php: Fix CVE-2018-17082 (release-18.09) #50505

Closed

Ekleog (Member) commented Nov 17, 2018

php: 7.2.10 -> 7.2.12, 7.1.22 -> 7.1.24

Also make Darwin align itself to Linux versions, due to CVE-2018-17082 forcing our hand on this. This means Darwin must compile without intl.

Based on commit 2833966, with the change that here we refuse to build if the user doesn't manually disable intl.

See [1] for the reasoning.

[1] #50511 (comment)

Motivation for this change
Things done

Tested with echo '<?php echo "hi\na\n";' | ./result/bin/php with both php71 and php72

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

timokau (Member) commented Nov 17, 2018

@GrahamcOfBorg build php71 php72
@GrahamcOfBorg test owncloud elk

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: php71, php72

/nix/store/3ra8ml2afilrmay5x0b77vy8x2l279bb-php-7.2.12/bin/php-config: interpreter directive changed from " /bin/sh" to "/nix/store/fqm2x6kiay1q4vg7pqp4wp17bdijlyc3-bash-4.4-p23/bin/sh"
/nix/store/3ra8ml2afilrmay5x0b77vy8x2l279bb-php-7.2.12/bin/phpize: interpreter directive changed from "/bin/sh" to "/nix/store/fqm2x6kiay1q4vg7pqp4wp17bdijlyc3-bash-4.4-p23/bin/sh"
checking for references to /build in /nix/store/3ra8ml2afilrmay5x0b77vy8x2l279bb-php-7.2.12...
moving /nix/store/3ra8ml2afilrmay5x0b77vy8x2l279bb-php-7.2.12/sbin/* to /nix/store/3ra8ml2afilrmay5x0b77vy8x2l279bb-php-7.2.12/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/dvx6nsvir2imrkwrn44hqg71h3i3vkyf-php-7.2.12-dev
strip is /nix/store/y4ymnvgxygpq05h03kyzbj572zmh6zla-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/dvx6nsvir2imrkwrn44hqg71h3i3vkyf-php-7.2.12-dev
checking for references to /build in /nix/store/dvx6nsvir2imrkwrn44hqg71h3i3vkyf-php-7.2.12-dev...
/nix/store/yspq8pl08lhyvp5x8ppzakbnanqp4jn0-php-7.1.24
/nix/store/3ra8ml2afilrmay5x0b77vy8x2l279bb-php-7.2.12

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: tests.owncloud, tests.elk

web: exit status 1
syncing
web: running command: sync
web: exit status 0
test script finished in 46.87s
cleaning up
killing web (pid 631)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/lxdc15xfk69r3k7ny0dww50my0wx1jbl-vm-test-run-owncloud

@GrahamcOfBorg

Failure on x86_64-darwin (full log)

Attempted: php71, php72

/private/tmp/nix-build-php-7.2.12.drv-0/php-7.2.12/main/php_config.h:2625:24: note: expanded from macro 'zend_finite'
#define zend_finite(a) finite(a)
                       ^
/nix/store/qjmqrzk8nhn5maa093fhl3finczz72lw-libc++-5.0.2/include/c++/v1/math.h:439:1: note: 'isfinite' declared here
isfinite(_A1 __lcpp_x) _NOEXCEPT
^
2 errors generated.
make: *** [Makefile:1167: ext/intl/intl_convertcpp.lo] Error 1
builder for '/nix/store/s5k5l4c4m4fbzhvma5n65m851406w719-php-7.2.12.drv' failed with exit code 2
error: build of '/nix/store/afj6qpnpazyzw78z1vib9fl7dczx4hik-php-7.1.24.drv', '/nix/store/s5k5l4c4m4fbzhvma5n65m851406w719-php-7.2.12.drv' failed

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: tests.owncloud, tests.elk

web: exit status 1
syncing
web: running command: sync
web: exit status 0
test script finished in 36.51s
cleaning up
killing web (pid 597)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/hmhnr8pmww9yjj9hpa28qc1ahpzs0wz9-vm-test-run-owncloud

Ekleog force-pushed the php-cve-2018-17082-18.09 branch 2 times, most recently from ae66a1b to 6ac0fda, on November 17, 2018 15:46
Ekleog changed the title from "WIP: php: Fix CVE-2018-17082" to "php: Fix CVE-2018-17082" on Nov 17, 2018

Ekleog (Member, Author) commented Nov 17, 2018

This is now a backport of #50511, with intl disabled on darwin to a priori work around the issue.

Ekleog changed the title from "php: Fix CVE-2018-17082" to "php: Fix CVE-2018-17082 (release-18.09)" on Nov 17, 2018

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: php71, php72

/nix/store/rmp83yhvlllmrqicsd6zhhvi2i9a110i-php-7.2.12/bin/peardev: interpreter directive changed from "/bin/sh" to "/nix/store/czx8vkrb9jdgjyz8qfksh10vrnqa723l-bash-4.4-p23/bin/sh"
/nix/store/rmp83yhvlllmrqicsd6zhhvi2i9a110i-php-7.2.12/bin/pecl: interpreter directive changed from "/bin/sh" to "/nix/store/czx8vkrb9jdgjyz8qfksh10vrnqa723l-bash-4.4-p23/bin/sh"
checking for references to /build in /nix/store/rmp83yhvlllmrqicsd6zhhvi2i9a110i-php-7.2.12...
moving /nix/store/rmp83yhvlllmrqicsd6zhhvi2i9a110i-php-7.2.12/sbin/* to /nix/store/rmp83yhvlllmrqicsd6zhhvi2i9a110i-php-7.2.12/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/89an60y5qc3pz02b5xk0z4jqspzgjz8k-php-7.2.12-dev
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/89an60y5qc3pz02b5xk0z4jqspzgjz8k-php-7.2.12-dev
checking for references to /build in /nix/store/89an60y5qc3pz02b5xk0z4jqspzgjz8k-php-7.2.12-dev...
/nix/store/dw7qpindd3wg5ppysg3j1zf0pzmsy09p-php-7.1.24
/nix/store/rmp83yhvlllmrqicsd6zhhvi2i9a110i-php-7.2.12

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: php

/nix/store/rmp83yhvlllmrqicsd6zhhvi2i9a110i-php-7.2.12

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: php

/nix/store/3ra8ml2afilrmay5x0b77vy8x2l279bb-php-7.2.12

timokau (Member) commented Nov 17, 2018

@GrahamcOfBorg build php71 php72
@GrahamcOfBorg test owncloud elk

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: php71, php72

/nix/store/yspq8pl08lhyvp5x8ppzakbnanqp4jn0-php-7.1.24
/nix/store/3ra8ml2afilrmay5x0b77vy8x2l279bb-php-7.2.12

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: tests.owncloud, tests.elk

web: exit status 1
syncing
web: running command: sync
web: exit status 0
test script finished in 46.54s
cleaning up
killing web (pid 631)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/0sr45z4b20qfiya6422pm465mw0d3xx8-vm-test-run-owncloud

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: php71, php72

/nix/store/dw7qpindd3wg5ppysg3j1zf0pzmsy09p-php-7.1.24/lib/build/shtool: interpreter directive changed from "/bin/sh" to "/nix/store/czx8vkrb9jdgjyz8qfksh10vrnqa723l-bash-4.4-p23/bin/sh"
/nix/store/dw7qpindd3wg5ppysg3j1zf0pzmsy09p-php-7.1.24/lib/build/config.sub: interpreter directive changed from " /bin/sh" to "/nix/store/czx8vkrb9jdgjyz8qfksh10vrnqa723l-bash-4.4-p23/bin/sh"
checking for references to /build in /nix/store/dw7qpindd3wg5ppysg3j1zf0pzmsy09p-php-7.1.24...
moving /nix/store/dw7qpindd3wg5ppysg3j1zf0pzmsy09p-php-7.1.24/sbin/* to /nix/store/dw7qpindd3wg5ppysg3j1zf0pzmsy09p-php-7.1.24/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/1sgzp1h0asmbc6g9xqdh6s3n6nq104x3-php-7.1.24-dev
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/1sgzp1h0asmbc6g9xqdh6s3n6nq104x3-php-7.1.24-dev
checking for references to /build in /nix/store/1sgzp1h0asmbc6g9xqdh6s3n6nq104x3-php-7.1.24-dev...
/nix/store/dw7qpindd3wg5ppysg3j1zf0pzmsy09p-php-7.1.24
/nix/store/rmp83yhvlllmrqicsd6zhhvi2i9a110i-php-7.2.12

@GrahamcOfBorg

Success on x86_64-darwin (full log)

Attempted: php71, php72

/nix/store/yjhlw50ghvhsb7v3safc2anzkrkhgnv1-php-7.2.12/bin/php-config: interpreter directive changed from " /bin/sh" to "/nix/store/cblfnvb5rmhd2z231mqasn0brzh1hhv4-bash-4.4-p23/bin/sh"
/nix/store/yjhlw50ghvhsb7v3safc2anzkrkhgnv1-php-7.2.12/bin/phpize: interpreter directive changed from "/bin/sh" to "/nix/store/cblfnvb5rmhd2z231mqasn0brzh1hhv4-bash-4.4-p23/bin/sh"
/nix/store/yjhlw50ghvhsb7v3safc2anzkrkhgnv1-php-7.2.12/lib/build/config.guess: interpreter directive changed from " /bin/sh" to "/nix/store/cblfnvb5rmhd2z231mqasn0brzh1hhv4-bash-4.4-p23/bin/sh"
/nix/store/yjhlw50ghvhsb7v3safc2anzkrkhgnv1-php-7.2.12/lib/build/config.sub: interpreter directive changed from " /bin/sh" to "/nix/store/cblfnvb5rmhd2z231mqasn0brzh1hhv4-bash-4.4-p23/bin/sh"
/nix/store/yjhlw50ghvhsb7v3safc2anzkrkhgnv1-php-7.2.12/lib/build/shtool: interpreter directive changed from "/bin/sh" to "/nix/store/cblfnvb5rmhd2z231mqasn0brzh1hhv4-bash-4.4-p23/bin/sh"
moving /nix/store/yjhlw50ghvhsb7v3safc2anzkrkhgnv1-php-7.2.12/sbin/* to /nix/store/yjhlw50ghvhsb7v3safc2anzkrkhgnv1-php-7.2.12/bin
strip is /nix/store/df6k4mgdjxciy0f637lryp7c9ln7n1m3-cctools-binutils-darwin/bin/strip
patching script interpreter paths in /nix/store/ssl4pbmy9hq1s00dnbpk8gy4hkxzghzy-php-7.2.12-dev
/nix/store/zkf3k16l1wv87rzk2qqjfdvswyaarfg8-php-7.1.24
/nix/store/yjhlw50ghvhsb7v3safc2anzkrkhgnv1-php-7.2.12

@GrahamcOfBorg

Failure on x86_64-linux (full log)

Attempted: tests.owncloud, tests.elk

web# [  378.675047] systemd[1]: Starting Apache HTTPD...
web: exit status 0
error: unit ‘postgresql’ reached state ‘failed’
unit ‘postgresql’ reached state ‘failed’
cleaning up
killing web (pid 600)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
builder for '/nix/store/ag0m16pp2abispfnv21h4c9ciazfp9in-vm-test-run-owncloud.drv' failed with exit code 255
error: build of '/nix/store/ag0m16pp2abispfnv21h4c9ciazfp9in-vm-test-run-owncloud.drv' failed

Ekleog (Member, Author) commented Nov 18, 2018

@timokau Thank you for the test! So the error on x86_64 is likely not a problem, it's postgresql failing to start, so very unlikely to be caused by this PR (unless postgresql depends on php somehow) :)

So I guess that's waiting on the discussion from #50511

Also make Darwin align itself to Linux versions, due to CVE-2018-17082
forcing our hand on this. This means Darwin must compile without intl.

Based on commit 283396658a69f5a4ed3d832bc849c53fa8e05ce1, with the
change that here we refuse to build if the user doesn't manually disable
intl.

See [1] for the reasoning.

[1] NixOS#50511 (comment)

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: php

/nix/store/4gskpp3jvc3ykpcv2zks1l6f5hgwzv3p-php-7.2.12/bin/pear: interpreter directive changed from "/bin/sh" to "/nix/store/fqm2x6kiay1q4vg7pqp4wp17bdijlyc3-bash-4.4-p23/bin/sh"
/nix/store/4gskpp3jvc3ykpcv2zks1l6f5hgwzv3p-php-7.2.12/bin/php-config: interpreter directive changed from " /bin/sh" to "/nix/store/fqm2x6kiay1q4vg7pqp4wp17bdijlyc3-bash-4.4-p23/bin/sh"
/nix/store/4gskpp3jvc3ykpcv2zks1l6f5hgwzv3p-php-7.2.12/bin/phpize: interpreter directive changed from "/bin/sh" to "/nix/store/fqm2x6kiay1q4vg7pqp4wp17bdijlyc3-bash-4.4-p23/bin/sh"
checking for references to /build in /nix/store/4gskpp3jvc3ykpcv2zks1l6f5hgwzv3p-php-7.2.12...
moving /nix/store/4gskpp3jvc3ykpcv2zks1l6f5hgwzv3p-php-7.2.12/sbin/* to /nix/store/4gskpp3jvc3ykpcv2zks1l6f5hgwzv3p-php-7.2.12/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/v2xjndcy1h6v7l5lkm79217mnc9qy0ch-php-7.2.12-dev
strip is /nix/store/y4ymnvgxygpq05h03kyzbj572zmh6zla-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/v2xjndcy1h6v7l5lkm79217mnc9qy0ch-php-7.2.12-dev
checking for references to /build in /nix/store/v2xjndcy1h6v7l5lkm79217mnc9qy0ch-php-7.2.12-dev...
/nix/store/4gskpp3jvc3ykpcv2zks1l6f5hgwzv3p-php-7.2.12

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: php

/nix/store/hs180arilc9vccw8dc2qqwmvidsx2ild-php-7.2.12/lib/build/config.guess: interpreter directive changed from " /bin/sh" to "/nix/store/czx8vkrb9jdgjyz8qfksh10vrnqa723l-bash-4.4-p23/bin/sh"
/nix/store/hs180arilc9vccw8dc2qqwmvidsx2ild-php-7.2.12/lib/build/shtool: interpreter directive changed from "/bin/sh" to "/nix/store/czx8vkrb9jdgjyz8qfksh10vrnqa723l-bash-4.4-p23/bin/sh"
/nix/store/hs180arilc9vccw8dc2qqwmvidsx2ild-php-7.2.12/lib/build/config.sub: interpreter directive changed from " /bin/sh" to "/nix/store/czx8vkrb9jdgjyz8qfksh10vrnqa723l-bash-4.4-p23/bin/sh"
checking for references to /build in /nix/store/hs180arilc9vccw8dc2qqwmvidsx2ild-php-7.2.12...
moving /nix/store/hs180arilc9vccw8dc2qqwmvidsx2ild-php-7.2.12/sbin/* to /nix/store/hs180arilc9vccw8dc2qqwmvidsx2ild-php-7.2.12/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/p0mcmn0a7nnyhqa0sfazws8nb5xldicv-php-7.2.12-dev
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/p0mcmn0a7nnyhqa0sfazws8nb5xldicv-php-7.2.12-dev
checking for references to /build in /nix/store/p0mcmn0a7nnyhqa0sfazws8nb5xldicv-php-7.2.12-dev...
/nix/store/hs180arilc9vccw8dc2qqwmvidsx2ild-php-7.2.12

Ekleog (Member, Author) commented Nov 27, 2018

This has been superseded by work on #51092

Ekleog closed this on Nov 27, 2018