Bug 27131 - Possible missing security fixes in several libraries used by PHP modules
Summary: Possible missing security fixes in several libraries used by PHP modules
Status: REOPENED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-18 23:18 CEST by David Walser
Modified: 2024-03-13 15:04 CET

See Also:
Source RPM:
CVE:
Status comment:


Description David Walser 2020-08-18 23:18:14 CEST
I haven't been paying attention to PHP for a while since Marc has been taking care of it, but I don't see anywhere that we've addressed the issues the PHP changelog lists that actually need to be fixed in other packages.

Such as:
GD -> libgd
Fileinfo -> file
MBString -> libmbfl / oniguruma
Zip -> libzip
PCRE -> pcre2

and maybe others I've missed, so we've pushed updates claiming to fix issues in some of these modules that we haven't actually fixed...
Comment 1 Marc Krämer 2020-09-30 00:20:06 CEST
gd: no relevant change
fileinfo: no relevant change
libmbfl looks orphaned to me
zip: php does not use libzip
pcre: changes in Nov 2019, our version is from Feb 2020, so these changes should already be patched upstream


If I don't misunderstand you, we only fix relevant bugs in those libs.
I'm not sure how to handle this, but looking through all patches and commits and checking if they are applied in our libs takes too much time.
If all relevant patches come from PHP and the lib updates are too slow, we should use the code from PHP and not from the original lib.
Comment 2 David Walser 2020-09-30 00:26:58 CEST
Basically we just need to check that security issues fixed in those php modules are fixed in the system libs if that's where the affected code is.  The php bugs are sometimes good about saying.  The system libs don't always get fixed right away or issue new releases, so we have to check.

Yes our php does use libzip, I just double checked that.
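One way to do the check described above mechanically: parse the CVE ids that PHP's NEWS file lists under each module, map the modules whose code actually lives in a system library to that library's package (the mapping from the report: GD -> libgd, Fileinfo -> file, MBString -> oniguruma, Zip -> libzip, PCRE -> pcre2), and look for each id in the package's RPM changelog. This is an added example for this report, not Mageia's or PHP's own tooling; it assumes the "- Module:" / "  . Fixed bug ..." layout of PHP's NEWS file and that a packager names the CVE in the changelog when a fix is backported. The NEWS excerpt and changelogs embedded below are constructed sample input with placeholder identifiers, not real advisories.

```python
"""Cross-check CVEs from PHP's NEWS file against system-library changelogs.

Added example for Mageia bug 27131; not Mageia's or PHP's own tooling.
Assumptions: PHP NEWS uses "- Module:" headings with "  . Fixed bug ..."
entries (continuation lines indented further), and a distro changelog
(rpm -q --changelog <pkg>) mentions the CVE id when the fix was applied.
"""
from __future__ import annotations

import re
import subprocess

# PHP module -> system package that carries the affected code (from the report).
# Modules not listed here are PHP's own code and are fixed by the PHP update.
MODULE_TO_PACKAGE = {
    "GD": "libgd",
    "Fileinfo": "file",
    "MBString": "oniguruma",
    "Zip": "libzip",
    "PCRE": "pcre2",
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
MODULE_RE = re.compile(r"^- (\w+):\s*$")


def parse_php_news(news: str) -> dict[str, set[str]]:
    """Return {module: {cve, ...}} for every CVE id mentioned under a module heading."""
    cves: dict[str, set[str]] = {}
    module = None
    for line in news.splitlines():
        heading = MODULE_RE.match(line)
        if heading:
            module = heading.group(1)
            continue
        if line and not line[0].isspace():
            module = None  # a version/date line ends the current module block
            continue
        if module:
            found = CVE_RE.findall(line)  # entry or continuation line
            if found:
                cves.setdefault(module, set()).update(found)
    return cves


def missing_fixes(cves_by_module: dict[str, set[str]],
                  changelog_by_package: dict[str, str]) -> dict[str, list[str]]:
    """Return {package: [cve, ...]} for ids absent from that package's changelog."""
    missing: dict[str, list[str]] = {}
    for module, cves in cves_by_module.items():
        pkg = MODULE_TO_PACKAGE.get(module)
        if pkg is None:
            continue  # bundled PHP code; nothing to check in a system lib
        log = changelog_by_package.get(pkg, "")
        gaps = sorted(c for c in cves if c not in log)
        if gaps:
            missing[pkg] = gaps
    return missing


def rpm_changelog(package: str) -> str:
    """Changelog of the installed package; empty string if rpm is absent or the package is not installed."""
    try:
        proc = subprocess.run(["rpm", "-q", "--changelog", package],
                              capture_output=True, text=True, check=True)
        return proc.stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


# Constructed sample input with placeholder ids; not real advisories.
SAMPLE_NEWS = """\
01 Jan 2020, PHP 7.4.x
- GD:
  . Fixed bug #00001 (constructed heap overflow example). (CVE-0000-0001)
- Fileinfo:
  . Fixed bug #00002 (constructed out-of-bounds read example).
    (CVE-0000-0002)
- Standard:
  . Fixed bug #00003 (constructed issue in PHP's own code). (CVE-0000-0003)
"""

# Constructed changelogs: libgd names the fix, file does not.
SAMPLE_CHANGELOGS = {
    "libgd": "* Mon Jan 06 2020 packager <pkg@example.org> 2.3.0-1\n- fix CVE-0000-0001\n",
    "file": "* Mon Jan 06 2020 packager <pkg@example.org> 5.38-1\n- update to 5.38\n",
}


def main() -> None:
    """Run the check against the sample NEWS and the live RPM database."""
    cves = parse_php_news(SAMPLE_NEWS)
    live = {pkg: rpm_changelog(pkg) for pkg in MODULE_TO_PACKAGE.values()}
    for pkg, gaps in missing_fixes(cves, live).items():
        print(f"{pkg}: no changelog entry for {', '.join(gaps)}")


if __name__ == "__main__":
    main()
```

The changelog match is only a heuristic: a packager may backport the patch without naming the CVE, and a package that is not installed yields an empty changelog and so flags every id. Treat its output as a list of things to verify against the package's patches, not as proof that a fix is missing.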
Comment 3 Marc Krämer 2020-10-07 18:24:55 CEST
Still, I don't have enough time to check all pushed fixes in system libraries and add patches to them.
Comment 4 Marc Krämer 2021-01-09 12:06:55 CET
Closing this.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

David Walser 2021-01-09 16:22:55 CET

Status: RESOLVED => REOPENED
Resolution: WONTFIX => (none)
Assignee: mageia => pkg-bugs

Comment 5 David Walser 2021-06-21 23:05:27 CEST
Changing version as I don't believe issues in third-party libraries found by PHP are being tracked still.

Version: 7 => Cauldron

Comment 6 Nicolas Salguero 2024-03-13 14:19:40 CET
Mageia 8 EOL.

Version: Cauldron => 8
Status: REOPENED => RESOLVED
Resolution: (none) => OLD
CC: (none) => nicolas.salguero

Comment 7 David Walser 2024-03-13 15:04:29 CET
Not sure why this was closed.

Status: RESOLVED => REOPENED
Version: 8 => Cauldron
Resolution: OLD => (none)
