Debian Bug report logs - #658893
Call-time pass-by-reference has been removed from php5 (>= 5.4)

Package: lwat; Maintainer for lwat is Patrick Winnertz <winnie@debian.org>;

Reported by: Ondřej Surý <ondrej@debian.org>

Date: Mon, 6 Feb 2012 15:57:05 UTC

Severity: serious

Tags: sid, wheezy

Found in version lwat/0.17-4.2

Fixed in version 0.17-4.2+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat. (Mon, 06 Feb 2012 15:57:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
New Bug report received and forwarded. Copy sent to Patrick Winnertz <winnie@debian.org>. (Mon, 06 Feb 2012 15:57:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Call-time pass-by-reference has been removed from php5 (>= 5.4)
Date: Mon, 06 Feb 2012 16:52:57 +0100

Package: lwat
Version: 0.17-4.2
Severity: important
User: pkg-php-maint@lists.alioth.debian.org
Usertags: php54

Dear maintainer,

package lwat currently fails to parse correctly with
PHP 5.4 with the following error(s):

PHP Parse error:  syntax error, unexpected '$base' (T_VARIABLE) in /usr/share/doc/lwat/examples/dummy-config.php on line 10
Errors parsing /usr/share/doc/lwat/examples/dummy-config.php
PHP Fatal error:  Call-time pass-by-reference has been removed in /usr/share/lwat/web/import.php on line 102
Errors parsing /usr/share/lwat/web/import.php

These errors were generated by php in lint mode.  To reproduce
please install php5-cli and run:

dpkg -L lwat | grep -E '\.php[54]?$' | xargs -I{} php -l {}

PHP 5.4 is planned to be included in wheezy, as such, this bug might
become RC if not fixed before 5.4 is uploaded to sid.

Thanks, 
--
Ondřej Surý <ondrej@debian.org>

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
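
The lint check described in the report above, as an added example (not part of the original message or of any Debian tooling): it keeps only regular files named .php, .php4 or .php5, runs the linter on each, and returns non-zero if any file is rejected. The function names and the two sample files, which show the removed call-time form beside its fixed form, are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a package's PHP files and list the ones PHP rejects.
# Function names and sample files are constructed, not from the report.

# Keep only regular files whose name ends in .php, .php4 or .php5.
list_php_files() {
    grep -E '\.php[54]?$' | while IFS= read -r path; do
        if [ -f "$path" ]; then printf '%s\n' "$path"; fi
    done
}

# Run "<linter> -l FILE" for each path on stdin; print the failing paths
# and return 1 if any file failed, 0 otherwise.
lint_php_files() {
    failed=0
    while IFS= read -r file; do
        # </dev/null keeps the linter from consuming the path list.
        if ! "$@" -l "$file" </dev/null >/dev/null 2>&1; then
            printf '%s\n' "$file"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed samples: the removed call-time form beside the fixed form.
make_samples() {
    cat > "$1/legacy.php" <<'EOF'
<?php
function bump($n) { $n++; }
$count = 0;
bump(&$count);  // call-time pass-by-reference: rejected by PHP >= 5.4
EOF
    cat > "$1/fixed.php" <<'EOF'
<?php
function bump(&$n) { $n++; }  // the reference is declared in the signature
$count = 0;
bump($count);
EOF
}

# Demo, only if a PHP CLI is installed. For a package, feed the filter
# from "dpkg -L lwat" instead of find.
if command -v php >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    if find "$tmp" -type f | list_php_files | lint_php_files php; then
        echo "all files parse"
    else
        echo "files listed above failed php -l"
    fi
    rm -rf "$tmp"
fi
```

Run before a PHP upgrade, the non-zero return makes the check usable as a gate in a package test or CI job.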




Severity set to 'serious' from 'important' Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Fri, 30 Mar 2012 15:24:06 GMT) Full text and rfc822 format available.

Added indication that bug 658893 blocks 666411 Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Fri, 30 Mar 2012 15:24:14 GMT) Full text and rfc822 format available.

Added tag(s) sid and wheezy. Request was from Gerfried Fuchs <rhonda@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 19:51:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat. (Sat, 05 May 2012 14:27:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sat, 05 May 2012 14:27:06 GMT) Full text and rfc822 format available.

Message #16 received at 658893@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: php5@packages.debian.org
Cc: debian-release@lists.debian.org, 658893@bugs.debian.org
Subject: php5 testing transition
Date: Sat, 05 May 2012 15:24:00 +0100

Hi,

I'd like to try and get php5 migrated to testing over the next couple of
days.  This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
had been in unstable for a month already and the diff from that looks
sane enough once you drop the auto-generated files.

The migration also implies aging some NMUs for packages which php5 now
breaks - specifically phpreports, php-{kolab-filter,openid,radius} and
zoph - but again the diffs look reasonable.  lwat would need removing,
but it's also had no upload of any variety in nearly 18 months and no
response to the "broken by php5.4" bug which has been serious for over a
month.

Thoughts?

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat. (Sat, 05 May 2012 15:45:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sat, 05 May 2012 15:45:02 GMT) Full text and rfc822 format available.

Message #21 received at 658893@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: php5@packages.debian.org, debian-release@lists.debian.org, 658893@bugs.debian.org
Subject: Re: php5 testing transition
Date: Sat, 5 May 2012 17:42:03 +0200

Hi Adam,

On Sat, May 5, 2012 16:24, Adam D. Barratt wrote:
> I'd like to try and get php5 migrated to testing over the next couple of
> days.  This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
> had been in unstable for a month already and the diff from that looks
> sane enough once you drop the auto-generated files.

From a security standpoint I'd like to add that we expect a new PHP
upstream rsn because of the highly publicised cgi vulnerability. I'm not
sure if it would affect your transition plan though; I thought I'd mention
it to be sure.


Thijs





Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat. (Sat, 05 May 2012 15:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sat, 05 May 2012 15:51:09 GMT) Full text and rfc822 format available.

Message #26 received at 658893@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: php5@packages.debian.org, debian-release@lists.debian.org, 658893@bugs.debian.org
Subject: Re: php5 testing transition
Date: Sat, 05 May 2012 16:47:25 +0100

On Sat, 2012-05-05 at 17:42 +0200, Thijs Kinkhorst wrote:
> On Sat, May 5, 2012 16:24, Adam D. Barratt wrote:
> > I'd like to try and get php5 migrated to testing over the next couple of
> > days.  This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
> > had been in unstable for a month already and the diff from that looks
> > sane enough once you drop the auto-generated files.
> 
> From a security standpoint I'd like to add that we expect a new PHP
> upstream rsn because of the highly publicised cgi vulnerability. I'm not
> sure if it would affect your transition plan though; I thought I'd mention
> it to be sure.

For some reason I had it in my head that 5.4.2 was the upstream version
with the fixed fix rather than the not-quite fixed fix.  That was part
of the motivation for the transition (also so that we could start the
uw-imap transition, which involves binNMUing php5), so I guess we should
wait for that and hope it is indeed soon and that the diff from 5.4.2
isn't big.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat. (Sat, 05 May 2012 18:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sat, 05 May 2012 18:45:03 GMT) Full text and rfc822 format available.

Message #31 received at 658893@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Thijs Kinkhorst <thijs@debian.org>, php5@packages.debian.org, debian-release@lists.debian.org, 658893@bugs.debian.org
Subject: Re: [php-maint] php5 testing transition
Date: Sat, 5 May 2012 20:39:46 +0200

On Sat, May 5, 2012 at 5:47 PM, Adam D. Barratt
<adam@adam-barratt.org.uk> wrote:
> On Sat, 2012-05-05 at 17:42 +0200, Thijs Kinkhorst wrote:
>> On Sat, May 5, 2012 16:24, Adam D. Barratt wrote:
>> > I'd like to try and get php5 migrated to testing over the next couple of
>> > days.  This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
>> > had been in unstable for a month already and the diff from that looks
>> > sane enough once you drop the auto-generated files.
>>
>> From a security standpoint I'd like to add that we expect a new PHP
>> upstream rsn because of the highly publicised cgi vulnerability. I'm not
>> sure if it would affect your transition plan though; I thought I'd mention
>> it to be sure.
>
> For some reason I had it in my head that 5.4.2 was the upstream version
> with the fixed fix rather than the not-quite fixed fix.

I think this is the case (e.g. 5.4.2 is the fixed version).

And in fact I was going to ask release team to help with transition after
it ages a little bit and fixed r-deps are 10 days old.

O.
-- 
Ondřej Surý <ondrej@sury.org>




Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat. (Sat, 05 May 2012 18:51:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sat, 05 May 2012 18:51:11 GMT) Full text and rfc822 format available.

Message #36 received at 658893@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Ondřej Surý <ondrej@debian.org>
Cc: Thijs Kinkhorst <thijs@debian.org>, php5@packages.debian.org, debian-release@lists.debian.org, 658893@bugs.debian.org
Subject: Re: [php-maint] php5 testing transition
Date: Sat, 05 May 2012 19:49:20 +0100

On Sat, 2012-05-05 at 20:39 +0200, Ondřej Surý wrote:
> On Sat, May 5, 2012 at 5:47 PM, Adam D. Barratt
> <adam@adam-barratt.org.uk> wrote:
> > On Sat, 2012-05-05 at 17:42 +0200, Thijs Kinkhorst wrote:
> >> On Sat, May 5, 2012 16:24, Adam D. Barratt wrote:
> >> > I'd like to try and get php5 migrated to testing over the next couple of
> >> > days.  This does mean aging the 5.4.2-1 upload somewhat, but 5.4.1~rc1-1
> >> > had been in unstable for a month already and the diff from that looks
> >> > sane enough once you drop the auto-generated files.
> >>
> >> From a security standpoint I'd like to add that we expect a new PHP
> >> upstream rsn because of the highly publicised cgi vulnerability. I'm not
> >> sure if it would affect your transition plan though; I thought I'd mention
> >> it to be sure.
> >
> > For some reason I had it in my head that 5.4.2 was the upstream version
> > with the fixed fix rather than the not-quite fixed fix.
> 
> I think this is the case (e.g. 5.4.2 is the fixed version).

I assume Thijs was referring to CVE-2012-2311, which covers the fix in
5.4.2 being incomplete.

> And in fact I was going to ask release team to help with transition after
> it ages a little bit and fixed r-deps are 10 days old.

I did notice that some of the NMUs for the r-deps were still quite
young, but the changes are largely trivial and in most cases affect only
a few lines of code so I'd be quite happy to age any/all of them.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat. (Sun, 06 May 2012 08:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Sun, 06 May 2012 08:03:03 GMT) Full text and rfc822 format available.

Message #41 received at 658893@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: "Ondrej Sury" <ondrej@debian.org>, php5@packages.debian.org, debian-release@lists.debian.org, 658893@bugs.debian.org
Subject: Re: [php-maint] php5 testing transition
Date: Sun, 6 May 2012 10:00:42 +0200

On Sat, May 5, 2012 20:49, Adam D. Barratt wrote:
> On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote:
>> > For some reason I had it in my head that 5.4.2 was the upstream
>> version
>> > with the fixed fix rather than the not-quite fixed fix.
>>
>> I think this is the case (e.g. 5.4.2 is the fixed version).
>
> I assume Thijs was referring to CVE-2012-2311, which covers the fix in
> 5.4.2 being incomplete.

PHP 5.4.2 does not fix the issue. Please see:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php-security.net/archives/9-New-PHP-CGI-exploit-CVE-2012-1823.html
https://twitter.com/i0n1c/status/198158078913417216


Cheers,
Thijs





Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat. (Mon, 07 May 2012 08:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Mon, 07 May 2012 08:03:03 GMT) Full text and rfc822 format available.

Message #46 received at 658893@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: php5@packages.debian.org
Cc: debian-release@lists.debian.org, 658893@bugs.debian.org
Subject: Re: [php-maint] php5 testing transition
Date: Mon, 7 May 2012 10:02:19 +0200

On Sun, May 6, 2012 10:00, Thijs Kinkhorst wrote:
> On Sat, May 5, 2012 20:49, Adam D. Barratt wrote:
>> On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote:
>>> > For some reason I had it in my head that 5.4.2 was the upstream
>>> version
>>> > with the fixed fix rather than the not-quite fixed fix.
>>>
>>> I think this is the case (e.g. 5.4.2 is the fixed version).
>>
>> I assume Thijs was referring to CVE-2012-2311, which covers the fix in
>> 5.4.2 being incomplete.
>
> PHP 5.4.2 does not fix the issue.

PHP upstream has now announced new releases for tomorrow, which also fix
another security issue:
http://www.php.net/archive/2012.php#id2012-05-06-1

It would be great if we could get that into unstable swiftly and then
start the migration process.


Cheers,
Thijs





Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat. (Tue, 08 May 2012 21:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Tue, 08 May 2012 21:42:12 GMT) Full text and rfc822 format available.

Message #51 received at 658893@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: php5@packages.debian.org, debian-release@lists.debian.org, 658893@bugs.debian.org
Subject: Re: [php-maint] php5 testing transition
Date: Tue, 08 May 2012 22:38:43 +0100

On Mon, 2012-05-07 at 10:02 +0200, Thijs Kinkhorst wrote:
> PHP upstream has now announced new releases for tomorrow, which also fix
> another security issue:
> http://www.php.net/archive/2012.php#id2012-05-06-1
> 
> It would be great if we could get that into unstable swiftly and then
> start the migration process.

Unfortunately, there's a slight problem with this.

php5 produces a php5-mysql binary package, and a mysql-5.5 package
taking over libmysqlclient-dev hit unstable this morning.  That means
that php5-mysql will end up with a dependency on libmysqlclient18, which
isn't in testing.  php5-mysql appears to have a bunch of r-deps, so
breaking it temporarily probably isn't the greatest plan either.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Winnertz <winnie@debian.org>:
Bug#658893; Package lwat. (Tue, 08 May 2012 21:48:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Patrick Winnertz <winnie@debian.org>. (Tue, 08 May 2012 21:48:13 GMT) Full text and rfc822 format available.

Message #56 received at 658893@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: php5@packages.debian.org, debian-release@lists.debian.org, 658893@bugs.debian.org
Subject: Re: [php-maint] php5 testing transition
Date: Tue, 08 May 2012 22:46:10 +0100

On Tue, 2012-05-08 at 22:38 +0100, Adam D. Barratt wrote:
> On Mon, 2012-05-07 at 10:02 +0200, Thijs Kinkhorst wrote:
> > PHP upstream has now announced new releases for tomorrow, which also fix
> > another security issue:
> > http://www.php.net/archive/2012.php#id2012-05-06-1
> > 
> > It would be great if we could get that into unstable swiftly and then
> > start the migration process.
> 
> Unfortunately, there's a slight problem with this.
> 
> php5 produces a php5-mysql binary package, and a mysql-5.5 package
> taking over libmysqlclient-dev hit unstable this morning.  That means
> that php5-mysql will end up with a dependency on libmysqlclient18, which
> isn't in testing.  php5-mysql appears to have a bunch of r-deps, so
> breaking it temporarily probably isn't the greatest plan either.

Julien pointed out on IRC that I possibly panicked a little too much
here.  mysql-5.{1,5} are separate source packages, so we'd "just" need
to wait for mysql-5.5 to be migratable.

Regards,

Adam





Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Thu, 10 May 2012 18:21:40 GMT) Full text and rfc822 format available.

Notification sent to Ondřej Surý <ondrej@debian.org>:
Bug acknowledged by developer. (Thu, 10 May 2012 18:21:40 GMT) Full text and rfc822 format available.

Message #61 received at 658893-done@bugs.debian.org (full text, mbox):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 434796-done@bugs.debian.org,434797-done@bugs.debian.org,443546-done@bugs.debian.org,444274-done@bugs.debian.org,457840-done@bugs.debian.org,499707-done@bugs.debian.org,499708-done@bugs.debian.org,504003-done@bugs.debian.org,568407-done@bugs.debian.org,573043-done@bugs.debian.org,573825-done@bugs.debian.org,576177-done@bugs.debian.org,576178-done@bugs.debian.org,576179-done@bugs.debian.org,658893-done@bugs.debian.org,669810-done@bugs.debian.org,
Cc: lwat@packages.debian.org, lwat@packages.qa.debian.org
Subject: Bug#672227: Removed package(s) from unstable
Date: Thu, 10 May 2012 18:20:03 +0000

Version: 0.17-4.2+rm

Dear submitter,

as the package lwat has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/672227

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Jun 2012 07:49:30 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:18:02 2014; Machine Name: buxtehude.debian.org