Hi Cyril,

On 30/06/2017 at 14:36, Cyril Brulebois wrote:
> Control: retitle -1 stretch-pu: package phpunit/5.4.6-2~deb9u1
> Control: tag -1 moreinfo
> David Prévot <taf...@debian.org> (2017-06-28):
>> Please, allow this patched version of phpunit, built and tested in a
>> Stretch environment, fixing an arbitrary PHP code execution via HTTP
>> POST [CVE-2017-9841], aka #866200.
> Stretch is Debian 9. :)

Ooops, things are moving so quickly…

> Please post an updated source debdiff with the proper version number for
> a last look before an ACK for the upload.

Attached (with package rebuilt, and tested again), thanks!

Regards

David
diff -Nru phpunit-5.4.6/debian/changelog phpunit-5.4.6/debian/changelog --- phpunit-5.4.6/debian/changelog 2016-06-18 12:34:11.000000000 -1000 +++ phpunit-5.4.6/debian/changelog 2017-06-28 17:03:35.000000000 -1000 @@ -1,3 +1,18 @@ +phpunit (5.4.6-2~deb9u1) stretch; urgency=high + + * Team upload + * Upload previous fix to Stretch + + -- David Prévot <taf...@debian.org> Wed, 28 Jun 2017 17:03:35 -1000 + +phpunit (5.4.6-2) unstable; urgency=high + + * Team upload + * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841] + (Closes: #866200) + + -- David Prévot <taf...@debian.org> Wed, 28 Jun 2017 16:43:26 -1000 + phpunit (5.4.6-1) unstable; urgency=medium * Team upload diff -Nru phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch --- phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch 1969-12-31 14:00:00.000000000 -1000 +++ phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch 2017-06-28 16:41:16.000000000 -1000 
@@ -0,0 +1,34 @@ +From: Bob Weinand <bobw...@hotmail.com> +Date: Sun, 13 Nov 2016 18:52:50 +0100 +Subject: Correct fix for #1956 + +Origin: upstream, https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5 +Bug: https://github.com/sebastianbergmann/phpunit/pull/2356 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200 +--- + src/Util/PHP/Template/TestCaseMethod.tpl.dist | 2 +- + src/Util/PHP/eval-stdin.php | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist +index 47ef6e4..c7172b9 100644 +--- a/src/Util/PHP/Template/TestCaseMethod.tpl.dist ++++ b/src/Util/PHP/Template/TestCaseMethod.tpl.dist +@@ -58,7 +58,7 @@ function __phpunit_run_isolated_test() + $output = $test->getActualOutput(); + } + +- rewind(STDOUT); ++ @rewind(STDOUT); /* @ as not every STDOUT target stream is rewindable */ + if ($stdout = stream_get_contents(STDOUT)) { + $output = $stdout . $output; + } +diff --git a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php +index fe1b8bd..3b3a6d0 100644 +--- a/src/Util/PHP/eval-stdin.php ++++ b/src/Util/PHP/eval-stdin.php +@@ -1,3 +1,3 @@ + <?php + +-eval('?>' . file_get_contents('php://input')); ++eval('?>' . file_get_contents('php://stdin')); diff -Nru phpunit-5.4.6/debian/patches/series phpunit-5.4.6/debian/patches/series --- phpunit-5.4.6/debian/patches/series 2016-06-18 12:15:55.000000000 -1000 +++ phpunit-5.4.6/debian/patches/series 2017-06-28 16:41:16.000000000 -1000 @@ -1 +1,2 @@ 0001-Remove-Composer-autoload.patch +0002-Correct-fix-for-1956.patch
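Review bot: the stretch-pu changelog entry (`+ * Upload previous fix to Stretch`) does not repeat the CVE identifier; only the 5.4.6-2 unstable entry below it carries `[CVE-2017-9841]` and `(Closes: #866200)`. Since the 5.4.6-2~deb9u1 entry is the one readers of the stretch package will see, consider restating the CVE there, e.g. `* Upload previous fix to Stretch [CVE-2017-9841]`, so the security fix is traceable from the stretch changelog alone.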
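Review bot: the `@rewind(STDOUT);` change in src/Util/PHP/Template/TestCaseMethod.tpl.dist is unrelated to the CVE; as its inline comment says, it only suppresses the warning when the STDOUT target stream is not rewindable. Carrying it is reasonable since it comes from the same upstream commit (Origin header points at 284a69fb88a2d0845d23f42974a583d8f59bf5a5), but the changelog only mentions the code-execution fix, so a one-line mention that the cherry-pick also includes this robustness tweak would make the debdiff easier to audit.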
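Review bot: the substantive fix is the single-line change in src/Util/PHP/eval-stdin.php from `file_get_contents('php://input')` to `file_get_contents('php://stdin')`. With `php://input` the script evaluated the body of any HTTP request that reached it, which is the CVE-2017-9841 vector; `php://stdin` reads only the process's standard input, which is what the isolated test runner feeds it. Note that the file still `eval()`s whatever it is given by design, so the remaining safeguard is that it must never be reachable through a web server; it is worth confirming that the packaged copy is not installed under a web-served path rather than relying on the stream change alone.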