buildroot/package/php, branch 2019.02-op-build

package/php: security bump to version 7.3.3

2019-03-25T16:38:51+00:00

php-7.3.3 fixes a number of security issues (no CVE known, bugtracker issues not yet public): https://secure.php.net/ChangeLog-7.php#7.3.3 Drop 0004-OPcache-flock-mechanism-is-obviously-linux-so-force-.patch as the flock detection has been removed since commit 9222702633 (Avoid dependency on "struct flock" fields order.) Signed-off-by: Peter Korsgaard Signed-off-by: Thomas Petazzoni (cherry picked from commit b821ae3d63440258808e413b1ace53639066046a) Signed-off-by: Peter Korsgaard

package/php: security bump to version 7.3.2

2019-02-10T09:48:51+00:00

Rebased patch 0004. This bump fixes https://bugs.php.net/bug.php?id=77369, status of CVE-ID: needed Signed-off-by: Bernd Kuhls Signed-off-by: Peter Korsgaard

unixodbc: needs dynamic library

2019-01-19T21:40:18+00:00

Fixes: - http://autobuild.buildroot.org/results/1036ee061ce7f7747d5514c61866da60bcfae769 Signed-off-by: Fabrice Fontaine [Peter: propagate to PHP_EXT_PDO_UNIXODBC as well] Signed-off-by: Peter Korsgaard

php: security bump to 7.3.1

2019-01-19T21:34:19+00:00

Fixes the following security issue: - CVE-2018-19935: Allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function. https://www.cvedetails.com/cve/CVE-2018-19935/ Signed-off-by: Adam Duskett Signed-off-by: Peter Korsgaard

php: switch to pcre2

2019-01-19T21:33:57+00:00

php moved from pcre to pcre2 since bump to version 7.3 and http://github.com/php/php-src/commit/a5bc5aed71f7a15f14f33bb31b8e17bf5f327e2d This fixes a build failure: without this change, if BR2_PACKAGE_PCRE is set, external pcre support in php is (wrongly) enabled with --with-pcre-regex but because pcre2 was not found, php fallbacks on built-in pcre2 without the "SLJIT_SINGLE_THREADED hack" Fixes: - http://autobuild.buildroot.org/results/40ef339019203d2cc49d388e222cf17c3ca37944 Signed-off-by: Fabrice Fontaine Signed-off-by: Peter Korsgaard

Revert "package/php: fix building pcre extension"

2019-01-19T21:33:43+00:00

This reverts commit 745f884e41b5f350296e8448f5fc31d20f67a077. This was the wrong fix: issue is that php moves from pcre to pcre2 since version 7.3.0 and http://github.com/php/php-src/commit/a5bc5aed71f7a15f14f33bb31b8e17bf5f327e2d This patch will always disable external pcre2 support and raise a build failure when toolchaine does not have pthread Signed-off-by: Fabrice Fontaine Signed-off-by: Peter Korsgaard

package/php: fix building pcre extension

2019-01-10T22:03:38+00:00

The configure option "--with-pcre-regex=$(STAGING_DIR)/usr" is broken. PHP will prepend $(STAGING_DIR)/usr to the paths, which will cause a failure because it won't be able to find pcre, and will then fallback to searching for pcre2, which won't be installed. Removing "=$(STAGING_DIR)/usr" from --with-pcre-regex fixes the issue. Fixes: http://autobuild.buildroot.net/results/586/586f56e8fcf2d2bbbd3bdf69b1c3befff7ce8bbf Signed-off-by: Adam Duskett Tested-by: Mark Corbin Signed-off-by: Arnout Vandecappelle (Essensium/Mind)

package/php: bump version to 7.3.0

2018-12-28T13:04:00+00:00

Other changes: - Update patches so they cleanly apply. - Remove patch 5, as it no longer applies. - Remove conf env option ac_cv_func_strcasestr=yes because of the above. - libzip is no longer bundled with php, because of this, libzip must now be selected and depended on if the zip extension is selected. Signed-off-by: Adam Duskett Signed-off-by: Thomas Petazzoni

package/php: fix building curl extension

2018-12-28T12:53:07+00:00

The configure option "--with-curl=$(STAGING_DIR)/usr" is broken. PHP will detect libcurl.pc, which will pass the configure checks, but will then prepend $(STAGING_DIR)/usr to the paths in libcurl.pc. Thus php will then search $(STAGING_DIR)/usr/$(STAGING_DIR)/usr/lib/ for curl libraries during linking, which causes linking errors. Removing "=$(STAGING_DIR)/usr" from --with-curl fixes the issue. Fixes: http://autobuild.buildroot.net/results/44b9ea1edca85b222a117a8e241a26b8dce33929/ Signed-off-by: Adam Duskett Signed-off-by: Thomas Petazzoni

php: security bump to version 7.2.13

2018-12-08T09:55:53+00:00

Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument. Signed-off-by: Peter Korsgaard