Skip to content

php: 7.2.11 -> 7.2.12, 7.1.23 -> 7.1.24 (CVE-2018-17082) #51091

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 27, 2018
Merged

php: 7.2.11 -> 7.2.12, 7.1.23 -> 7.1.24 (CVE-2018-17082) #51091

merged 3 commits into from
Nov 27, 2018
+159 −47

Conversation

delroth
Copy link
Contributor

@delroth delroth commented Nov 27, 2018

Also align Darwin with Linux versions by introducing some trivial configure.ac
patches. This requires running autoconf/autoheader (through ./buildconf), which
also made a change to fix-paths-php7.patch necessary since it patched ./configure
directly instead of the .m4 inputs.

Supersedes #50511 with backwards compatibility on Darwin. @Ekleog @etu

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@delroth delroth mentioned this pull request Nov 27, 2018
Closed
9 tasks
@samueldr
Copy link
Member

@GrahamcOfBorg build php71 php72

@GrahamcOfBorg test elk owncloud

@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@Ekleog
Copy link
Member

Ekleog commented Nov 27, 2018

@GrahamcOfBorg build nixosTests.elk nixosTests.owncload

@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@Ekleog
Copy link
Member

Ekleog commented Nov 27, 2018
edited
Loading

@GrahamcOfBorg build nixosTests.elk nixosTests.owncloud

Weird the build “passed” with a typo like this.

@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: nixosTests.elk

The following builds were skipped because they don't evaluate on x86_64-darwin: nixosTests.owncloud

Partial log (click to expand)

while evaluating the attribute 'linux_4_14' at /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/pkgs/top-level/all-packages.nix:14361:3:
while evaluating 'callPackageWith' at /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/lib/customisation.nix:108:35, called from /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/pkgs/top-level/all-packages.nix:14361:16:
while evaluating 'makeOverridable' at /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/lib/customisation.nix:67:24, called from /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/lib/customisation.nix:112:8:
while evaluating anonymous function at /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/pkgs/os-specific/linux/kernel/linux-4.14.nix:1:1, called from /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/lib/customisation.nix:69:12:
while evaluating 'buildLinux' at /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/pkgs/top-level/all-packages.nix:14659:16, called from /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/pkgs/os-specific/linux/kernel/linux-4.14.nix:5:1:
while evaluating 'callPackageWith' at /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/lib/customisation.nix:108:35, called from /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/pkgs/top-level/all-packages.nix:14659:23:
while evaluating 'makeOverridable' at /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/lib/customisation.nix:67:24, called from /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/lib/customisation.nix:112:8:
while evaluating anonymous function at /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/pkgs/os-specific/linux/kernel/generic.nix:1:1, called from /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/lib/customisation.nix:69:12:
assertion failed at /private/var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndndx-vm/pkgs/os-specific/linux/kernel/generic.nix:51:1

@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@Ekleog
Copy link
Member

Ekleog commented Nov 27, 2018
edited
Loading

Summary of ofborg's messages as their status is currently confused with 3 calls, for later reference:

  • php71 and php72 builds passed for x86_64-linux
  • php71 and php72 builds are still pending for aarch64-linux and x86_64-darwin
  • owncloud and elk failed with a “Success” error message on x86_64-darwin (I don't think it's a big deal, it's nixos tests anyway, but it's kind of weird)
  • owncloud and elk are still pending on aarch64-linux and x86_64-linux

@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@Ekleog
Copy link
Member

Ekleog commented Nov 27, 2018

@delroth Could you open a PR with backports of these commits to release-18.09? Using git cherry-pick -x :)

@delroth delroth mentioned this pull request Nov 27, 2018
Merged
@GrahamcOfBorg

This comment has been minimized.

Sign in to view
Ekleog
Ekleog reviewed Nov 27, 2018
View reviewed changes
Copy link
Member

@Ekleog Ekleog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for not noticing this before asking you to backport.

@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@delroth
php: align Darwin and Linux versions again
ea10173 
Instead of pinning Darwin to older versions, add small patches to
configure.in (7.1) / configure.ac (7.2) to fix the build of the intl
extension on recent PHP versions on Darwin.

fix-paths-php7.patch also required changes -- since we now run autoconf
at build time (through ./buildconf), it needs to patch the input .m4
files instead of ./configure directly.
@delroth
php71: 7.1.23 -> 7.1.24

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
8221da3
@delroth
php72: 7.2.11 -> 7.2.12
ec3d829
@Ekleog
Copy link
Member

Ekleog commented Nov 27, 2018

OK so php71 and php72 passed everywhere but on darwin, where it failed due to a timeout due to too many rebuilds. owncloud and elk are still pending on aarch64-linux and x86_64-linux.

Let's retry the darwin build, as IIRC there is only one darwin builder it should re-use the now-cached builds, and it's idling currently anyway.

@GrahamcOfBorg build php71 php72

@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: nixosTests.elk, nixosTests.owncloud

Partial log (click to expand)

one: running command: sync
one: exit status 0
test script finished in 521.53s
cleaning up
killing one (pid 597)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/mwfqli0fa0268p6h671xqwmszglimivq-vm-test-run-ELK-5
/nix/store/0flb4v27qkc0kpcsx83d5w01g8n11ch4-vm-test-run-ELK-6
/nix/store/yw4jh4v57mmvp68dmv79bsmskmx8343d-vm-test-run-owncloud

@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: nixosTests.elk, nixosTests.owncloud

Partial log (click to expand)

web: exit status 1
syncing
web: running command: sync
web: exit status 0
test script finished in 67.35s
cleaning up
killing web (pid 631)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/build/vde1.ctl': Directory not empty
/nix/store/9a4gccvswg406g60cm5my5466vgw2m78-vm-test-run-owncloud

@GrahamcOfBorg

This comment has been minimized.

Sign in to view
@c0bw3b c0bw3b added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Nov 27, 2018
@Ekleog
Copy link
Member

Ekleog commented Nov 27, 2018
edited
Loading

O~kay, it looks like the darwin build of clang has been restarted on hydra (it had been cancelled before that) and passed, so hopefully this time ofborg won't timeout on darwin :)

@GrahamcOfBorg build php71 php72

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: php71, php72

Partial log (click to expand)

/nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12/lib/build/shtool: interpreter directive changed from "/bin/sh" to "/nix/store/yal8k8rgbaj8p9vi08q1kh21ls0ndq95-bash-4.4-p23/bin/sh"
/nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12/lib/build/config.sub: interpreter directive changed from " /bin/sh" to "/nix/store/yal8k8rgbaj8p9vi08q1kh21ls0ndq95-bash-4.4-p23/bin/sh"
checking for references to /build in /nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12...
moving /nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12/sbin/* to /nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/cb4j9qnjcrx8h8b7n4gdckphbrq2h4nz-php-7.2.12-dev
strip is /nix/store/n4hb93w6j076xcjw5pm09rdmc09s075b-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/cb4j9qnjcrx8h8b7n4gdckphbrq2h4nz-php-7.2.12-dev
checking for references to /build in /nix/store/cb4j9qnjcrx8h8b7n4gdckphbrq2h4nz-php-7.2.12-dev...
/nix/store/gliwgjkyg1qakghls3xx4fp9j2mz5d8v-php-7.1.24
/nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: php71, php72

Partial log (click to expand)

/nix/store/qscsak0ndxxjmaky55dm7r5qf6wriiha-php-7.2.12/bin/php-config: interpreter directive changed from " /bin/sh" to "/nix/store/bpspdmsl0yys24gs70flsvcw3wcnl7lx-bash-4.4-p23/bin/sh"
/nix/store/qscsak0ndxxjmaky55dm7r5qf6wriiha-php-7.2.12/bin/phpize: interpreter directive changed from "/bin/sh" to "/nix/store/bpspdmsl0yys24gs70flsvcw3wcnl7lx-bash-4.4-p23/bin/sh"
checking for references to /build in /nix/store/qscsak0ndxxjmaky55dm7r5qf6wriiha-php-7.2.12...
moving /nix/store/qscsak0ndxxjmaky55dm7r5qf6wriiha-php-7.2.12/sbin/* to /nix/store/qscsak0ndxxjmaky55dm7r5qf6wriiha-php-7.2.12/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/54rwkh9dlg9mq3ljxd7cxmv94d2h4ymb-php-7.2.12-dev
strip is /nix/store/qjrnv0qw44bw1hc23zhfh26xd1c25dfs-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/54rwkh9dlg9mq3ljxd7cxmv94d2h4ymb-php-7.2.12-dev
checking for references to /build in /nix/store/54rwkh9dlg9mq3ljxd7cxmv94d2h4ymb-php-7.2.12-dev...
/nix/store/ydypcqnb6iii7vx18n4734vlc14350bv-php-7.1.24
/nix/store/qscsak0ndxxjmaky55dm7r5qf6wriiha-php-7.2.12

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: php71, php72

Partial log (click to expand)

  /nix/store/c60r61kj9lihlh8r67wrx5vyn441z1j9-lynx-2.8.9rel.1.drv
  /nix/store/ndbjzv1abg3n9rr5v7bwpfmbm3whs4jw-apache-httpd-2.4.35.drv
  /nix/store/vav23ixqxbka8z8px1k7b316fk9f3q97-libmcrypt-2.5.8.drv
  /nix/store/p7y4rd70wcshba8y4am3njjk1x6bm93l-unixODBC-2.3.7.drv
  /nix/store/y3g317iys90j8nhp8hicv7bv82jqb913-freetds-1.00.104.drv
  /nix/store/1l3j426rk13vf5zrkcky1dxclkm7aaax-php-7.1.24.drv
  /nix/store/9f0jf3ryzbxys8ilajha1nzwcm3vswz6-php-7.2.12.drv
waiting for locks or build slots...
/nix/store/ydypcqnb6iii7vx18n4734vlc14350bv-php-7.1.24
/nix/store/qscsak0ndxxjmaky55dm7r5qf6wriiha-php-7.2.12

@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: php71, php72

Partial log (click to expand)

/nix/store/ibrbj895d8wlqi90qphb31yswbplfsx9-php-7.2.12/bin/php-config: interpreter directive changed from " /bin/sh" to "/nix/store/sv35yjk452mggg76bz94nppibj96a66h-bash-4.4-p23/bin/sh"
/nix/store/ibrbj895d8wlqi90qphb31yswbplfsx9-php-7.2.12/bin/phpize: interpreter directive changed from "/bin/sh" to "/nix/store/sv35yjk452mggg76bz94nppibj96a66h-bash-4.4-p23/bin/sh"
/nix/store/ibrbj895d8wlqi90qphb31yswbplfsx9-php-7.2.12/lib/build/config.guess: interpreter directive changed from " /bin/sh" to "/nix/store/sv35yjk452mggg76bz94nppibj96a66h-bash-4.4-p23/bin/sh"
/nix/store/ibrbj895d8wlqi90qphb31yswbplfsx9-php-7.2.12/lib/build/config.sub: interpreter directive changed from " /bin/sh" to "/nix/store/sv35yjk452mggg76bz94nppibj96a66h-bash-4.4-p23/bin/sh"
/nix/store/ibrbj895d8wlqi90qphb31yswbplfsx9-php-7.2.12/lib/build/shtool: interpreter directive changed from "/bin/sh" to "/nix/store/sv35yjk452mggg76bz94nppibj96a66h-bash-4.4-p23/bin/sh"
moving /nix/store/ibrbj895d8wlqi90qphb31yswbplfsx9-php-7.2.12/sbin/* to /nix/store/ibrbj895d8wlqi90qphb31yswbplfsx9-php-7.2.12/bin
strip is /nix/store/mvpvjar6m4jpjcz48715w2pax53djv6g-cctools-binutils-darwin/bin/strip
patching script interpreter paths in /nix/store/jfldgm1j685izsf134hhh55hzc7r1z7p-php-7.2.12-dev
/nix/store/zaksw0gihzik28y445h6jyqkwjlfmajj-php-7.1.24
/nix/store/ibrbj895d8wlqi90qphb31yswbplfsx9-php-7.2.12

@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: php71, php72

Partial log (click to expand)

/nix/store/zaksw0gihzik28y445h6jyqkwjlfmajj-php-7.1.24
/nix/store/ibrbj895d8wlqi90qphb31yswbplfsx9-php-7.2.12

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: php71, php72

Partial log (click to expand)

/nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12/bin/peardev: interpreter directive changed from "/bin/sh" to "/nix/store/yal8k8rgbaj8p9vi08q1kh21ls0ndq95-bash-4.4-p23/bin/sh"
/nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12/bin/pecl: interpreter directive changed from "/bin/sh" to "/nix/store/yal8k8rgbaj8p9vi08q1kh21ls0ndq95-bash-4.4-p23/bin/sh"
checking for references to /build in /nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12...
moving /nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12/sbin/* to /nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/cb4j9qnjcrx8h8b7n4gdckphbrq2h4nz-php-7.2.12-dev
strip is /nix/store/n4hb93w6j076xcjw5pm09rdmc09s075b-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/cb4j9qnjcrx8h8b7n4gdckphbrq2h4nz-php-7.2.12-dev
checking for references to /build in /nix/store/cb4j9qnjcrx8h8b7n4gdckphbrq2h4nz-php-7.2.12-dev...
/nix/store/gliwgjkyg1qakghls3xx4fp9j2mz5d8v-php-7.1.24
/nix/store/48cl4x86sv8g11bv6l5hqgk29ay7c8zh-php-7.2.12

@Ekleog
Copy link
Member

Ekleog commented Nov 27, 2018

Looks like it built correctly, thank you!

@markuskowa markuskowa merged commit ec3d829 into NixOS:master Nov 27, 2018
@c0bw3b c0bw3b mentioned this pull request Dec 10, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ekleog Ekleog

@etu etu

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@delroth @samueldr @GrahamcOfBorg @Ekleog @etu @c0bw3b @markuskowa