Bug 147061 - dev-lang/php-{4,5}*: php_admin* INI settings bypass
Summary: dev-lang/php-{4,5}*: php_admin* INI settings bypass
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://securityreason.com/achievement...
Whiteboard: B4? [noglsa] jaervosz
Keywords:
Duplicates: 152473
Depends on:
Blocks:
 
Reported: 2006-09-10 06:03 UTC by Luca Longinotti (RETIRED)
Modified: 2009-01-11 19:04 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
List of tests allowed to fail, based on a x86 install (failed_tests_x86_new,2.59 KB, text/plain)
2006-09-10 06:05 UTC, Luca Longinotti (RETIRED)

Description Luca Longinotti (RETIRED) gentoo-dev 2006-09-10 06:03:50 UTC
See the advisory for additional info.
This was just fixed in our dev-lang/php packages, which also fix an open_basedir/safe_mode bypass in the imap_reopen() function and update Hardened-PHP to 0.4.15 (which fixes various issues with it), compared to our latest stable.
Tests this time work better (fewer failures), just remember to have both the "cli" and "cgi" USE flags enabled for all tests to run at their best, and follow the other observations in bug https://bugs.gentoo.org/show_bug.cgi?id=143126#c8
The new packages that need stabling from the arch-teams are dev-lang/php-4.4.4-r4 and dev-lang/php-5.1.6-r4, thanks!
Best regards, CHTEKK.
Comment 1 Luca Longinotti (RETIRED) gentoo-dev 2006-09-10 06:05:33 UTC
Created attachment 96584 [details]
List of tests allowed to fail, based on a x86 install
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-10 11:07:01 UTC
Luca, thx for the notification.

Arches please test and mark stable.
Comment 3 Markus Meier gentoo-dev 2006-09-10 12:05:49 UTC
1.) dev-lang/php-5.1.6-r4 emerges fine on x86 with USE="apache2 berkdb cli crypt gdbm ipv6 ldap ncurses nls pcre readline reflection session spell spl ssl threads truetype unicode xml zlib"
2.) passes collision-test
3.) make test has failed the following 2 tests:
Test for abstract static classes [Zend/tests/abstract-static.phpt]
Bug #20134 (UDP reads from invalid ports) [ext/standard/tests/network/bug20134.phpt]
4.) works with apache2

emerge --info
Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-rc6 i686)
=================================================================
System uname: 2.6.18-rc6 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.4
Last Sync: Sun, 10 Sep 2006 13:30:09 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.3.5-r2, 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-Os -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 X aac acpi alsa apache2 asf avi berkdb bitmap-fonts cairo cdr cdrom cli crypt cups dbus divx dlloader dri dts dvd dvdr eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre pdflib perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 4 Markus Meier gentoo-dev 2006-09-10 12:43:37 UTC
1.) dev-lang/php-4.4.4-r4 emerges on x86 with USE="apache2 berkdb cli crypt gdbm ipv6 ldap ncurses nls pcre readline session spell ssl threads truetype unicode xml zlib"

QA Notice: the following files contain runtime text relocations
 Text relocations force the dynamic linker to perform extra
 work at startup, waste system resources, and may pose a security
 risk.  On some architectures, the code may not even function
 properly, if at all.
 For more information, see http://hardened.gentoo.org/pic-fix-guide.xml
 Please include this file in your report:
 /var/tmp/portage/php-4.4.4-r4/temp/scanelf-textrel.log
TEXTREL usr/lib/apache2/modules/libphp4.so


2.) passes collision-test
3.) the following make test failed:
FAILED TEST SUMMARY
---------------------------------------------------------------------
Simple POST Method test [tests/basic/002.phpt]
GET and POST Method combined [tests/basic/003.phpt]
Two variables in POST data [tests/basic/004.phpt]
Three variables in POST data [tests/basic/005.phpt]
Testing $argc and $argv handling (GET) [tests/basic/011.phpt]
Bug #25145 (SEGV on recpt of form input with name like "123[]") [tests/lang/bug25145.phpt]
Bug #35239 (Objects can lose references) [tests/lang/bug35239.phpt]
Bug #24155 (gdImageRotate270 rotation problem). [ext/gd/tests/bug24155.phpt]
Bug #27582 (ImageFillToBorder() on alphablending image looses alpha on fill color) [ext/gd/tests/bug27582_1.phpt]
mb_http_input() [ext/mbstring/tests/mb_http_input.phpt]

4.) but works with apache2


Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-rc6 i686)
=================================================================
System uname: 2.6.18-rc6 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.4
Last Sync: Sun, 10 Sep 2006 13:30:09 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.3.5-r2, 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-Os -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 X aac acpi alsa apache2 asf avi berkdb bitmap-fonts cairo cdr cdrom cli crypt cups dbus divx dlloader dri dts dvd dvdr eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre pdflib perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 5 Luca Longinotti (RETIRED) gentoo-dev 2006-09-10 15:19:12 UTC
(In reply to comment #4)
> QA Notice: the following files contain runtime text relocations
> TEXTREL usr/lib/apache2/modules/libphp4.so

Yes, this is normal, enable the "pic" USE flag to get it without TEXTRELs. We don't do this by default because we benchmarked a ~20% performance hit when building PIC code, PHP Team has confirmed our benchmarks... and that's it. :)

> 3.) the following make test failed:
> FAILED TEST SUMMARY
> ---------------------------------------------------------------------
> Simple POST Method test [tests/basic/002.phpt]
> GET and POST Method combined [tests/basic/003.phpt]
> Two variables in POST data [tests/basic/004.phpt]
> Three variables in POST data [tests/basic/005.phpt]
> Testing $argc and $argv handling (GET) [tests/basic/011.phpt]
> Bug #25145 (SEGV on recpt of form input with name like "123[]")
> [tests/lang/bug25145.phpt]
> Bug #35239 (Objects can lose references) [tests/lang/bug35239.phpt]
> Bug #24155 (gdImageRotate270 rotation problem). [ext/gd/tests/bug24155.phpt]
> Bug #27582 (ImageFillToBorder() on alphablending image looses alpha on fill
> color) [ext/gd/tests/bug27582_1.phpt]
> mb_http_input() [ext/mbstring/tests/mb_http_input.phpt]

All of these are expected, some are in the list of allowed failures, and the others fail because you don't have the "cgi" USE flag enabled. I still need to fix the PHP 4.4 tests to handle that more gracefully. :)

Best regards, CHTEKK.
Comment 6 Andrej Kacian (RETIRED) gentoo-dev 2006-09-10 15:35:50 UTC
php-4.4.4-r4 and php-5.1.6-r4 marked stable on x86. Thanks for testing.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2006-09-10 20:00:05 UTC
SPARC stable
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2006-09-11 00:02:58 UTC
ppc64 stable
Comment 9 Thomas Cort (RETIRED) gentoo-dev 2006-09-11 07:15:30 UTC
stable on alpha and amd64.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-11 09:46:33 UTC
ppc stable
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2006-09-13 16:10:43 UTC
Stable on ia64.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-19 00:33:33 UTC
hppa mailed.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-20 13:53:24 UTC
hppa already stable

  16 Sep 2006; Rene Nussbaumer <killerfox@gentoo.org> php-4.4.4-r4.ebuild,
  php-5.1.6-r4.ebuild:
  Stable on hppa. See bug #147061.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-20 14:02:39 UTC
Thx for the note Tobias.

This is ready for GLSA vote. I tend to vote NO.
Comment 15 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-26 11:21:54 UTC
tend to vote no too
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-26 13:03:36 UTC
Security please vote.
Comment 17 Tavis Ormandy (RETIRED) gentoo-dev 2006-09-27 00:56:37 UTC
I would also vote NO, safe_mode bypass is not a security flaw.
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-27 12:23:33 UTC
I vote no-glsa too, and closing. Feel free to reopen if you disagree.

ARM, S390, SH, don't forget to stabilize it
Comment 19 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-09 13:19:57 UTC
*** Bug 152473 has been marked as a duplicate of this bug. ***