
Bug#866351: stretch-pu: package phpunit/5.4.6-2~deb9u1



Hi Cyril,

On 30/06/2017 at 14:36, Cyril Brulebois wrote:
> Control: retitle -1 stretch-pu: package phpunit/5.4.6-2~deb9u1
> Control: tag -1 moreinfo

> David Prévot <taffit@debian.org> (2017-06-28):
>> Please, allow this patched version of phpunit, built and tested in a
>> Stretch environment, fixing an arbitrary PHP code execution via HTTP
>> POST [CVE-2017-9841], aka #866200.

> Stretch is Debian 9. :)

Ooops, things are moving so quickly…

> Please post an updated source debdiff with the proper version number for
> a last look before an ACK for the upload.

Attached (with package rebuilt, and tested again), thanks!

Regards

David
diff -Nru phpunit-5.4.6/debian/changelog phpunit-5.4.6/debian/changelog
--- phpunit-5.4.6/debian/changelog	2016-06-18 12:34:11.000000000 -1000
+++ phpunit-5.4.6/debian/changelog	2017-06-28 17:03:35.000000000 -1000
@@ -1,3 +1,18 @@
+phpunit (5.4.6-2~deb9u1) stretch; urgency=high
+
+  * Team upload
+  * Upload previous fix to Stretch
+
+ -- David Prévot <taffit@debian.org>  Wed, 28 Jun 2017 17:03:35 -1000
+
+phpunit (5.4.6-2) unstable; urgency=high
+
+  * Team upload
+  * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841]
+    (Closes: #866200)
+
+ -- David Prévot <taffit@debian.org>  Wed, 28 Jun 2017 16:43:26 -1000
+
 phpunit (5.4.6-1) unstable; urgency=medium
 
   * Team upload
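Review bot: the 5.4.6-2~deb9u1 entry only says "Upload previous fix to Stretch" and does not carry the CVE identifier or bug number itself; since the stretch-pu upload is what the security tracker and stretch users will see, consider repeating "[CVE-2017-9841] (Closes: #866200)" in that entry rather than relying on the reader to scroll down to the 5.4.6-2 entry. The version string sorts correctly below 5.4.6-2 and urgency=high is appropriate for a code-execution fix.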
diff -Nru phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch
--- phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch	1969-12-31 14:00:00.000000000 -1000
+++ phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch	2017-06-28 16:41:16.000000000 -1000
@@ -0,0 +1,34 @@
+From: Bob Weinand <bobwei9@hotmail.com>
+Date: Sun, 13 Nov 2016 18:52:50 +0100
+Subject: Correct fix for #1956
+
+Origin: upstream, https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
+Bug: https://github.com/sebastianbergmann/phpunit/pull/2356
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200
+---
+ src/Util/PHP/Template/TestCaseMethod.tpl.dist | 2 +-
+ src/Util/PHP/eval-stdin.php                   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist
+index 47ef6e4..c7172b9 100644
+--- a/src/Util/PHP/Template/TestCaseMethod.tpl.dist
++++ b/src/Util/PHP/Template/TestCaseMethod.tpl.dist
+@@ -58,7 +58,7 @@ function __phpunit_run_isolated_test()
+         $output = $test->getActualOutput();
+     }
+ 
+-    rewind(STDOUT);
++    @rewind(STDOUT); /* @ as not every STDOUT target stream is rewindable */
+     if ($stdout = stream_get_contents(STDOUT)) {
+         $output = $stdout . $output;
+     }
+diff --git a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php
+index fe1b8bd..3b3a6d0 100644
+--- a/src/Util/PHP/eval-stdin.php
++++ b/src/Util/PHP/eval-stdin.php
+@@ -1,3 +1,3 @@
+ <?php
+ 
+-eval('?>' . file_get_contents('php://input'));
++eval('?>' . file_get_contents('php://stdin'));
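Review bot: only the eval-stdin.php hunk addresses CVE-2017-9841, by switching the source of the evaluated code from php://input (an HTTP request body) to php://stdin (what the parent test runner pipes to the helper process); the @rewind(STDOUT) change in TestCaseMethod.tpl.dist is a separate robustness fix that rides along in the same upstream commit. A DEP-3 Description: line saying so would help a security reviewer confirm the relevant part at a glance. Note that the helper still unconditionally eval()s its standard input, so the packaging should keep src/Util/PHP/eval-stdin.php out of any directory that a web server could serve.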
diff -Nru phpunit-5.4.6/debian/patches/series phpunit-5.4.6/debian/patches/series
--- phpunit-5.4.6/debian/patches/series	2016-06-18 12:15:55.000000000 -1000
+++ phpunit-5.4.6/debian/patches/series	2017-06-28 16:41:16.000000000 -1000
@@ -1 +1,2 @@
 0001-Remove-Composer-autoload.patch
+0002-Correct-fix-for-1956.patch
