Debian 9858 Published by

Debian Developer Ondřej Surý has released updated PHP 5.6.40, PHP 7.0.33 packages as well new 7.1.28, 7.2.17, and 7.3.4 packages for Debian GNU/Linux 8, 9 and 10



PHP 5.6.40 (Updated)
Backported from 7.1.28

- EXIF:
. Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
. Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)

- SQLite3:
. Added sqlite3.defensive INI directive. (BohwaZ)

Backported from 7.1.27

- Core:
. Fixed bug #77630 (rename() across the device may allow unwanted access during
processing). (Stas)

- EXIF:
. Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). (Stas)
. Fixed bug #77540 (Invalid Read on exif_process_SOFn). (Stas)
. Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas)
. Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas)

- PHAR:
. Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename).
(bishop)
. Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). (bishop)

- SPL:
. Fixed bug #77431 (openFile() silently truncates after a null byte). (cmb)
PHP 7.0.33 (Updated)
Backported from 7.1.28

- EXIF:
. Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
. Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)

- SQLite3:
. Added sqlite3.defensive INI directive. (BohwaZ)

Backported from 7.1.27

- Core:
. Fixed bug #77630 (rename() across the device may allow unwanted access during
processing). (Stas)

- EXIF:
. Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). (Stas)
. Fixed bug #77540 (Invalid Read on exif_process_SOFn). (Stas)
. Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas)
. Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas)

- PHAR:
. Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename).
(bishop)
. Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). (bishop)

- SPL:
. Fixed bug #77431 (openFile() silently truncates after a null byte). (cmb)

Backported from 7.1.26

- GD:
. Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
use-after-free). (cmb)
. Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)

- Mbstring:
. Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
. Fixed bug #77371 (heap buffer overflow in mb regex functions
- compile_string_node). (Stas)
. Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
. Fixed bug #77382 (heap buffer overflow due to incorrect length in
expand_case_fold_string). (Stas)
. Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
. Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
. Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)

- Phar:
. Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)

- Xmlrpc:
. Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
. Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
PHP 7.1.28
- EXIF:
. Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
. Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)

- SQLite3:
. Added sqlite3.defensive INI directive. (BohwaZ)
PHP 7.2.17
- Core:
. Fixed bug #77738 (Nullptr deref in zend_compile_expr). (Laruence)
. Fixed bug #77660 (Segmentation fault on break 2147483648). (Laruence)
. Fixed bug #77652 (Anonymous classes can lose their interface information).
(Nikita)
. Fixed bug #77676 (Unable to run tests when building shared extension on
AIX). (Kevin Adler)

- Bcmath:
. Fixed bug #77742 (bcpow() implementation related to gcc compiler
optimization). (Nikita)

- COM:
. Fixed bug #77578 (Crash when php unload). (cmb)

- Date:
. Fixed bug #50020 (DateInterval:createDateFromString() silently fails).
(Derick)
. Fixed bug #75113 (Added DatePeriod::getRecurrences() method). (Ignace
Nyamagana Butera)

- EXIF:
. Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
. Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)

- FPM:
. Fixed bug #77677 (FPM fails to build on AIX due to missing WCOREDUMP).
(Kevin Adler)

- GD:
. Fixed bug #77700 (Writing truecolor images as GIF ignores interlace flag).
(cmb)

- MySQLi:
. Fixed bug #77597 (mysqli_fetch_field hangs scripts). (Nikita)

- Opcache:
. Fixed bug #77691 (Opcache passes wrong value for inline array push
assignments). (Nikita)
. Fixed bug #77743 (Incorrect pi node insertion for jmpznz with identical
successors). (Nikita)

- phpdbg:
. Fixed bug #77767 (phpdbg break cmd aliases listed in help do not match
actual aliases). (Miriam Lauter)

- sodium:
. Fixed bug #77646 (sign_detached() strings not terminated). (Frank)

- SQLite3:
. Added sqlite3.defensive INI directive. (BohwaZ)

- Standard:
. Fixed bug #77664 (Segmentation fault when using undefined constant in
custom wrapper). (Laruence)
. Fixed bug #77669 (Crash in extract() when overwriting extracted array).
(Nikita)
. Fixed bug #76717 (var_export() does not create a parsable value for
PHP_INT_MIN). (Nikita)
. Fixed bug #77765 (FTP stream wrapper should set the directory as
PHP 7.3.4
- Core:
. Fixed bug #77738 (Nullptr deref in zend_compile_expr). (Laruence)
. Fixed bug #77660 (Segmentation fault on break 2147483648). (Laruence)
. Fixed bug #77652 (Anonymous classes can lose their interface information).
(Nikita)
. Fixed bug #77345 (Stack Overflow caused by circular reference in garbage
collection). (Alexandru Patranescu, Nikita, Dmitry)
. Fixed bug #76956 (Wrong value for 'syslog.filter' documented in php.ini).
(cmb)

- Apache2Handler:
. Fixed bug #77648 (BOM in sapi/apache2handler/php_functions.c). (cmb)

- Bcmath:
. Fixed bug #77742 (bcpow() implementation related to gcc compiler
optimization). (Nikita)

- CLI Server:
. Fixed bug #77722 (Incorrect IP set to $_SERVER['REMOTE_ADDR'] on the
localhost). (Nikita)

- COM:
. Fixed bug #77578 (Crash when php unload). (cmb)

- EXIF:
. Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
. Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)

- FPM:
. Fixed bug #77677 (FPM fails to build on AIX due to missing WCOREDUMP).
(Kevin Adler)

- GD:
. Fixed bug #77700 (Writing truecolor images as GIF ignores interlace flag).
(cmb)

- MySQLi:
. Fixed bug #77597 (mysqli_fetch_field hangs scripts). (Nikita)

- Opcache:
. Fixed bug #77743 (Incorrect pi node insertion for jmpznz with identical
successors). (Nikita)

- Phar:
. Fxied bug #77697 (Crash on Big_Endian platform). (Laruence)

- phpdbg:
. Fixed bug #77767 (phpdbg break cmd aliases listed in help do not match
actual aliases). (Miriam Lauter)

- sodium:
. Fixed bug #77646 (sign_detached() strings not terminated). (Frank)

- SQLite3:
. Added sqlite3.defensive INI directive. (BohwaZ)

- Standard:
. Fixed bug #77664 (Segmentation fault when using undefined constant in
custom wrapper). (Laruence)
. Fixed bug #77669 (Crash in extract() when overwriting extracted array).
(Nikita)
. Fixed bug #76717 (var_export() does not create a parsable value for
PHP_INT_MIN). (Nikita)
. Fixed bug #77765 (FTP stream wrapper should set the directory as
executable). (Vlad Temian)
  New PHP 5.6-7.3 Packages for Debian