}" popd > /dev/null || die done @@ -624,20 +525,13 @@ src_compile() { addpredict /usr/share/snmp/mibs/.index #nowarn addpredict /var/lib/net-snmp/mib_indexes #nowarn - if use oci8-instant-client && use kerberos && use imap && use phar; then - # A conspiracy takes place when the first three of these flags - # are set together, causing the newly-built "php" to open - # /dev/urandom with mode rw when it starts. That's not actually - # a problem... unless you also have USE=phar, which runs that - # "php" to build some phar thingy in src_compile(). Later in - # src_test(), portage (at least) sets "addpredict /" so the - # problem does not repeat. - addpredict /dev/urandom #nowarn - fi - local sapi for sapi in ${SAPIS} ; do - use "${sapi}" && emake -C "${WORKDIR}/sapis-build/${sapi}" + if use "${sapi}"; then + cd "${WORKDIR}/sapis-build/$sapi" || \ + die "Failed to change dir to ${WORKDIR}/sapis-build/$1" + emake + fi done } @@ -760,13 +654,14 @@ src_install() { } src_test() { - export TEST_PHP_EXECUTABLE="${WORKDIR}/sapis-build/cli/sapi/cli/php" - - # Sometimes when the sub-php launches a sub-sub-php, it uses these. - # Without an "-n" in all instances, the *live* php.ini can be loaded, - # pulling in *live* zend extensions. And those can be incompatible - # with the thing we just built. - export TEST_PHP_EXTRA_ARGS="-n" + echo ">>> Test phase [test]: ${CATEGORY}/${PF}" + PHP_BIN="${WORKDIR}/sapis-build/cli/sapi/cli/php" + if [[ ! -x "${PHP_BIN}" ]] ; then + ewarn "Test phase requires USE=cli, skipping" + return + else + export TEST_PHP_EXECUTABLE="${PHP_BIN}" + fi if [[ -x "${WORKDIR}/sapis-build/cgi/sapi/cgi/php-cgi" ]] ; then export TEST_PHP_CGI_EXECUTABLE="${WORKDIR}/sapis-build/cgi/sapi/cgi/php-cgi" @@ -776,22 +671,40 @@ src_test() { export TEST_PHPDBG_EXECUTABLE="${WORKDIR}/sapis-build/phpdbg/sapi/phpdbg/phpdbg" fi - # The sendmail override prevents ext/imap/tests/bug77020.phpt from - # actually trying to send mail, and will be fixed upstream soon: - # - # https://github.com/php/php-src/issues/11629 - # - # The IO capture tests need to be disabled because they fail when - # std{in,out,err} are redirected (as they are within portage). - # - # One -n applies to the top-level "php", while the other applies - # to any sub-php that get invoked by the test runner. - SKIP_IO_CAPTURE_TESTS=1 SKIP_PERF_SENSITIVE=1 REPORT_EXIT_STATUS=1 \ - "${TEST_PHP_EXECUTABLE}" -n \ - "${WORKDIR}/sapis-build/cli/run-tests.php" --offline -n -q \ - -d "session.save_path=${T}" \ - -d "sendmail_path=echo >/dev/null" \ - || die "tests failed" + SKIP_ONLINE_TESTS=1 REPORT_EXIT_STATUS=1 "${TEST_PHP_EXECUTABLE}" -n -d \ + "session.save_path=${T}" \ + "${WORKDIR}/sapis-build/cli/run-tests.php" -n -q -d \ + "session.save_path=${T}" + + for name in ${EXPECTED_TEST_FAILURES}; do + mv "${name}.out" "${name}.out.orig" 2>/dev/null || die + done + + local failed="$(find -name '*.out')" + if [[ ${failed} != "" ]] ; then + ewarn "The following test cases failed unexpectedly:" + for name in ${failed}; do + ewarn " ${name/.out/}" + done + else + einfo "No unexpected test failures, all fine" + fi + + if [[ ${PHP_SHOW_UNEXPECTED_TEST_PASS} == "1" ]] ; then + local passed="" + for name in ${EXPECTED_TEST_FAILURES}; do + [[ -f "${name}.diff" ]] && continue + passed="${passed} ${name}" + done + if [[ ${passed} != "" ]] ; then + einfo "The following test cases passed unexpectedly:" + for name in ${passed}; do + ewarn " ${passed}" + done + else + einfo "None of the known-to-fail tests passed, all fine" + fi + fi } pkg_postinst() { diff --git a/dev-lang/php/php-8.2.19.ebuild b/dev-lang/php/php-8.2.20.ebuild similarity index 100% rename from dev-lang/php/php-8.2.19.ebuild rename to dev-lang/php/php-8.2.20.ebuild diff --git a/dev-lang/php/php-8.3.7-r1.ebuild b/dev-lang/php/php-8.3.8.ebuild similarity index 100% rename from dev-lang/php/php-8.3.7-r1.ebuild rename to dev-lang/php/php-8.3.8.ebuild
