Debian Bug report logs - #658893
Call-time pass-by-reference has been removed from php5 (>= 5.4)
Reported by: Ondřej Surý <ondrej@debian.org>
Date: Mon, 6 Feb 2012 15:57:05 UTC
Severity: serious
Tags: sid, wheezy
Found in version lwat/0.17-4.2
Fixed in version 0.17-4.2+rm
Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat.
(Mon, 06 Feb 2012 15:57:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Ondřej Surý <ondrej@debian.org>:
New Bug report received and forwarded. Copy sent to Patrick Winnertz <winnie@debian.org>.
(Mon, 06 Feb 2012 15:57:08 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: lwat
Version: 0.17-4.2
Severity: important
User: pkg-php-maint@lists.alioth.debian.org
Usertags: php54
Dear maintainer,
package lwat currently fails to parse correctly with
PHP 5.4 with the following error(s):
PHP Parse error: syntax error, unexpected '$base' (T_VARIABLE) in /usr/share/doc/lwat/examples/dummy-config.php on line 10
Errors parsing /usr/share/doc/lwat/examples/dummy-config.php
PHP Fatal error: Call-time pass-by-reference has been removed in /usr/share/lwat/web/import.php on line 102
Errors parsing /usr/share/lwat/web/import.php
These errors were generated by php in the lint mode. To reproduce
please install php5-cli and run:
dpkg -L lwat | grep -E ".php[54]?" | xargs -i php -l {}
PHP 5.4 is planned to be included in wheezy, as such, this bug might
become RC if not fixed before 5.4 is uploaded to sid.
Thanks,
--
Ondřej Surý <ondrej@debian.org>
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
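
The fatal error reported above comes from a call site that writes `&$var` in the argument list. As an added example (not part of the original report and not lwat code), the following heuristic scanner flags such call sites without needing a PHP interpreter, while leaving alone the forms that remain legal (reference parameters in declarations, closures, `use (&$x)` and array literals). The function name and the sample source are assumptions made for illustration; `php -l` runs the real parser and remains the authoritative check.

```python
import re

# Comments and quoted strings are blanked first so "&$" inside them is ignored.
_NOISE = re.compile(
    r"//[^\n]*|#[^\n]*|/\*.*?\*/"
    r"|'(?:\\.|[^'\\])*'"
    r'|"(?:\\.|[^"\\])*"', re.S)
# Contexts where "(&$x" is still legal: declarations, closures, use(), array().
_LEGAL = re.compile(
    r"(?<![$\w>:])(?:function\b\s*&?\s*\w*|use|array|fn)\s*$", re.I)

def find_call_time_refs(php_source):
    """Return [(line, argument)] for each '&$var' passed at a call site."""
    code = _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), php_source)
    hits = []
    for m in re.finditer(r"[(,]\s*&\s*\$\w+", code):
        opener = m.start()
        if code[opener] == ",":  # walk back to the bracket enclosing this argument
            depth, opener = 0, opener - 1
            while opener >= 0:
                c = code[opener]
                if c in ")]":
                    depth += 1
                elif c in "([":
                    if depth == 0:
                        break
                    depth -= 1
                opener -= 1
        if opener < 0 or code[opener] == "[":
            continue  # unbalanced input, or a [..., &$x] array literal
        if _LEGAL.search(code[max(0, opener - 80):opener]):
            continue
        amp = code.index("&", m.start())
        hits.append((code.count("\n", 0, amp) + 1, m.group().lstrip("(, \t\n")))
    return hits

# Constructed sample (not lwat code): lines 6 and 7 use the removed syntax.
SAMPLE = r"""<?php
// "foo(&$x)" inside a comment or string is ignored
function load_entry(&$entry, $dn) { $entry['dn'] = $dn; }
$cb = function (&$row) use (&$total) { $total += $row; };
$pair = array(&$a, &$b);
load_entry(&$entry, "cn=test");
$ldap->import($conn, &$entry);
load_entry($entry, "cn=test");
"""

if __name__ == "__main__":
    for line, arg in find_call_time_refs(SAMPLE):
        print(f"line {line}: call-time pass-by-reference of {arg}")
```

Heredocs and inline HTML are not handled, so treat a hit as a pointer for review rather than a verdict.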
Severity set to 'serious' from 'important'
Request was from Adrian Bunk <bunk@stusta.de>
to control@bugs.debian.org.
(Fri, 30 Mar 2012 15:24:06 GMT) (full text, mbox, link).
Added indication that bug 658893 blocks 666411
Request was from Adrian Bunk <bunk@stusta.de>
to control@bugs.debian.org.
(Fri, 30 Mar 2012 15:24:14 GMT) (full text, mbox, link).
Added tag(s) sid and wheezy.
Request was from Gerfried Fuchs <rhonda@debian.org>
to control@bugs.debian.org.
(Sat, 14 Apr 2012 19:51:11 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat.
(Sat, 05 May 2012 14:27:06 GMT) (full text, mbox, link).
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>.
(Sat, 05 May 2012 14:27:06 GMT) (full text, mbox, link).
Message #16 received at 658893@bugs.debian.org (full text, mbox, reply):
Hi,
I'd like to try and get php5 migrated to testing over the next couple of
days. This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
had been in unstable for a month already and the diff from that looks
sane enough once you drop the auto-generated files.
The migration also implies aging some NMUs for packages which php5 now
breaks - specifically phpreports, php-{kolab-filter,openid,radius} and
zoph - but again the diffs look reasonable. lwat would need removing,
but it's also had no upload of any variety in nearly 18 months and no
response to the "broken by php5.4" bug which has been serious for over a
month.
Thoughts?
Regards,
Adam
Information forwarded
to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat.
(Sat, 05 May 2012 15:45:02 GMT) (full text, mbox, link).
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>.
(Sat, 05 May 2012 15:45:02 GMT) (full text, mbox, link).
Message #21 received at 658893@bugs.debian.org (full text, mbox, reply):
Hi Adam,
On Sat, May 5, 2012 16:24, Adam D. Barratt wrote:
> I'd like to try and get php5 migrated to testing over the next couple of
> days. This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
> had been in unstable for a month already and the diff from that looks
> sane enough once you drop the auto-generated files.
From a security standpoint I'd like to add that we expect a new PHP
upstream rsn because of the highly publicised cgi vulnerability. I'm not
sure if it would affect your transition plan though; I thought I'd mention
it to be sure.
Thijs
Information forwarded
to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat.
(Sat, 05 May 2012 15:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>.
(Sat, 05 May 2012 15:51:09 GMT) (full text, mbox, link).
Message #26 received at 658893@bugs.debian.org (full text, mbox, reply):
On Sat, 2012-05-05 at 17:42 +0200, Thijs Kinkhorst wrote:
> On Sat, May 5, 2012 16:24, Adam D. Barratt wrote:
> > I'd like to try and get php5 migrated to testing over the next couple of
> > days. This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
> > had been in unstable for a month already and the diff from that looks
> > sane enough once you drop the auto-generated files.
>
> From a security standpoint I'd like to add that we expect a new PHP
> upstream rsn because of the highly publicised cgi vulnerability. I'm not
> sure if it would affect your transition plan though; I thought I'd mention
> it to be sure.
For some reason I had it in my head that 5.4.2 was the upstream version
with the fixed fix rather than the not-quite fixed fix. That was part
of the motivation for the transition (also so that we could start the
uw-imap transition, which involves binNMUing php5), so I guess we should
wait for that and hope it is indeed soon and that the diff from 5.4.2
isn't big.
Regards,
Adam
Information forwarded
to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat.
(Sat, 05 May 2012 18:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>.
(Sat, 05 May 2012 18:45:03 GMT) (full text, mbox, link).
Message #31 received at 658893@bugs.debian.org (full text, mbox, reply):
On Sat, May 5, 2012 at 5:47 PM, Adam D. Barratt
<adam@adam-barratt.org.uk> wrote:
> On Sat, 2012-05-05 at 17:42 +0200, Thijs Kinkhorst wrote:
>> On Sat, May 5, 2012 16:24, Adam D. Barratt wrote:
>> > I'd like to try and get php5 migrated to testing over the next couple of
>> > days. This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
>> > had been in unstable for a month already and the diff from that looks
>> > sane enough once you drop the auto-generated files.
>>
>> From a security standpoint I'd like to add that we expect a new PHP
>> upstream rsn because of the highly publicised cgi vulnerability. I'm not
>> sure if it would affect your transition plan though; I thought I'd mention
>> it to be sure.
>
> For some reason I had it in my head that 5.4.2 was the upstream version
> with the fixed fix rather than the not-quite fixed fix.
I think this is the case (e.g. 5.4.2 is the fixed version).
And in fact I was going to ask release team to help with transition after
it ages a little bit and fixed r-deps are 10 days old.
O.
--
Ondřej Surý <ondrej@sury.org>
Information forwarded
to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat.
(Sat, 05 May 2012 18:51:11 GMT) (full text, mbox, link).
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>.
(Sat, 05 May 2012 18:51:11 GMT) (full text, mbox, link).
Message #36 received at 658893@bugs.debian.org (full text, mbox, reply):
On Sat, 2012-05-05 at 20:39 +0200, Ondřej Surý wrote:
> On Sat, May 5, 2012 at 5:47 PM, Adam D. Barratt
> <adam@adam-barratt.org.uk> wrote:
> > On Sat, 2012-05-05 at 17:42 +0200, Thijs Kinkhorst wrote:
> >> On Sat, May 5, 2012 16:24, Adam D. Barratt wrote:
> >> > I'd like to try and get php5 migrated to testing over the next couple of
> >> > days. This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
> >> > had been in unstable for a month already and the diff from that looks
> >> > sane enough once you drop the auto-generated files.
> >>
> >> From a security standpoint I'd like to add that we expect a new PHP
> >> upstream rsn because of the highly publicised cgi vulnerability. I'm not
> >> sure if it would affect your transition plan though; I thought I'd mention
> >> it to be sure.
> >
> > For some reason I had it in my head that 5.4.2 was the upstream version
> > with the fixed fix rather than the not-quite fixed fix.
>
> I think this is the case (e.g. 5.4.2 is the fixed version).
I assume Thijs was referring to CVE-2012-2311, which covers the fix in
5.4.2 being incomplete.
> And in fact I was going to ask release team to help with transition after
> it ages a little bit and fixed r-deps are 10 days old.
I did notice that some of the NMUs for the r-deps were still quite
young, but the changes are largely trivial and in most cases affect only
a few lines of code so I'd be quite happy to age any/all of them.
Regards,
Adam
Information forwarded
to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat.
(Sun, 06 May 2012 08:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>.
(Sun, 06 May 2012 08:03:03 GMT) (full text, mbox, link).
Message #41 received at 658893@bugs.debian.org (full text, mbox, reply):
On Sat, May 5, 2012 20:49, Adam D. Barratt wrote:
> On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote:
>> > For some reason I had it in my head that 5.4.2 was the upstream version
>> > with the fixed fix rather than the not-quite fixed fix.
>>
>> I think this is the case (e.g. 5.4.2 is the fixed version).
>
> I assume Thijs was referring to CVE-2012-2311, which covers the fix in
> 5.4.2 being incomplete.
PHP 5.4.2 does not fix the issue. Please see:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php-security.net/archives/9-New-PHP-CGI-exploit-CVE-2012-1823.html
https://twitter.com/i0n1c/status/198158078913417216
Cheers,
Thijs
Information forwarded
to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat.
(Mon, 07 May 2012 08:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>.
(Mon, 07 May 2012 08:03:03 GMT) (full text, mbox, link).
Message #46 received at 658893@bugs.debian.org (full text, mbox, reply):
On Sun, May 6, 2012 10:00, Thijs Kinkhorst wrote:
> On Sat, May 5, 2012 20:49, Adam D. Barratt wrote:
>> On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote:
>>> > For some reason I had it in my head that 5.4.2 was the upstream version
>>> > with the fixed fix rather than the not-quite fixed fix.
>>>
>>> I think this is the case (e.g. 5.4.2 is the fixed version).
>>
>> I assume Thijs was referring to CVE-2012-2311, which covers the fix in
>> 5.4.2 being incomplete.
>
> PHP 5.4.2 does not fix the issue.
PHP upstream has now announced new releases for tomorrow, which also fix
another security issue:
http://www.php.net/archive/2012.php#id2012-05-06-1
It would be great if we could get that into unstable swiftly and then
start the migration process.
Cheers,
Thijs
Information forwarded
to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat.
(Tue, 08 May 2012 21:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>.
(Tue, 08 May 2012 21:42:12 GMT) (full text, mbox, link).
Message #51 received at 658893@bugs.debian.org (full text, mbox, reply):
On Mon, 2012-05-07 at 10:02 +0200, Thijs Kinkhorst wrote:
> PHP upstream has now announced new releases for tomorrow, which also fix
> another security issue:
> http://www.php.net/archive/2012.php#id2012-05-06-1
>
> It would be great if we could get that into unstable swiftly and then
> start the migration process.
Unfortunately, there's a slight problem with this.
php5 produces a php5-mysql binary package, and a mysql-5.5 package
taking over libmysqlclient-dev hit unstable this morning. That means
that php5-mysql will end up with a dependency on libmysqlclient18, which
isn't in testing. php5-mysql appears to have a bunch of r-deps, so
breaking it temporarily probably isn't the greatest plan either.
Regards,
Adam
Information forwarded
to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat.
(Tue, 08 May 2012 21:48:13 GMT) (full text, mbox, link).
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>.
(Tue, 08 May 2012 21:48:13 GMT) (full text, mbox, link).
Message #56 received at 658893@bugs.debian.org (full text, mbox, reply):
On Tue, 2012-05-08 at 22:38 +0100, Adam D. Barratt wrote:
> On Mon, 2012-05-07 at 10:02 +0200, Thijs Kinkhorst wrote:
> > PHP upstream has now announced new releases for tomorrow, which also fix
> > another security issue:
> > http://www.php.net/archive/2012.php#id2012-05-06-1
> >
> > It would be great if we could get that into unstable swiftly and then
> > start the migration process.
>
> Unfortunately, there's a slight problem with this.
>
> php5 produces a php5-mysql binary package, and a mysql-5.5 package
> taking over libmysqlclient-dev hit unstable this morning. That means
> that php5-mysql will end up with a dependency on libmysqlclient18, which
> isn't in testing. php5-mysql appears to have a bunch of r-deps, so
> breaking it temporarily probably isn't the greatest plan either.
Julien pointed out on IRC that I possibly panicked a little too much
here. mysql-5.{1,5} are separate source packages, so we'd "just" need
to wait for mysql-5.5 to be migratable.
Regards,
Adam
Reply sent
to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility.
(Thu, 10 May 2012 18:21:40 GMT) (full text, mbox, link).
Notification sent
to Ondřej Surý <ondrej@debian.org>:
Bug acknowledged by developer.
(Thu, 10 May 2012 18:21:40 GMT) (full text, mbox, link).
Message #61 received at 658893-done@bugs.debian.org (full text, mbox, reply):
Version: 0.17-4.2+rm
Dear submitter,
as the package lwat has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see http://bugs.debian.org/672227
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.
Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 08 Jun 2012 07:49:30 GMT) (full text, mbox, link).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Jan 30 06:42:29 2024;
Machine Name:
bembo