There are some reports about PHP crashes, when using php-imap
(especially with OpenSSL and TSL 1.3). All this problems went away,
when using the panda-cclient instead of the old cclient.
Therefore we make the panda-cclient the new default,
but still allow cclient in order to allow backwards compatibility.
Special thanks to bofh for figuring out the complex details and
the solution!
Special thanks to Jason for being patience and
helpful about so many months!
Reported by: Jason de Cordoba <jason@aventia.pw>
Reviewed by: bofh
Sponsored by: Bounce Experts
Core:
Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)
Sponsored by: Bounce Experts
Changelog:
Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).
Fixed bug #79330 (shell_exec() silently truncates after a null byte).
Fixed bug #79465 (OOB Read in urldecode()).
Changelog taken from: https://www.php.net/ChangeLog-7.php#7.2.30
Currently when building lang/php72 with MYSQLND=off, its im possible to
build databases/php72-mysqli. When the option MYSQLND was added, we expected
users to not use mysqli at all after disabling this option.
This has proven to be wrong, so we patch the build to be work again.
patch-ext_mysqli_mysqli__api.c was submitted by Сергей <joker@pinnet.ru>.
Changelog:
Core:
Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
Fixed bug #78620 (Out of memory error).
Exif:
Fixed bug #78442 ('Illegal component' on exif_read_data since PHP7) (Kalle)
FPM:
Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)
MBString:
Fixed bug #78579 (mb_decode_numericentity: args number inconsistency).
Fixed bug #78609 (mb_check_encoding() no longer supports stringable objects).
MySQLi:
Fixed bug #76809 (SSL settings aren't respected when persistent connections are used).
PDO_MySQL:
Fixed bug #78623 (Regression caused by "SP call yields additional empty result set").
Session:
Fixed bug #78624 (session_gc return value for user defined session handlers).
Standard:
Fixed bug #76342 (file_get_contents waits twice specified timeout).
Fixed bug #78612 (strtr leaks memory when integer keys are used and the subject string shorter).
Fixed bug #76859 (stream_get_line skips data if used with data-generating filter).
Zip:
Fixed bug #78641 (addGlob can modify given remove_path value).
Changelog taken from: https://www.php.net/ChangeLog-7.php#7.2.24
MFH: 2019Q4
pkg-message currently states the advice to add WITH_MPM=event
if its build by poudriere and with ZTS option enabled.
This is also true if Synth is used, therefore adding it.
Reported by: Dennis <denradford@gmail.com>
Changelog:
Core:
Fixed bug #77738 (Nullptr deref in zend_compile_expr).
Fixed bug #77660 (Segmentation fault on break 2147483648).
Fixed bug #77652 (Anonymous classes can lose their interface information).
Fixed bug #77676 (Unable to run tests when building shared extension on AIX).
Bcmath:
Fixed bug #77742 (bcpow() implementation related to gcc compiler optimization).
COM:
Fixed bug #77578 (Crash when php unload).
Date:
Fixed bug #50020 (DateInterval:createDateFromString() silently fails).
Fixed bug #75113 (Added DatePeriod::getRecurrences() method).
EXIF:
Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s).
Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).
FPM:
Fixed bug #77677 (FPM fails to build on AIX due to missing WCOREDUMP).
GD:
Fixed bug #77700 (Writing truecolor images as GIF ignores interlace flag).
MySQLi:
Fixed bug #77597 (mysqli_fetch_field hangs scripts).
Opcache:
Fixed bug #77691 (Opcache passes wrong value for inline array push assignments).
Fixed bug #77743 (Incorrect pi node insertion for jmpznz with identical successors).
phpdbg:
Fixed bug #77767 (phpdbg break cmd aliases listed in help do not match actual aliases).
sodium:
Fixed bug #77646 (sign_detached() strings not terminated).
SQLite3:
Added sqlite3.defensive INI directive.
Standard:
Fixed bug #77664 (Segmentation fault when using undefined constant in custom wrapper).
Fixed bug #77669 (Crash in extract() when overwriting extracted array).
Fixed bug #76717 (var_export() does not create a parsable value for PHP_INT_MIN).
Fixed bug #77765 (FTP stream wrapper should set the directory as executable).
Changelog taken from: https://www.php.net/ChangeLog-7.php#7.2.17
MFH: 2019Q2
Changelog:
Core:
Fixed bug #77589 (Core dump using parse_ini_string with numeric sections).
Fixed bug #77630 (rename() across the device may allow unwanted access during processing).
COM:
Fixed bug #77621 (Already defined constants are not properly reported).
EXIF:
Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF).
Fixed bug #77540 (Invalid Read on exif_process_SOFn).
Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE).
Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE).
PDO_OCI:
Support Oracle Database tracing attributes ACTION, MODULE, CLIENT_INFO, and CLIENT_IDENTIFIER.
PHAR:
Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename).
SPL:
Fixed bug #51068 (DirectoryIterator glob:// don't support current path relative queries).
Fixed bug #77431 (openFile() silently truncates after a null byte).
Standard:
Fixed bug #77552 (Unintialized php_stream_statbuf in stat functions).
MySQL:
Disabled LOCAL INFILE by default, can be enabled using php.ini directive mysqli.allow_local_infile for mysqli, or PDO::MYSQL_ATTR_LOCAL_INFILE attribute for pdo_mysql.
Changelog taken from: http://www.php.net/ChangeLog-7.php#7.2.16
MFH: 2019Q1
Changelog:
Core:
Fixed bug #77339 (__callStatic may get incorrect arguments).
Fixed bug #77494 (Disabling class causes segfault on member access).
Fixed bug #77530 (PHP crashes when parsing `(2)::class`).
Curl:
Fixed bug #76675 (Segfault with H2 server push).
GD:
Fixed bug #73281 (imagescale(…, IMG_BILINEAR_FIXED) can cause black border).
Fixed bug #73614 (gdImageFilledArc() doesn't properly draw pies).
Fixed bug #77272 (imagescale() may return image resource on failure).
Fixed bug #77391 (1bpp BMPs may fail to be loaded).
Fixed bug #77479 (imagewbmp() segfaults with very large images).
ldap:
Fixed bug #77440 (ldap_bind using ldaps or ldap_start_tls()=exception in libcrypto-1_1-x64.dll).
Mbstring:
Fixed bug #77454 (mb_scrub() silently truncates after a null byte).
MySQLnd:
Fixed bug #75684 (In mysqlnd_ext_plugin.h the plugin methods family has no external visibility).
Opcache:
Fixed bug #77361 (configure fails on 64-bit AIX when opcache enabled).
OpenSSL:
Fixed bug #77390 (feof might hang on TLS streams in case of fragmented TLS records).
PDO:
Fixed bug #77273 (array_walk_recursive corrupts value types leading to PDO failure).
Sockets:
Fixed bug #76839 (socket_recvfrom may return an invalid 'from' address on MacOS).
Standard:
Fixed bug #77395 (segfault about array_multisort).
Fixed bug #77439 (parse_str segfaults when inserting item into existing array).
Changelog taken from: http://www.php.net/ChangeLog-7.php#7.2.15
PR: 235575 235577
MFH: 2019Q1
If you only define a port to listen in www.conf, PHP defaults to listen
only to IPv6 ports on FreeBSD. On other OS it listens to IPv6 and IPv4.
Since upstream do not want to fix this [1], we add this special case to
the documentation.
Because the configuration file is a @sample it wont be updated for already
changed files. Therefore i do not bump PORTREVISION.
PR: 235141
Submitted by: Artyom Davidov <ard_1@mail.ru>
[1] https://bugs.php.net/bug.php?id=74166
Renaming the option to be inline with the already existing MYSQLND option
in the mysqli and pdo_mysqli ports.
Reported by: Jarrod Sayers <jarrod@downtools.com.au>
Currently PHP is always compiled with --enable-mysqlnd, to allow the use
of the native MySQL Native Driver. MySQL Native Driver is a replacement for the
MySQL Client Library.
While this is handy when working with MySQL there is no need for
it when MySQL is *not* used at all. This happens frequently when
working without databases or simply with other databases.
To avoid POLA the newly introduced option is a default option.
Disabling it will reduce the size of the package by ca. 175 KB,
which also helps in modern constraint VM run environments.
Submitted by: Reko Turja <reko.turja@liukuma.net>
Changelog:
Core:
Fixed bug #77369 (memcpy with negative length via crafted DNS response).
Fixed bug #71041 (zend_signal_startup() needs ZEND_API).
Fixed bug #76046 (PHP generates "FE_FREE" opcode on the wrong line).
COM:
Fixed bug #77177 (Serializing or unserializing COM objects crashes).
Date:
Fixed bug #77097 (DateTime::diff gives wrong diff when the actual diff is less than 1 second).
Exif:
Fixed bug #77184 (Unsigned rational numbers are written out as signed rationals).
GD:
Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
Fixed bug #77195 (Incorrect error handling of imagecreatefromjpeg()).
Fixed bug #77198 (auto cropping has insufficient precision).
Fixed bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
IMAP:
Fixed bug #77020 (null pointer dereference in imap_mail).
Mbstring:
Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token).
Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node).
Fixed bug #77381 (heap buffer overflow in multibyte match_at).
Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
Fixed bug #77385 (buffer overflow in fetch_token).
Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode).
Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code).
OCI8:
Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working).
Added oci_set_call_timeout() for call timeouts.
Added oci_set_db_operation() for the DBOP end-to-end-tracing attribute.
Opcache:
Fixed bug #77215 (CFG assertion failure on multiple finalizing switch frees in one block).
PDO:
Handle invalid index passed to PDOStatement::fetchColumn() as error.
Phar:
Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
Sockets:
Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
SQLite3:
Fixed bug #77051 (Issue with re-binding on SQLite3).
Xmlrpc:
Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()).
Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code).
Changelog taken from: http://www.php.net/ChangeLog-7.php#7.2.14
MFH: 2019Q1
Unbreak this Port on mips64 and powerpc64
PR: 231462 232160
Reported by: Piotr Kubaj <pkubaj@anongoth.pl>
Approved by: tz (implicit)
Sponsored by: Netzkommune GmbH
Notable changes:
- Switch from PCRE to PCRE2
- Many modules now require PCRE2 for building
- graphics/php73-gd: X11 option is no longer default
Changes to Mk/Uses/php.mk approved by ale
This port links some non-PIC code, which fails with lld as it defaults
to disallowing relocations against read-only segments. For i386 we can
just add -znotext unconditionally: for GNU BFD ld it just affirms BFD's
existing default.
PR: 214864, 230207
Approved by: bapt
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17193
Currently the gd-module uses a bundled libgd, while most systems
already provide the same library via graphics/gd.
Therefore instead of adding the bundled library we use the
port instead.
PR: 217222
Submitted by: Mikhail Teterin <mi@FreeBSD.org>
Changelog: http://www.php.net/ChangeLog-7.php#7.2.8
Also patch out MySQL 8 auth changes, which makes the hash
extension mandatory instead of optional and introduce further
bugs:
d6e81f0bfd
MFH: 2018Q3
