Summary: | dev-libs/libxml2-2.7.x breaks the xml_parse_into_struct php function | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | valli <gentoo> |
Component: | New packages | Assignee: | PHP Bugs <php-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | craig, gnome, hanno, hans, jer, security, steeeeeveee, TrinitronX, wladyx |
Priority: | High | Keywords: | InVCS, STABLEREQ |
Version: | unspecified | ||
Hardware: | AMD64 | ||
OS: | Linux | ||
URL: | http://bugs.php.net/45996 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
valli
2008-12-03 12:58:33 UTC
Is there an UPSTREAM bug report?

MT`AwAy reported this on #gentoo-php yesterday already and did some investigation (thanks!). Here is the outcome: PHP messes with libxml2-internal data structures, which changed in the new 2.7 version. There are multiple ways to mitigate the problem:

a) Mask libxml2-2.7.x
b) Have PHP block >=libxml2-2.7
c) Patch libxml2 to revert these changes
d) Patch PHP to work with the changes
e) Have PHP link to expat explicitly, which disables the compat layer, which is the only part in PHP which exhibits this problem

a) and b) are not possible for security reasons and because the problem is limited to PHP and its great property of playing with non-API parts of a library (these statements are based on the findings by the mentioned user). c) is not a nice solution for similar reasons. d) would be the best solution, but someone would have to fully research the issue first and prepare a patch... (might be impossible to do, after all, who knows). e) would be the next solution, which I could think of; should not have any side effects, but it introduces a new dependency on expat...

Moving the bug to php team as this is more likely a problem in PHP than in libxml2, at least this is my current understanding.

This bug seems to be known already, see $URL. No really new information though...

During the latest libxml2 security bugs embargo lift date I asked upstream if they are releasing a new version for the security bug. The answer was basically to patch it, so that a 2.7.2 release can contain a fix or workaround for some then unspecified (to me) PHP expat problem. I assume there's a libxml2 upstream bug report too then

gnome: I just backported the security fix (CVE-2008-4225, CVE-2008-4226) from bug #245960 to libxml2-2.6.32-r1, please stabilize 2.6.32-r1 ASAP, and package.mask 2.7.x.

security: you're going to need to update the GLSA because of the breakage that 2.7.x is causing.
severity raised to critical because it managed to temporarily break at least one infra box before I caught it and downgraded again.

Can't PHP stop using private struct members or what's the real issue here? They are talking about some mysterious patch I want to see, validate and include..

I can't see an ABI compatible fix for CVE-2008-3281 and a fix for CVE-2008-3529 in libxml2-2.6.32-r1. I believe one of them deals with entities and that security fix might break PHP...

This should be fixed in PHP rather than masking latest versions of libxml2.

With dev-libs/libxml2-2.6.32-r1 the bug doesn't occur. Please stabilize it.

According to the latest posts from scottmac and rrichards in http://bugs.php.net/45996 the bug is in libxml2 (not in php). Although I can't find neither a libxml2 patch nor an entry in the libxml2 bug reporting tool.

(In reply to comment #8)
> With dev-libs/libxml2-2.6.32-r1 the bug doesn't occur.
> Please stabilize it.
>

2.6.32-r1 is dead and for good reason, it caused more breakage than expected and was punted as soon as 2.7 entered the tree to fix security issues. It means 2.6.32 and lower have security issues and there is no way we mask later releases. We will wait until the libxml patch is available to provide a fixed libxml in gentoo. In the meantime, workarounds have been described on the php bug already.

(In reply to comment #8)
> With dev-libs/libxml2-2.6.32-r1 the bug doesn't occur.
> Please stabilize it.

It has two known security bugs, not a responsible thing to do...

> According to the latest posts from scottmac and rrichards in
> http://bugs.php.net/45996 the bug is in libxml2 (not in php).

No, it is not really a bug in libxml2 in its true sense. It is PHP using it in a way that was not officially supported by libxml2. SAX/expat like parsing or something like that? Anyway, yes, the solution can happen in libxml2 as a new public feature, and rrichards is working on that in cooperation with the libxml2 author.
> Although I can't find neither a libxml2 patch
> nor an entry in the libxml2 bug reporting tool.

Neither could I, but stuff is moving now between PHP and libxml2 respective authors/maintainers.

I will not OK a stabilization of 2.6.32-r1 when it has known security bugs. Also, it shouldn't be called -r1, because -r1 was an old revision that broke ABI and was in ~arch for a day before p.masked and then removed, so it should be -r2, but it shouldn't be at all if there are the known security bugs there. Fix for one of the security bugs to my knowledge was what made it incompatible with the way PHP was using it in the first place I think (but not sure).

gnome team, can you please provide a 2.7.x ebuild with this changeset applied? http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3807 According to Richard, there will be a new release of libxml2 with this change around 20th of January, but I think we could fix this earlier. I'll provide a new revision of php to make the necessary changes there in a minute.

(In reply to comment #11)
> gnome team, can you please provide a 2.7.x ebuild with this changeset applied?
> http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3807

Included in dev-libs/libxml2-2.7.2-r2
So done from our side.

> According to Richard, there will be a new release of libxml2 with this change
> around 20th of January, but I think we could fix this earlier.

By latest 20th January, hopefully much earlier. But now we aren't in a rush anymore with that.

> I'll provide a new revision of php to make the necessary changes there in a
> minute.

Go right ahead :)

I'm slacking, I know. :) php-5.2.8-r2 is in the tree now, which has the fix, along with some others. Arches, please make sure that no ext/xml/tests* fails, when testing this version.
To fix this bug, we need the following packages stable:

=dev-libs/libxml2-2.7.2-r2
=dev-lang/php-5.2.8-r2

Target keywords: alpha amd64 arm hppa ia64 (m68k) ppc ppc64 s390 sh sparc x86

(Technically m68k is not needed, because php isn't keyworded for it, but I guess we want libxml2 KEYWORDS to be the same on all arches). I will request stabilization in the next 1-2 days, leio already gave his OK for libxml2-2.7.2-r2. In the meantime, some positive (real world) test reports would be great. :)

Thanks for fixing this! I tested =dev-libs/libxml2-2.7.2-r2 =dev-lang/php-5.2.8-r2 on amd64 with some typo3 installations. No problems so far.

Arches, please mark the versions of libxml and php as noted in comment 13 stable. (Why I've waited for so long? Mainly for time reasons, but hanno also reported a regression because of another bugfix (Apache/mod_php)).

Adding arches ;)

Stable for HPPA.

(In reply to comment #16)
> Adding arches ;)
>

You forgot alpha and amd64. Added.

amd64 stable.

dev-libs/libxml2-2.7.2-r2: all tests passed.
dev-lang/php-5.2.8-r2:

```
TEST RESULT SUMMARY
---------------------------------------------------------------------
Exts skipped    :   42
Exts tested     :   37
---------------------------------------------------------------------
Number of tests : 6610              4884
Tests borked    :    1 (  0.0%) --------
Tests skipped   : 1725 ( 26.1%) --------
Tests warned    :    1 (  0.0%) (  0.0%)
Tests failed    :    4 (  0.1%) (  0.1%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    : 4879 ( 73.8%) ( 99.9%)
---------------------------------------------------------------------
Time taken      :  345 seconds
=====================================================================
=====================================================================
BORKED TEST SUMMARY
---------------------------------------------------------------------
duplicated INI section [/var/tmp/portage/dev-lang/php-5.2.8-r2/work/php-5.2.8/ext/json/tests/bug41567.phpt]
=====================================================================
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #41125 (PDO mysql + quote() + prepare() can result in seg fault) [ext/pdo_mysql/tests/bug41125.phpt]
Bug #44327 (PDORow::queryString property & numeric offsets / Crash) [ext/pdo_mysql/tests/bug44327.phpt]
readline_callback_handler_install(): Basic test [ext/readline/tests/readline_callback_handler_install_001.phpt]
readline_callback_handler_remove(): Basic test [ext/readline/tests/readline_callback_handler_remove_001.phpt]
htmlentities() test 4 (setlocale / ja_JP.EUC-JP) [ext/standard/tests/strings/htmlentities04.phpt] (warn: possibly braindead libc)
```

ppc64 done

ppc stable

Hello, I have been trying to update php to a more recent version due to the GLSA 200811-05. However, this dependency is masked in gentoo-hardened. Are these fixes stable for i686 and gentoo-hardened profile yet?
```
$ emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6"
Calculating dependencies /
!!! All ebuilds that could satisfy ">=dev-libs/libxml2-2.7.2-r2" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-libs/libxml2-2.7.2-r2 (masked by: ~x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or
refer to the Gentoo Handbook.
(dependency required by "dev-lang/php-5.2.8-r2" [ebuild])
```

x86 stable

Jim, please retry now after syncing.

Stable on alpha.

```
IUSE.invalid 3
dev-lang/php/php-5.2.6-r7.ebuild: pic
dev-lang/php/php-5.2.8-r1.ebuild: pic
dev-lang/php/php-5.2.8-r2.ebuild: pic
```

sparc stable

arm/ia64 stable

m68k/s390/sh stable

I wonder why this bug is still open, both php and libxml2 have been fixed and stable on all required arches... so, closing. Thanks to all involved parties. :)