Bug 27131

Summary: Possible missing security fixes in several libraries used by PHP modules
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: REOPENED --- QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: nicolas.salguero
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: CVE:
Status comment:

Description David Walser 2020-08-18 23:18:14 CEST 
I haven't been paying attention to PHP for a while since Marc has been taking care of it, but I don't see anywhere that we've addressed the issues the PHP changelog lists that actually need to be fixed in other packages.

Such as:
GD -> libgd
Fileinfo -> file
MBString -> libmbfl / oniguruma
Zip -> libzip
PCRE -> pcre2

and maybe others I've missed, so we've pushed updates claiming to fix issues in some of these modules that we haven't actually fixed...
Comment 1 Marc Krämer 2020-09-30 00:20:06 CEST 
gd: no relevant change 
fileinfo: no relevant change
libmbfl looks orphaned to me
zip: php does not use libzip
pcre: changes in nov 2019, our version is from Feb 2020, so these changes should be already patched upstream


If I don't misunderstand you, we only fix relevant bugs in those libs.
I'm not sure how to handle this, but looking through all patches and commits and checking if they are applied in our libs takes too much time.
If all relevant patches come from php and the lib updates are to slow, we should use the code from php and not from the original lib.
Comment 2 David Walser 2020-09-30 00:26:58 CEST 
Basically we just need to check that security issues fixed in those php modules are fixed in the system libs if that's where the affected code is.  The php bugs are sometimes good about saying.  The system libs don't always get fixed right away or issue new releases, so we have to check.

Yes our php does use libzip, I just double checked that.
Comment 3 Marc Krämer 2020-10-07 18:24:55 CEST 
still. I don't have enough time, to check all pushed fixes in system libraries and add patches to them.
Comment 4 Marc Krämer 2021-01-09 12:06:55 CET 
closing this.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

David Walser 2021-01-09 16:22:55 CET

Status: RESOLVED => REOPENED
Resolution: WONTFIX => (none)
Assignee: mageia => pkg-bugs

Comment 5 David Walser 2021-06-21 23:05:27 CEST 
Changing version as I don't believe issues in third-party libraries found by PHP are being tracked still.

Version: 7 => Cauldron

Comment 6 Nicolas Salguero 2024-03-13 14:19:40 CET 
Mageia 8 EOL.

Version: Cauldron => 8
Status: REOPENED => RESOLVED
Resolution: (none) => OLD
CC: (none) => nicolas.salguero

Comment 7 David Walser 2024-03-13 15:04:29 CET 
Not sure why this was closed.

Status: RESOLVED => REOPENED
Version: 8 => Cauldron
Resolution: OLD => (none)