Bug 26896

Summary: Unsupported SHA-256/SHA-512 signature
Product: Mageia
Reporter: Matthieu Duchemin <alkahan>
Component: RPM Packages
Assignee: Marc Krämer <mageia>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: mageia
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: php-7.3.18-1.mga7.src.rpm, php-pear-1.10.9-1.mga7.src.rpm
CVE:
Status comment:

Description Matthieu Duchemin 2020-07-03 17:56:16 CEST
Description of problem:

I'm trying to run phive.phar from https://phar.io/ and I get the following error:
~> phive.phar
PHP Fatal error:  Uncaught PharException: phar "/home/user/bin/phive.phar" has a unsupported signature in /home/user/bin/phive.phar:347
Stack trace:
#0 /home/user/bin/phive.phar(347): Phar::mapPhar('phive.phar')
#1 {main}
  thrown in /home/user/bin/phive.phar on line 347

After some searching, this is due to a lack of support for SHA-256 and/or SHA-512 signatures.

The description section of the php-phar RPM explains that SHA-256 and SHA-512 signatures can be supported when the hash PECL extension is installed.
See: php -qi php-phar

Even when the hash extension is installed, phar in Mageia only supports MD5, SHA-1 and OpenSSL signatures.

> php -m |grep hash
hash
> php -r 'print_r(Phar::getSupportedSignatures());'
Array
(
    [0] => MD5
    [1] => SHA-1
    [2] => OpenSSL
)
Comment 1 Lewis Smith 2020-07-05 20:58:11 CEST
Thank you for reporting this, and sorry for the slow reply.

php-phar [in php SRPM]
Summary     : Allows running of complete applications out of .phar files
Full support for MD5 and SHA1 signatures is possible. Signatures can be
required if the ini variable phar.require_hash is set to true.
When PECL extension hash is avaiable then SHA-256 and SHA-512 signatures are
supported as well.

The only reference I could find for PECL was:
 php-pear:/usr/share/pear/PEAR/Validator/PECL.php
so I added the php-pear SRPM in case the fault is there.
You say "even when hash extension is installed", which I take to be from within PHP itself.

Assigning to the PHP stack maintainers.

Assignee: bugsquad => php
Source RPM: php-7.3.18-1.mga7.src.rpm => php-7.3.18-1.mga7.src.rpm, php-pear-1.10.9-1.mga7.src.rpm

Comment 2 Marc Krämer 2020-07-07 12:39:46 CEST
In PHP 7.4 (backports & mga8) this is not reproducible and signatures report:
Array
(
    [0] => MD5
    [1] => SHA-1
    [2] => SHA-256
    [3] => SHA-512
    [4] => OpenSSL
)

In PHP 7.4 hash is integrated in core; I have to check why there is a difference.

CC: (none) => mageia

Marc Krämer 2020-07-08 16:34:00 CEST

Assignee: php => mageia

Comment 3 Marc Krämer 2020-07-08 17:02:39 CEST
Fixed in updates_testing.

As this is not a very critical fix, I think we push it with the next php update.
The releases come ~ every month, so we are close to the next version.
Comment 4 Matthieu Duchemin 2020-07-09 09:02:57 CEST
php-7.3.19-2 is out but the problem still persists.

I have tested php-7.3.20-1.mga7 from updates_testing and it is OK:

php -v
PHP 7.3.20 (cli) (built: Jul  8 2020 21:44:11) ( NTS )
php -r 'print_r(Phar::getSupportedSignatures());'
Array
(
    [0] => MD5
    [1] => SHA-1
    [2] => SHA-256
    [3] => SHA-512
    [4] => OpenSSL
)

Thanks for the fix.
Comment 5 Marc Krämer 2020-07-09 16:06:43 CEST
See #26922.

Resolution: (none) => FIXED
Status: NEW => RESOLVED
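
Added example, not part of the original report or of PHP's own code: a Python check that reads the signature trailer of a native .phar (signature bytes, 4-byte little-endian flags, `GBMB` magic), names the signature type as `Phar::getSupportedSignatures()` prints it, and compares it with the list a given PHP build reports. The function names and the sample archive are constructed for illustration; tar- and zip-based phars are not handled.

```python
import hashlib
import hmac
import struct

# Signature flags in the phar trailer, named as Phar::getSupportedSignatures() prints them.
SIG_TYPES = {
    0x0001: ("MD5", "md5"),
    0x0002: ("SHA-1", "sha1"),
    0x0003: ("SHA-256", "sha256"),
    0x0004: ("SHA-512", "sha512"),
    0x0010: ("OpenSSL", None),  # public-key signature, not checked here
}

def inspect_phar_signature(data, supported):
    """Report the signature type of a native .phar and whether its digest matches.

    Trailer layout: <signature bytes> <flags: uint32 LE> b"GBMB".
    `supported` is the list printed by Phar::getSupportedSignatures().
    """
    if len(data) < 8 or data[-4:] != b"GBMB":
        raise ValueError("no phar signature trailer (GBMB magic missing)")
    (flags,) = struct.unpack("<I", data[-8:-4])
    name, algo = SIG_TYPES.get(flags, ("unknown(0x%04x)" % flags, None))
    report = {"type": name, "supported": name in supported, "digest_ok": None}
    if algo is not None:
        size = hashlib.new(algo).digest_size
        if len(data) < size + 8:
            raise ValueError("file too short for a %s signature" % name)
        body, stored = data[:-(size + 8)], data[-(size + 8):-8]
        # The digest covers every byte that precedes the signature.
        report["digest_ok"] = hmac.compare_digest(hashlib.new(algo, body).digest(), stored)
    return report

def build_sample_phar(payload, flags=0x0003, algo="sha256"):
    """Constructed sample: stub + payload + hash signature trailer (not a loadable phar)."""
    body = b"<?php __HALT_COMPILER(); ?>\r\n" + payload
    return body + hashlib.new(algo, body).digest() + struct.pack("<I", flags) + b"GBMB"

# Lists copied from the bug report: affected php 7.3.18 build, then the fixed build.
AFFECTED = ["MD5", "SHA-1", "OpenSSL"]
FIXED = ["MD5", "SHA-1", "SHA-256", "SHA-512", "OpenSSL"]

if __name__ == "__main__":
    sample = build_sample_phar(b"constructed manifest and file data")
    print(inspect_phar_signature(sample, AFFECTED))
    print(inspect_phar_signature(sample, FIXED))
```

A matching digest shows integrity only: the MD5 and SHA signature types carry no key, so they say nothing about who produced the archive.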