Ubuntu has issued an advisory today (July 29): https://ubuntu.com/security/notices/USN-5027-1 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
cauldron is not affected. Updated php-pear package to fix security vulnerability: In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32610 https://ubuntu.com/security/notices/USN-5027-1 ======================== Updated packages in core/updates_testing: ======================== php-pear-1.10.12-5.1.mga8.noarch.rpm SRPM: php-pear-1.10.12-5.1.mga8.src.rpm
Version: Cauldron => 8
Assignee: mageia => qa-bugs
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
mga8, x64 https://pear.php.net/manual/en/about.pear.php "PHP Extension and Application Repository" PECL home page @ http://pecl.php.net/ $ pecl channel-update pecl.php.net Warning: PHP Startup: Unable to load dynamic library 'xml' (tried: /usr/lib64/php/extensions/xml (/usr/lib64/php/extensions/xml: cannot open shared object file: No such file or directory), /usr/lib64/php/extensions/xml.so (/usr/lib64/php/extensions/xml.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 Updating channel "pecl.php.net" could not create lock file $ sudo pecl channel-update pecl.php.net Warning: PHP Startup: Unable to load dynamic library 'xml' (tried: /usr/lib64/php/extensions/xml (/usr/lib64/php/extensions/xml: cannot open shared object file: No such file or directory), /usr/lib64/php/extensions/xml.so (/usr/lib64/php/extensions/xml.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 Updating channel "pecl.php.net" Channel "pecl.php.net" is not responding over http://, failed with message: could not open /var/tmp/channel.xml for writing Trying channel "pecl.php.net" over https:// instead Cannot retrieve channel.xml for channel "pecl.php.net" (Connection to `ssl://pecl.php.net:443' failed: Unable to find the socket transport "ssl" - did you forget to enable it when you configured PHP?) Looks like this is developer land. Updated the package OK. $ sudo pecl channel-update pecl.php.net Warning: PHP Startup: Unable to load dynamic library 'xml' (tried: /usr/lib64/php/extensions/xml (/usr/lib64/php/extensions/xml: cannot open shared object file: No such file or directory), /usr/lib64/php/extensions/xml.so (/usr/lib64/php/extensions/xml.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 Updating channel "pecl.php.net" Channel "pecl.php.net" is not responding over http://, failed with message: could not open /var/tmp/channel.xml for writing Trying channel "pecl.php.net" over https:// instead Cannot retrieve channel.xml for channel "pecl.php.net" (Connection to `ssl://pecl.php.net:443' failed: Unable to find the socket transport "ssl" - did you forget to enable it when you configured PHP?) GUI mode fails to start. $ pecl -G Warning: PHP Startup: Unable to load dynamic library 'xml' (tried: /usr/lib64/php/extensions/xml (/usr/lib64/php/extensions/xml: cannot open shared object file: No such file or directory), /usr/lib64/php/extensions/xml.so (/usr/lib64/php/extensions/xml.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 Warning: fopen(PEAR/Frontend/Gtk2.php): Failed to open stream: No such file or directory in Frontend.php on line 140 Fatal error: Uncaught Error: Class "Gtk" not found in /usr/share/pear/pearcmd.php:263 Stack trace: #0 /usr/share/pear/peclcmd.php(32): require_once() #1 {main} thrown in /usr/share/pear/pearcmd.php on line 263 $ pecl -list-all All packages [Channel pecl.php.net]: ==================================== Package Latest Local pecl/amfext 0.9.2 ActionScript Message Format extension pecl/apfd 1.0.2 Always Populate Form Data pecl/augeas 0.6.1 PHP bindings to the Augeas API pecl/awscrt 1.0.4 AWS Common Runtime PHP bindings pecl/binpack 1.0.1 binpack for PHP. pecl/bloomy 0.1.0 Extension implementing a Bloom filter pecl/bz2_filter 1.1.0 bz2 filter implementation backport for PHP 5.0 pecl/cld 0.5.0 PHP Bindings for Chromium Compact Language Detector pecl/clips 0.5.0 Integrated CLIPS environment for deployment of expert systems pecl/clucene 0.0.9 Extension for CLucene pecl/coin_acceptor 0.3 Interface for serial coin acceptors ...................... Installed QuickForm and downloaded the script in the attachment to bug 24185 (thanks Lewis) and also installed php-pear-HTML_QuickForm. $ pear list Installed packages, channel pear.php.net: ========================================= Package Version State Archive_Tar 1.4.14 stable Console_Getopt 1.4.3 stable HTML_QuickForm 3.2.15 stable PEAR 1.10.12 stable Structures_Graph 1.1.1 stable XML_Util 1.4.5 stable Cannot install anything via pecl or pear. $ pear upgrade Error getting channel info from pear.php.net: Connection to `ssl://pear.php.net:443' failed: Unable to find the socket transport "ssl" - did you forget to enable it when you configured PHP? $ pear install GTK2_EntryDialog No releases available for package "pear.php.net/GTK2_EntryDialog" install failed $ pear upgrade Archive_Tar Error getting channel info from pear.php.net: Connection to `ssl://pear.php.net:443' failed: Unable to find the socket transport "ssl" - did you forget to enable it when you configured PHP? Nothing to upgrade Back to bug 24185 test: Generated a specimen.html. $ php pearHTML.php > specimen.html Added the HTML wrapper to the specimen file to produce test.html. $ firefox file:/home/lcl/qa/python/pear/test.html Which posted a form in the browser. No regressions as far as can be seen but PECL still does not work (referring to a previous bug from memory). I am inclined to pass this but shall wait for comments.
CC: (none) => tarazed25
MGA8-64 Plasma on Lenovo B50 No installation issues. Tried same commands with similar results. Seems lot of configuration is neededfor this, and is this is really developer's area. Suggest Len to OK this update.
CC: (none) => herman.viaene
@Len, Herman: thanks for your testing. I've corrected those issues. New package: php-pear-1.10.12-5.2.mga8.noarch.rpm SRPM: php-pear-1.10.12-5.2.mga8.src.rpm
Installed the new rpm but pecl still does not play ball. $ pecl -G fails to start in GUI mode. No change with this either: $ sudo pecl channel-update pecl.php.net These are OK: $ pecl list-all WARNING: channel "pecl.php.net" has updated its protocols, use "pecl channel-update pecl.php.net" to update All packages [Channel pecl.php.net]: ==================================== Package Latest Local pecl/amfext 0.9.2 ActionScript Message Format extension pecl/apfd 1.0.2 Always Populate Form Data pecl/augeas 0.6.1 PHP bindings to the Augeas API ..... $ pear list Installed packages, channel pear.php.net: ========================================= Package Version State Archive_Tar 1.4.14 stable Console_Getopt 1.4.3 stable HTML_QuickForm 3.2.15 stable PEAR 1.10.12 stable Structures_Graph 1.1.1 stable XML_Util 1.4.5 stable These may be OK: $ pear install pecl/SPL No releases available for package "pecl.php.net/SPL" install failed $ sudo pear install channel://pecl.php.net/stackdriver_debugger-0.2.0 WARNING: channel "pecl.php.net" has updated its protocols, use "pear channel-update pecl.php.net" to update downloading stackdriver_debugger-0.2.0.tar ... Starting to download stackdriver_debugger-0.2.0.tar (245,248 bytes) ...................................................done: 245,248 bytes 13 source files, building running: phpize sh: line 1: phpize: command not found ERROR: `phpize' failed Should we have phpize?
Installed php-devel to obtain phpize. $ rpm -q php-devel php-devel-8.0.8-1.1.mga8 $ sudo pear install channel://pecl.php.net/stackdriver_debugger-0.2.0 [...] running: make /bin/sh /var/tmp/pear-build-rootcdJbC4/stackdriver_debugger-0.2.0/libtool --mode=compile cc -I. -I/var/tmp/stackdriver_debugger -I/var/tmp/pear-build-rootcdJbC4/stackdriver_debugger-0.2.0/include -I/var/tmp/pear-build-rootcdJbC4/stackdriver [...] /var/tmp/stackdriver_debugger/stackdriver_debugger.c:120:63: error: expected ‘;’, ‘,’ or ‘)’ before ‘TSRMLS_DC’ 120 | static void php_stackdriver_debugger_globals_ctor(void *pDest TSRMLS_DC) | ^~~~~~~~~ /var/tmp/stackdriver_debugger/stackdriver_debugger.c: In function ‘zif_stackdriver_debugger_valid_statement’: /var/tmp/stackdriver_debugger/stackdriver_debugger.c:214:47: error: expected ‘)’ [...] make: *** [Makefile:208: stackdriver_debugger.lo] Error 1 ERROR: `make' failed That may not even be relevant but thought it worth a try.
Also: $ sudo pecl channel-update https://pecl.php.net Warning: PHP Startup: Unable to load dynamic library 'xml' (tried: /usr/lib64/php/extensions/xml (/usr/lib64/php/extensions/xml: cannot open shared object file: No such file or directory), /usr/lib64/php/extensions/xml.so (/usr/lib64/php/extensions/xml.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 Warning: file_exists(): Unable to find the wrapper "https" - did you forget to enable it when you configured PHP? in PEAR/Command/Channels.php on line 533 Warning: file_exists(): Unable to find the wrapper "https" - did you forget to enable it when you configured PHP? in /usr/share/pear/PEAR/Command/Channels.php on line 533 Cannot open https://pecl.php.net (Connection to `ssl://pecl.php.net:443' failed: Unable to find the socket transport "ssl" - did you forget to enable it when you configured PHP?)
@Len: I've never used pecl to install packages, so never tested any "GUI" mode. If you have the latest pear-package (php-pear-1.10.12-5.2.mga8.noarch.rpm) your /usr/bin/pecl should look like this #!/usr/bin/sh exec /usr/bin/php -n -C \ -d extension=openssl \ -d include_path=/usr/share/pear \ -d date.timezone=UTC \ -d output_buffering=1 \ -d variables_order=EGPCS \ -d register_argc_argv="On" \ /usr/share/pear/peclcmd.php "$@" so it should not complain about ssl and missing "xml".
@Marc: I did wonder if there was any point to pecl. I am not a php user so do not have the credentials to argue about it. And yes, pecl here is the same as yours. So I reckon QA should pass this. Thank you for all your packaging work as well.
Whiteboard: (none) => MGA8-64-OK
Thank you, Gentlemen. Validating. Looks like advisory informatio is in Comment 1, except for the updated package from Comment 4.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0393.html
Status: NEW => RESOLVEDResolution: (none) => FIXED