[php-maint] Re: packages for sarge?

Martin Schulze joey at infodrom.org
Thu Aug 25 09:19:18 UTC 2005


Steve Langasek wrote:
> On Wed, Aug 24, 2005 at 06:44:33PM -0700, Steve Langasek wrote:
> > On Wed, Aug 24, 2005 at 06:51:47PM +0200, Martin Schulze wrote:
> > > Zoran Dzelajlija wrote:
> > > > CC-ing the security team as suggested on #debian.
> 
> > > > Explanation: this security related bug in XML_RPC, part of php4-pear
> > > > package, has been closed by an upload to unstable, but the version in
> > > > sarge is still affected.
> 
> > > > Quoting Zoran Dzelajlija (jelly at srce.hr):
> > > > > Hi, any word of a sarge release to cover CAN-2005-1921 and, to kill two
> > > > > flies, the new XML_RPC bug CAN-2005-2498?  I've applied Ubuntu's
> > > > > patches for both to a local build without much hassle...
> 
> > > > > Also, is there some user-friendly documentation about the new BTS
> > > > > features (found vs. tagging for sarge)?  Should this bug be reopened
> > > > > until sarge gets a fix for these vulnerabilities?
> 
> > > Are you able to extract a clean patch to fix the problem?  We may
> > > also need to update oldstable at the same time.
> 
> > I have a 4:4.3.10-16 for sarge here that includes cleanly separated patches
> > for the security bugs; packages will be available for download soon.
> > TTBOMK, woody did not include any XML_RPC PEAR code and so is not vulnerable
> > to those bugs, but I'll check it out to be sure.
> 
> Confirmed.  woody's version of php4-pear included XML/Parser, but not
> XML/RPC.  The php4-dev package does include shtool, so it may be vulnerable
> to 2005-1751; the patch for this is attached, in case you have a chance to
> roll it into a package before we do.

Done.

> Anyway, signed packages for sarge (4:4.3.10-16) are on their way up to
> <people.debian.org/~vorlon/php4/>.

Thanks a lot!

When I look at the diff:

--- php4-4.3.10/debian/rules
+++ php4-4.3.10/debian/rules
@@ -319,6 +319,10 @@
        chmod 755 $(CURDIR)/debian/php4-pear/usr/share/php/tests/DB/tests/driver/run.cvs
        chmod 755 $(CURDIR)/debian/php4-pear/usr/share/php/tests/DB/tests/run.cvs

+       # PEAR security patches
+       patch -p0 < debian/patches/PEAR-CAN_2005_1921_xmlrpc.nopatch
+       patch -p0 < debian/patches/PEAR-CAN_2005_2498_xmlrpc.nopatch
+
        # install extensions
        ext=`./debian/libapache-mod-php4/usr/bin/php-config --extension-dir`;\
        for i in libapache-mod-php4 libapache2-mod-php4 php4-cgi php4-cli; do \
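Review bot: the two `patch -p0 < debian/patches/...nopatch` lines added at the top of this hunk run unconditionally inside the install rule, so any second invocation of the target without an intervening clean will hit files that are already patched and GNU patch will stop to ask whether to reverse them (or fail), with nothing in the rule to guard against it; if they have to stay here, at least pass `--forward` (`-N`) and `--batch` (`-t`) so the build never blocks on a prompt. The better fix is to keep them with the rest of the security fixes under the regular debian/patches mechanism instead of a `.nopatch` suffix that hides them from it, so that all CAN-2005-* changes are applied and tracked in one place.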
only in patch2:

I wonder where php4-4.3.10/debian/patches/CAN-2005-1751-1759.patch
gets applied.

Hmm, maybe that's the regular debian/patches mechanism?  Then I'm
asking the other way round, why do you mix debian/patches/*.patch
and *.nopatch?  That will only make maintenance more difficult in
the future.

Regards,

	Joey

-- 
The MS-DOS filesystem is nice for removable media.  -- H. Peter Anvin
