Bug 209148 - dev-lang/php < 5.2.5_p20080206: vulnerable pcre, several crash issues
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Duplicates: 207752
Depends on: 209501 209606
Reported: 2008-02-06 14:48 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-11-16 16:14 UTC (History)


Attachments
gzipped build log for the build described in comment #23 (20080212-222625.log.gz, 154.05 KB, application/x-gzip)
2008-02-13 07:26 UTC, Jeroen Roovers (RETIRED)

Description Christian Hoffmann (RETIRED) gentoo-dev 2008-02-06 14:48:15 UTC
All versions of php before 5.2.5_p20080602 are shipping vulnerable versions of pcre (<7.6, see bug 209067).
The new snapshot of php also fixes several crash issues (wasn't possible for me to track all of them, just some examples: upstream bugs 44046, 44028, 42841, 29044 and probably more).

I'm not sure about the impact of the PCRE security issue and the crash issues.

The ebuild will be in the tree in some minutes, I'll update the bug accordingly.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-02-06 15:11:20 UTC
s/p20080602/p20080206/g :)
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-02-06 15:19:35 UTC
php-5.2.5_p20080206 in the tree now.

These tests are known to fail (either they have been failing for ages or they are new and test for bugs which haven't been fixed yet, so no regression):
-----
PDO Common: Bug #43663 (__call on classes derived from PDO) [ext/pdo/tests/bug_43663.phpt]
Bug #38759 (sqlite2 empty query causes segfault) [ext/sqlite/tests/bug38759.phpt]
via [ext/sqlite/tests/pdo/common.phpt]
	SQLite2 PDO Common: Bug #43663 (__call on classes derived from PDO) [ext/sqlite/tests/pdo/bug_43663.phpt]
Test array_merge_recursive() function : usage variations - common key and value(Bug#43559) [ext/standard/tests/array/array_merge_recursive_variation9.phpt]
Test arsort() function : usage variations - sort integer/float values [ext/standard/tests/array/arsort_variation3.phpt]
Test is_file() function: usage variations - diff. path notations (Bug #42027, #42638) [ext/standard/tests/file/is_file_variation4.phpt]
Test rename() function: usage variations-1 (Bug#42638) [ext/standard/tests/file/rename_variation.phpt]
-----
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-02-06 15:23:36 UTC
*** Bug 207752 has been marked as a duplicate of this bug. ***
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2008-02-07 22:07:01 UTC
Let's stabilize this... arches, have phun. :) Thanks.
Comment 5 Dawid Węgliński (RETIRED) gentoo-dev 2008-02-07 23:23:19 UTC
x86 off the phun. Stable :)
Comment 6 Brent Baude (RETIRED) gentoo-dev 2008-02-08 00:20:12 UTC
ppc64 done
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-08 07:39:54 UTC
ppc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-08 13:59:06 UTC
That's odd:

>>> Source compiled.
>>> Test phase [test]: dev-lang/php-5.2.5_p20080206
/dev/shm/portage/dev-lang/php-5.2.5_p20080206/temp/environment: line 4603: ./sapi/cli/php: No such file or directory
 * Some tests failed!

>>> Install php-5.2.5_p20080206 into /dev/shm/portage/dev-lang/php-5.2.5_p20080206/image/ category dev-lang

[ebuild   R   ] dev-lang/php-5.2.5_p20080206  USE="apache2 berkdb bzip2 calendar cdb cgi cjk cli crypt ctype curl exif filter ftp gd gmp iconv imap iodbc ipv6 kerberos ldap mcve mhash mssql mysql mysqli ncurses nls odbc pcre pdo pic postgres qdbm readline reflection session snmp sockets spell spl sqlite ssl suhosin threads tidy tokenizer truetype unicode xml xpm xsl zip-external zlib (-adabas) -bcmath (-birdstep) -concurrentmodphp -curlwrappers (-db2) -dbase (-dbmaker) -debug -discard-path -doc (-empress) (-empress-bcs) (-esoob) -fastbuild (-fdftk) (-firebird) -flatfile -force-cgi-redirect (-frontbase) -gd-external -gdbm -hash -inifile -interbase (-java-external) -json -ldap-sasl -libedit -msql (-oci8) (-oci8-instant-client) -pcntl -posix -recode -sapdb -sharedext -sharedmem -simplexml -soap (-solid) (-sybase) (-sybase-ct) -sysvipc -wddx -xmlreader -xmlrpc -xmlwriter -yaz -zip" 0 kB

With FEATURES="test userpriv"

Any ideas?
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-08 14:07:08 UTC
Stable for HPPA (but I personally want to know about the failing test suite).
Comment 10 Hans Rakers 2008-02-08 14:22:08 UTC
This version broke several of our (zend encoded) webapps using Zend Optimizer 3.3.0a. Backtrace doesn't give much more info than:

Program terminated with signal 11, Segmentation fault.
#0  0xb50508e1 in ?? () from /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so
(gdb) bt
#0  0xb50508e1 in ?? () from /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so

Previous ebuild dev-lang/php-5.2.5-r1 was fine. Reverting to this version solves the issue, so I guess I'll mask this one for now.
Comment 11 Christian Hoffmann (RETIRED) gentoo-dev 2008-02-08 15:01:03 UTC
Meh :/

(In reply to comment #8)
> That's odd:
> 
> >>> Source compiled.
> >>> Test phase [test]: dev-lang/php-5.2.5_p20080206
> /dev/shm/portage/dev-lang/php-5.2.5_p20080206/temp/environment: line 4603: ./sapi/cli/php: No such file or directory
>  * Some tests failed!
> 
> >>> Install php-5.2.5_p20080206 into /dev/shm/portage/dev-lang/php-5.2.5_p20080206/image/ category dev-lang

I can't really explain (or reproduce) that. It says it can't find ./sapi/cli/php, but with USE=cli it should be there (and I guess you have it on the live system as /usr/bin/php as well). So.. must be some path related thing, maybe because of your portage tmp dir? I'll try /dev/shm later...




(In reply to comment #10)
> This version broke several of our (zend encoded) webapps using Zend Optimizer
> 3.3.0a. Backtrace doesn't give much more info than:
> 
> Program terminated with signal 11, Segmentation fault.
> #0  0xb50508e1 in ?? () from
> /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so
> (gdb) bt
> #0  0xb50508e1 in ?? () from
> /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so
> 
> previous ebuild dev-lang/php-5.2.5-r1 was fine. Reverting to this version
> solves the issue, so i guess i'll mask this one for now.

Not so good. ;)
Do you have a simple reproduce case for me or does it only happen when using your (probably big) encoded application? ZendOptimizer still works fine for me, but I haven't tried using it to parse encoded files.
I can think of one patch which possibly breaks that, but I'm not sure. Could you please try php-5.2.5_p20080206-r1 from php-testing overlay (layman -a php-testing)? It omits exactly the patch I'm suspecting. If this does help I'll have to try and fix the patch as we can't simply drop it.
(The ebuild does not have any KEYWORDS, so do echo '=dev-lang/php-5.2.5_p20080206* **' >> /etc/portage/package.keywords first)

Thanks for pointing out the problem anyway. =)
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2008-02-08 15:16:49 UTC
(In reply to comment #10)
> /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so

We do not install anything to /usr/local; if you have issues with dev-php5/ZendOptimizer *ebuild* (after wiping all the cruft in /usr/local first and sanitizing your configuration accordingly), then file a *new* bug.
Comment 13 Hans Rakers 2008-02-08 15:24:38 UTC
I don't use Zend Optimizer ebuild, and that is beside the point. Optimizer works fine.

@Christian I will try to isolate the problem on a separate machine and try to track down the patch which causes the problem.

And if it pleases Jakub I will use the ZO ebuild there.
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2008-02-08 15:32:01 UTC
alpha/ia64/sparc stable
Comment 15 Hans Rakers 2008-02-11 10:57:30 UTC
(In reply to comment #11)
> 
> Not so good. ;)
> Do you have a simple reproduce case for me or does it only happen when using
> your (probably big) encoded application? ZendOptimizer still works fine for me,
> but I haven't tried using it to parse encoded files.

Yup, it's a big app so it's not going to be easy to pinpoint. It is Zend encoded using Zend Guard 5.

> I can think of one patch which possibly breaks that, but I'm not sure. Could
> you please try php-5.2.5_p20080206-r1 from php-testing overlay (layman -a
> php-testing)? It omits exactly the patch I'm suspecting. If this does help I'll
> have to try and fix the patch as we can't simply drop it.
> (The ebuild does not have any KEYWORDS, so do echo
> '=dev-lang/php-5.2.5_p20080206* **' >> /etc/portage/package.keywords first)
> 
> Thanks for pointing out the problem anyway. =)
> 

I have just tried php-5.2.5_p20080206-r1 from php-testing with Zend Optimizer ebuild and this still exhibits the same problem:

Core was generated by `/usr/sbin/apache2 -D DEFAULT_VHOST -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D U'.
Program terminated with signal 11, Segmentation fault.
#0  0xb5f8f8e1 in ?? () from /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20060613/ZendOptimizer.so
(gdb) bt
#0  0xb5f8f8e1 in ?? () from /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20060613/ZendOptimizer.so
#1  0x00000000 in ?? ()


Is there an easy way for me to include/exclude patches from the patchset for testing?
Comment 16 Jakub Moc (RETIRED) gentoo-dev 2008-02-11 11:05:07 UTC
(In reply to comment #15)

Once again, file a *new* bug please. This bug is for security *only*. Thanks.
Comment 17 Hans Rakers 2008-02-11 11:21:09 UTC
OK sorry. New bug at http://bugs.gentoo.org/show_bug.cgi?id=209649

I will shut up now :)
Comment 18 Jakub Moc (RETIRED) gentoo-dev 2008-02-11 13:06:23 UTC
Forget this, broken... http://bugs.php.net/bug.php?id=44094 and others.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 23:36:25 UTC
Considering the bugs in "Depend", should we revoke stable on x86 and sparc?
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 23:45:13 UTC
Never mind, it's masked. Bleh@me
Comment 21 Christian Hoffmann (RETIRED) gentoo-dev 2008-02-12 16:51:51 UTC
I just committed =dev-lang/php-5.2.5_p20080206-r2 which includes a fix for bug 209606. Once it is confirmed that it fixes bug 209501 as well (I think it should but want to get a confirmation first), we are set for another round of stabilization.
Sorry for the delays. :(
Comment 22 Christian Hoffmann (RETIRED) gentoo-dev 2008-02-12 22:05:49 UTC
Some upstream dev argued that the recently committed patch (which we are shipping in -r2) might break other functionality (mysql_pconnect probably). There was a new patch and as such there is a new revision in the tree: php-5.2.5_p20080206-r3.

I'd prefer if it could get some testing before CC'ing arches. Feel free to request stabilization in 12 hours or so and once bug 209501 is marked FIXED.
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-13 06:58:43 UTC
I still cannot seem to run the test suite.

------------------------
>>> Test phase [test]: dev-lang/php-5.2.5_p20080206-r3
/dev/shm/portage/dev-lang/php-5.2.5_p20080206-r3/temp/environment: line 4608: /dev/shm/portage/dev-lang/php-5.2.5_p20080206-r3/work/php-5.2.5_p20080206/sapi/cli/php: No such file or directory
 * Not all tests were successful!

>>> Install php-5.2.5_p20080206-r3 into /dev/shm/portage/dev-lang/php-5.2.5_p20080206-r3/image/ category dev-lang
------------------------

emerge -vp --nodeps dev-lang/php:
[ebuild   R   ] dev-lang/php-5.2.5_p20080206-r3  USE="apache2 berkdb bzip2 calendar cdb cgi cjk cli crypt ctype curl exif filter ftp gd gmp iconv imap iodbc ipv6 kerberos ldap mcve mhash mssql mysql mysqli ncurses nls odbc pcre pdo pic postgres qdbm readline reflection session snmp sockets spell spl sqlite ssl suhosin threads tidy tokenizer truetype unicode xml xpm xsl zip-external zlib (-adabas) -bcmath (-birdstep) -concurrentmodphp -curlwrappers (-db2) -dbase (-dbmaker) -debug -discard-path -doc (-empress) (-empress-bcs) (-esoob) -fastbuild (-fdftk) (-firebird) -flatfile -force-cgi-redirect (-frontbase) -gd-external -gdbm -hash -inifile -interbase (-java-external) -json -ldap-sasl -libedit -msql (-oci8) (-oci8-instant-client) -pcntl -posix -recode -sapdb -sharedext -sharedmem -simplexml -soap (-solid) (-sybase) (-sybase-ct) -sysvipc -wddx -xmlreader -xmlrpc -xmlwriter -yaz -zip" 0 kB

Set on the command line:
FEATURES="test userpriv"
PORTAGE_TMPDIR="/dev/shm" 

emerge --info:
Wed Feb 13 07:56:37 CET 2008
Portage 2.1.4.3 (default-linux/hppa/2007.0, gcc-4.1.2, glibc-2.7-r1, 2.6.24-gentoo-JeR parisc)
=================================================================
System uname: 2.6.24-gentoo-JeR parisc PA8700 (PCX-W2)
Timestamp of tree: Wed, 13 Feb 2008 05:46:01 +0000
distcc 2.18.3 hppa2.0-unknown-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [disabled]
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 2.0.0_rc6-r1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="hppa"
CBUILD="hppa2.0-unknown-linux-gnu"
CFLAGS="-O2 -pipe -mschedule=8000 -march=2.0 -ggdb -Wall"
CHOST="hppa2.0-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind /var/spool/torque /var/www/localhost/htdocs/wordpress/wp-config.php"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -mschedule=8000 -march=2.0 -ggdb -Wall"
DISTDIR="/keeps/gentoo/distfiles"
FEATURES="autoaddcvs buildpkg cvs distlocks fixpackages notitles sandbox sfperms splitdebug strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://mirror.muntinternet.net/pub/gentoo/ http://gentoo.tiscali.nl/"
LC_ALL="en_US.UTF-8"
LINGUAS="en nl he"
MAKEOPTS="-j4"
PKGDIR="/keeps/gentoo/packages/elmer"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/mnt/alt/portage-tmp"
PORTDIR="/keeps/gentoo/portage"
PORTDIR_OVERLAY="/keeps/gentoo/local"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="7zip X Xaw3d a52 aac aalib accessibility ads alsa amr amrnb amrwb ao aoss apache2 ares arts asf async asyncns audiofile automount avfs bash-completion berkdb bidi bitmap-fonts bittorrent bl bzip2 c++ cairo caps catalogs cblas cdb cddb cdparanoia cdr chardet cjk cli cpudetection cracklib crypt cups curl custom-cflags dbtool dbus device-mapper dga dia directfb djbfft domainkeys dts dv dvd dvdr dvdread dxr3 edl elf emacs enca encode esd examples exif expat fam fame fastbuild fastcgi fbcon ffmpeg filter flac fontconfig foomaticdb fortran ftp gadu gd gdbm geoip ggi gif gimp gimpprint glep glib glut gmp gnome gnutls gphoto2 gpm gs gsl gtk gtk2 gtkhtml hal hesiod hppa ical icecast iconv idea idn imagemagick imlib immqt-bc inquisitio ipv6 isdnlog jack javascript jingle jpeg jpeg2k kde kerberos lapack lcms ldap leim libcaca libnotify libsamplerate libwww logrotate logwatch lua lzo mad matroska memcache mhash midi mikmod mmap mng modplug motif mozbranding mp3 mssql mudflap musepack mysql nas ncurses netpbm network-cron nfconntrack nfs nls nntp nptl nptlonly nsplugin offensive ogg openexr opengl openmp oss ots overlays pam pango pbs pch pcre pdf pdo-external perl php pic plotutils plugins png portage portaudio postgres povray ppds pppd pulseaudio python pyzord qdbm qt3 qt3support quotas raw readline recode reflection rpc rrdtool rtc ruby samba sasl scanner scim sdl seamonkey session sid slang slp sndfile snmp soundex speex spell spl sqlite ssl startup-notification suhosin svg swat sysfs talkfilters tcl tcpd tga theora threads thunar-vfs tidy tiff timidity tk tools truetype truetype-fonts twolame type1-fonts udev unicode unzip urandom usb userlocales utempter utf v4l v4l2 vanim vcd vidix vim-syntax vorbis wavpack webdav webinstall winbind wlan wma wmf xanim xchattext xcomposite xface xml xml2 xmpi xorg xpm xrandr xscreensaver xsettings xulrunner xv xvid xvmc zip zip-external zlib" ALSA_CARDS="ad1889 usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop 
empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en nl he" USERLAND="GNU" VIDEO_CARDS="stifb fbdev matrox"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 24 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-13 07:26:39 UTC
Created attachment 143396 [details]
gzipped build log for the build described in comment #23
Comment 25 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-13 07:41:26 UTC
At line #4197 in the build log, sapi/cli/php is created:

/bin/sh /dev/shm/portage/dev-lang/php-5.2.5_p20080206-r3/work/php-5.2.5_p20080206/libtool --silent --preserve-dup-deps --mode=link /dev/shm/portage/dev-lang/php-5.2.5_p20080206-r3/work/php-5.2.5_p20080206/meta_ccld -export-dynamic -I/usr/include -O2 -pipe -mschedule=8000 -march=2.0 -ggdb -Wall -pthread -DZTS [...........] -o sapi/cli/php

But line #4210 in the build log states:

rm -f libphp5.la sapi/cli/php  modules/* libs/*
Comment 26 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-13 08:01:29 UTC
Also, this build (r3) still segfaults on mysql_connect().
Comment 27 Jakub Moc (RETIRED) gentoo-dev 2008-02-13 08:07:36 UTC
(In reply to comment #26)
> Also, this build (r3) still segfaults on mysql_connect().

Does -r2 segfault as well? (I don't care about the testsuite at all ATM). 
Comment 28 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-13 08:30:48 UTC
(In reply to comment #27)
> (In reply to comment #26)
> > Also, this build (r3) still segfaults on mysql_connect().
> 
> Does -r2 segfault as well?

Yes.
Comment 29 Jakub Moc (RETIRED) gentoo-dev 2008-02-13 08:34:42 UTC
(In reply to comment #28)

Well, then you should file a separate bug because both -r2 and -r3 fixed the original issue for anyone else.
Comment 30 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-13 08:52:05 UTC
(In reply to comment #29)
> (In reply to comment #28)
> 
> Well, then you should file a separate bug because both -r2 and -r3 fixed the
> original issue for anyone else.

It seems this still is the original issue.
Comment 31 Christian Hoffmann (RETIRED) gentoo-dev 2008-02-17 18:23:38 UTC
Ok, let's do the stabilization dance again. I've been running -r3 on multiple machines (x86, x86 hardened and amd64) without any problems and all regression reports (bug 209606) seem to be solved for those two arches as well. I have still no clue about the more "exotic" archs (bug 209501), but according to the comments in this bug they might still have severe problems.

Arches, please extensively test and stabilize =dev-lang/php-5.2.5_p20080206-r3.
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd


By extensive testing I mean that it would be nice if you could run some MySQL-related apps for testing, like phpmyadmin for example. If you don't have a web server setup, emerging lighttpd using this [1] config and running lighttpd -Df /path/to.conf would be the easiest way for testing, imo.
Commandline php apps should be sufficient for testing as well, of course.


I'll be away from Monday to Friday evening, so if it breaks again, someone please mask it (maybe even per-arch), but I can't do much about the issues on the "exotic" archs right now.

[1] http://home.hoffie.info/php-testing.lighttpd.conf
Comment 32 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-21 17:37:06 UTC
=====================================================================
TIME END 2008-02-21 00:35:51

=====================================================================
TEST RESULT SUMMARY
---------------------------------------------------------------------
Exts skipped    :   31
Exts tested     :   48
---------------------------------------------------------------------

Number of tests : 5283              3799
Tests skipped   : 1484 ( 28.1%) --------
Tests warned    :    1 (  0.0%) (  0.0%)
Tests failed    :   83 (  1.6%) (  2.2%)
Tests passed    : 3715 ( 70.3%) ( 97.8%)
---------------------------------------------------------------------
Time taken      : 5067 seconds
=====================================================================

Stable for HPPA.
Comment 33 Markus Meier gentoo-dev 2008-02-21 22:04:39 UTC
x86 stable, no problems here (with mysql/general php stuff).
Comment 34 Hans Rakers 2008-02-22 10:40:49 UTC
Before amd64 goes stable, I'd like to point out upstream bug http://bugs.php.net/bug.php?id=42682 (and http://bugs.php.net/bug.php?id=40735 on the same subject).

Not much feedback upstream since Oct 2007 but imo it's a big issue (which I recently was confronted with after swapping a bunch of x86 webfarm boxes to new x86_64 boxes). All stream fread operations fail on x86_64 (x86 is fine) due to stream_select not returning the right amount of readable descriptors.
Comment 35 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-22 13:56:10 UTC
ppc stable
Comment 36 Raúl Porcel (RETIRED) gentoo-dev 2008-02-24 14:36:11 UTC
alpha/ia64/sparc stable
Comment 37 Brent Baude (RETIRED) gentoo-dev 2008-02-24 19:55:23 UTC
ppc64 done
Comment 38 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 16:01:26 UTC
amd64 team:

Compiled fine, no collisions, seems to be multilib safe, tests passed:

=====================================================================
TEST RESULT SUMMARY
---------------------------------------------------------------------
Exts skipped    :   52
Exts tested     :   27
---------------------------------------------------------------------

Number of tests : 5028              3870
Tests skipped   : 1158 ( 23.0%) --------
Tests warned    :    3 (  0.1%) (  0.1%)
Tests failed    :    7 (  0.1%) (  0.2%)
Tests passed    : 3860 ( 76.8%) ( 99.7%)
---------------------------------------------------------------------
Time taken      :  785 seconds
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
SOAP typemap 1: SoapServer support for typemap's from_xml() [ext/soap/tests/typemap001.phpt]
SOAP Typemap 3: SoapClient support for typemap's from_xml() [ext/soap/tests/typemap003.phpt]
SOAP typemap 5: SoapServer support for typemap's from_xml() (without WSDL) [ext/soap/tests/typemap005.phpt]
SOAP Typemap 7: SoapClient support for typemap's from_xml() (without WSDL) [ext/soap/tests/typemap007.phpt]
Test array_merge_recursive() function : usage variations - common key and value(Bug#43559) [ext/standard/tests/array/array_merge_recursive_variation9.phpt]
Test arsort() function : usage variations - sort integer/float values [ext/standard/tests/array/arsort_variation3.phpt]
htmlentities() test 2 (setlocale / fr_FR.ISO-8859-15) [ext/standard/tests/strings/htmlentities02.phpt] (warn: possibly braindead libc)
htmlentities() test 4 (setlocale / ja_JP.EUC-JP) [ext/standard/tests/strings/htmlentities04.phpt] (warn: possibly braindead libc)
htmlentities() test 15 (setlocale / KOI8-R) [ext/standard/tests/strings/htmlentities15.phpt] (warn: possibly braindead libc)
Test setlocale() function : usage variations - Setting all available locales in the platform [ext/standard/tests/strings/setlocale_variation2.phpt]
=====================================================================

 $=> emerge --info
Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.23-gentoo-r8 x86_64 AMD Sempron(tm) Processor 2600+
Timestamp of tree: Mon, 25 Feb 2008 06:30:03 +0000
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.61-r1
sys-devel/automake:  1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=athlon64 -mtune=athlon64 -msse3 -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -march=athlon64 -mtune=athlon64 -msse3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="ru_RU.UTF-8"
LDFLAGS="-Wl,--as-needed"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl amd64 berkdb bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 isdnlog midi mmx mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session spl sse sse2 ssl tcpd truetype-fonts type1-fonts unicode xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

manitsbt works with it. Please, mark stable.
Comment 39 Steve Dibb (RETIRED) gentoo-dev 2008-02-28 04:30:17 UTC
amd64 stable
Comment 40 Peter Volkov (RETIRED) gentoo-dev 2008-02-28 08:54:52 UTC
Fixed in release snapshot.
Comment 41 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-28 13:17:11 UTC
This one is ready for GLSA vote.
Comment 42 Jakub Moc (RETIRED) gentoo-dev 2008-03-03 16:27:31 UTC
Removing remaining arches, we're going to have another stabilization round for 5.2.6_rc1 and I guess the GLSA could wait for that as well. :)
Comment 43 Hans Rakers 2008-03-03 16:53:37 UTC
(In reply to comment #42)
> Removing remaining arches, we're going to have another stabilization round for
> 5.2.6_rc1 and I guess the GLSA could wait for that as well. :)
> 

Ehm, you are seriously thinking about stabilizing a php RC? RC1 even... History has taught me that PHP RC's are far from stable. Even final releases have been pulled in the past due to serious fuckups!

Seriously, leave the testing to the PHP QA team, and don't go stabilizing PHP release candidates!

I totally understand your frustration about the fuckups upstream and the constant need for patches, but I don't understand why the recent security issues with 5.2.5 resulted in the stabilization of SVN checkouts of 5.2 HEAD (and the current plan to stabilize 5.2.6RC1).

Why not just wait until the final release?
Comment 44 Jakub Moc (RETIRED) gentoo-dev 2008-03-03 17:11:26 UTC
(In reply to comment #43)
> Ehm, you are seriously thinking about stabilizing a php RC? RC1 even... 

Yeah, seriously. It's no worse than stabilizing a CVS snapshot... :P See Bug 212211 for tons of other reasons.
Comment 45 Christian Hoffmann (RETIRED) gentoo-dev 2008-03-03 17:14:45 UTC
(In reply to comment #43)

Hans, we do not like stabling non-release versions of php either. We cannot
leave security issues unfixed for such a long time (we are going to write an
open letter regarding this to php upstream) and only have two possibilities:
Grabbing all patches from CVS and patching the most recent release or packaging
a snapshot. In case of php-5.2.5 we decided to go with a snapshot as the amount
of patches was very high and we (or rather I) thought it would be less work for
us and less troublesome for users. As you know, it turned out to be a very
troublesome snapshot. I already noted on IRC that I'll probably never package a
snapshot again and go through the hard process of grabbing all patches from CVS
instead.
This has happened and can't be reverted. I'd not consider my acting wrong,
rather sub-optimal.
Stabling a release candidate is still way better than leaving the snapshot
latest stable, so I still think this is the right thing to do now.

Sorry for any inconvenience, things simply do not work as expected every time...
Comment 46 Hans Rakers 2008-03-03 22:32:14 UTC
Aw crap, bug 212211 looks serious indeed. OK, I will test the rc1 ebuild on one of our dev boxes tomorrow and report back if wanted/needed.

Thanks for the clear answer Christian. I understand your position, especially after seeing bug 212211 :)
Comment 47 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 02:23:59 UTC
This should be glsa'd together with bug #212211.
Comment 48 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-16 16:14:41 UTC
GLSA 200811-05, thanks everyone, especially hoffie.
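
The affected range in this bug's summary (dev-lang/php < 5.2.5_p20080206) can be checked mechanically against the versions named in the thread. The following is an added example, not code from the bug report or from Portage: `vercmp`, `is_affected` and `classify` are hypothetical helpers implementing a simplified subset of Gentoo version ordering, and the bound is taken from the summary line only. It also shows why the `p20080602` typo corrected in comment 1 matters for such a check.

```python
import re

# Suffix ordering assumed here: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)


def _cmp(a, b):
    return (a > b) - (a < b)


def parse(version):
    """Split a bare version string (no category/package prefix) into parts."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError("not a version string this example understands: %r" % version)
    suffixes = [
        (_SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))
    ]
    return (m.group("nums").split("."), m.group("letter") or "",
            suffixes, int(m.group("rev") or 0))


def _cmp_component(a, b):
    # Components with a leading zero compare as strings with trailing
    # zeros stripped; all others compare as integers.
    if a.startswith("0") or b.startswith("0"):
        return _cmp(a.rstrip("0"), b.rstrip("0"))
    return _cmp(int(a), int(b))


def vercmp(a, b):
    """Return -1, 0 or 1 if version a is older than, equal to or newer than b."""
    na, la, sa, ra = parse(a)
    nb, lb, sb, rb = parse(b)
    c = _cmp(int(na[0]), int(nb[0]))  # first component is always numeric
    if c:
        return c
    for x, y in zip(na[1:], nb[1:]):
        c = _cmp_component(x, y)
        if c:
            return c
    c = _cmp(len(na), len(nb)) or _cmp(la, lb)
    if c:
        return c
    # A missing suffix ranks as (0, 0): above _rc/_pre/_beta/_alpha, below _p.
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else (0, 0)
        y = sb[i] if i < len(sb) else (0, 0)
        c = _cmp(x, y)
        if c:
            return c
    return _cmp(ra, rb)


# First unaffected version, taken from the bug summary.
FIRST_FIXED = "5.2.5_p20080206"


def is_affected(version, first_fixed=FIRST_FIXED):
    return vercmp(version, first_fixed) < 0


def classify(versions, first_fixed=FIRST_FIXED):
    return {v: is_affected(v, first_fixed) for v in versions}


# Versions that appear in the comments of this bug.
THREAD_VERSIONS = ["5.2.5-r1", "5.2.5_p20080206", "5.2.5_p20080206-r2",
                   "5.2.5_p20080206-r3", "5.2.6_rc1"]

if __name__ == "__main__":
    for version, affected in classify(THREAD_VERSIONS).items():
        print("%-22s %s" % (version, "AFFECTED" if affected else "ok"))
    # With the mistyped bound from the description, the fixed ebuilds
    # would be reported as still affected.
    print(classify(["5.2.5_p20080206-r3"], "5.2.5_p20080602"))
```
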