Since 2008 pcre is a hard-dependency of php:
aa64c6727c
Instead of optionally depending on the pcre2 package and building the
bundled pcre2 code of php in case BR2_PACKAGE_PCRE2 was not selected
we let php depend on pcre2.
While being at it rename the pcre-related configure option due to
upstream commit:
c1a22f3d4e
Fixes:
http://autobuild.buildroot.net/results/4a5/4a582af6b66c59a61b75a7047d8530202972ebdd/
because the pcre2 package already contains the fix for mips r6.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[yann.morin.1998@free.fr: keep the JIT option]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
IV is actually used. This can lead to both decreased security and
incorrect encryption data.
- Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
cookie values, the cookie names are url-decoded. This may lead to
cookies with prefixes like __Host confused with cookies that decode to
such prefix, thus leading to an attacker being able to forge cookie
which is supposed to be secure. See also CVE-2020-8184 for more
information.
https://www.php.net/ChangeLog-7.php#7.4.11
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
hash extension can't be disabled since version 7.4.0 and
bf34442581
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
--with-libxml-dir has been dropped since version 7.4.0 and
29d1b7fd52
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
FFI support in php has been added with commit
e16f05c0f0, it depends on dynamic library
otherwise the build will fail on:
/home/buildroot/autobuild/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/5.5.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: ext/ffi/ffi.o: in function `zim_FFI_cdef':
ffi.c:(.text+0xe78): undefined reference to `DL_LOAD'
Fixes:
- http://autobuild.buildroot.org/results/3380b7b6777d1c5fcb53c855b003466fa3bf2079
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Changelog of this bugfix release:
https://www.php.net/ChangeLog-7.php#7.4.9
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Quoting https://www.php.net/
"For windows users running an official build, this release contains a
patched version of libcurl addressing CVE-2020-8159.
For all other consumers of PHP, this is a bug fix release."
Changelog: https://www.php.net/ChangeLog-7.php#7.4.8
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Changelog: https://www.php.net/ChangeLog-7.php#7.4.7
Contrary to the release notification on the mailinglist
https://news-web.php.net/php.announce/287
which declares this release as "security bug fix release" no CVE IDs
could be found on the bugtracker entries mentioned in the Changelog.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Due to migration to pkg-config in php 7.4, the detection of
library dependencies has been changed.
source from php.net:
--with-gd becomes --enable-gd
--with-png-dir has been removed. libpng is required.
--with-zlib-dir has been removed. zlib is required.
--with-freetype-dir becomes --with-freetype
--with-jpeg-dir becomes --with-jpeg
Signed-off-by: Louis Aussedat <aussedat.louis@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
since php7.4, --enable-zip becomes --with-zip due to
migration to pkg-config.
Signed-off-by: Louis Aussedat <aussedat.louis@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The aarch64 compile uses the sys/auxv.h header which is not
provided by ulcibc-ng. Add configure.ac patch to check for
the header before using it in ext/standard/crc32.c.
Fixes:
https://bugs.busybox.net/show_bug.cgi?id=12626
build/php-7.4.3/ext/standard/crc32.c:26:12: schwerwiegender Fehler: sys/auxv.h: Datei oder Verzeichnis nicht gefunden
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
A trailing whitespace was added by commit
26c16e9d5b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
patch 0005 has been sourced from upstream, and can be dropped when
7.4.3 is released.
The mbstrings module used to use a bundled oniguruma library, but now
uses an external one, hence the new dependency on this package for the
mbstrings module.
The hash of the license file has changed due to this change in the
copyright year:
-Copyright (c) 1999 - 2018 The PHP Group. All rights reserved.
+Copyright (c) 1999 - 2019 The PHP Group. All rights reserved.
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
the upstream php-fpm sample configuration is placed in
/etc/php-fpm.d/www.conf.default
in recent version of php, so adjust the build cleanup
accordingly
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
[yann.morin.1998@free.fr: only remove the file, not the directory]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Release notes of this bugfix release:
https://www.php.net/ChangeLog-7.php#7.3.12
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To support using multiple php configuration files, we pass
--with-config-file-scan-dir=/etc/php.d. This allows to put snippets of
PHP configuration files in /etc/php.d.
For php option details see link at [1].
[1] https://www.php.net/manual/en/configuration.file.php
Signed-off-by: Dan Walkes <danwalkes@trellis-logic.com>
[Thomas: make it unconditional]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
... so we can drop all config options about it and previous versions.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Globally change Adam Duskett's email address to aduskett@gmail.com.
Note that one or two of the patches may have been applied upstream with
the old email address, but in that case those patches will anyway be
removed when bumping.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This patch adds ac_cv_have_pcre2_jit cache variable to avoid
the tests running on the host system during cross-compiling.
Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Changelog: https://www.php.net/ChangeLog-7.php#7.3.4
Fixes these bugs, CVE-ID were not assigned yet:
Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s).
Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
php-7.3.3 fixes a number of security issues (no CVE known, bugtracker issues
not yet public): https://secure.php.net/ChangeLog-7.php#7.3.3
Drop 0004-OPcache-flock-mechanism-is-obviously-linux-so-force-.patch as the
flock detection has been removed since commit 9222702633 (Avoid dependency
on "struct flock" fields order.)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Rebased patch 0004.
This bump fixes https://bugs.php.net/bug.php?id=77369,
status of CVE-ID: needed
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2018-19935: Allows remote attackers to cause a denial of service
(NULL pointer dereference and application crash) via an empty string in the
message argument to the imap_mail function.
https://www.cvedetails.com/cve/CVE-2018-19935/
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
php moved from pcre to pcre2 since bump to version 7.3 and
a5bc5aed71
This fixes a build failure: without this change, if BR2_PACKAGE_PCRE is
set, external pcre support in php is (wrongly) enabled with
--with-pcre-regex but because pcre2 was not found, php fallbacks on
built-in pcre2 without the "SLJIT_SINGLE_THREADED hack"
Fixes:
- http://autobuild.buildroot.org/results/40ef339019203d2cc49d388e222cf17c3ca37944
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 745f884e41.
This was the wrong fix: issue is that php moves from pcre to pcre2 since
version 7.3.0 and
a5bc5aed71
This patch will always disable external pcre2 support and raise a build
failure when toolchaine does not have pthread
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>