Processed: Re: Bug#1126796: trixie-pu: package phpunit/11.5.19-1+deb13u1

2026-02-28 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1126796 [release.debian.org] trixie-pu: package phpunit/11.5.19-1+deb13u1
Added tag(s) confirmed.

-- 
1126796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126796
Debian Bug Tracking System
Contact [email protected] with problems



Bug#1126796: trixie-pu: package phpunit/11.5.19-1+deb13u1

2026-02-28 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2026-02-01 at 16:15 +0100, David Prévot wrote:
> As agreed with the security team, I’d like to get CVE-2026-24765 fixed
> via a point release.

Please go ahead.

Regards,

Adam



Bug#1126796: trixie-pu: package phpunit/11.5.19-1+deb13u1

2026-02-01 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:phpunit
User: [email protected]
Usertags: pu

Hi,

As agreed with the security team, I’d like to get CVE-2026-24765 fixed
via a point release.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance for considering.

Regards,

taffit
diff -Nru phpunit-11.5.19/debian/changelog phpunit-11.5.19/debian/changelog
--- phpunit-11.5.19/debian/changelog	2025-05-03 07:36:49.0 +0200
+++ phpunit-11.5.19/debian/changelog	2026-01-29 06:09:18.0 +0100
@@ -1,3 +1,11 @@
+phpunit (11.5.19-1+deb13u1) trixie; urgency=medium
+
+  * Track debian/trixie
+  * Fix Unsafe Deserialization in PHPT Code Coverage Handling [CVE-2026-24765]
+  * Workaround empty file not added by patch
+
+ -- David Prévot   Thu, 29 Jan 2026 06:09:18 +0100
+
 phpunit (11.5.19-1) unstable; urgency=medium
 
   [ Sebastian Bergmann ]
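Review bot: The third bullet of the new entry, "Workaround empty file not added by patch", names neither the file nor the place where the workaround is implemented. Suggest naming tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage (the path this debdiff adds to debian/clean) and the packaging file that creates it, so the entry can be matched to the change without reading the whole diff.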
diff -Nru phpunit-11.5.19/debian/clean phpunit-11.5.19/debian/clean
--- phpunit-11.5.19/debian/clean	2025-05-03 07:35:48.0 +0200
+++ phpunit-11.5.19/debian/clean	2026-01-29 06:09:18.0 +0100
@@ -7,6 +7,7 @@
 tests/_files/.phpunit.result.cache
 tests/_files/*/.phpunit.result.cache
 tests/basic/.phpunit.result.cache
+tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
 tests/end-to-end/force-covers-annotation/.phpunit.result.cache
 tests/end-to-end/*/*/.phpunit.result.cache
 tests/end-to-end/regression/GitHub/*/.phpunit.result.cache
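Review bot: The new debian/clean line for tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage implies the file is generated during the build, but the step that creates it is not visible next to this hunk. The backported patch's diffstat lists that fixture as an empty file and adds an end-to-end test named phpt-coverage-file-exists.phpt, so please confirm the file is created before the test suite runs; without it the regression test for CVE-2026-24765 would appear to run without the pre-existing coverage file it is meant to detect.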
diff -Nru phpunit-11.5.19/debian/control phpunit-11.5.19/debian/control
--- phpunit-11.5.19/debian/control	2025-05-03 07:35:48.0 +0200
+++ phpunit-11.5.19/debian/control	2026-01-29 06:09:18.0 +0100
@@ -27,7 +27,7 @@
phpunit-type (>= 5)
 Standards-Version: 4.7.2
 Rules-Requires-Root: no
-Vcs-Git: https://salsa.debian.org/php-team/pear/phpunit.git -b debian/11
+Vcs-Git: https://salsa.debian.org/php-team/pear/phpunit.git -b debian/trixie
 Vcs-Browser: https://salsa.debian.org/php-team/pear/phpunit
 Homepage: https://phpunit.de/
 
diff -Nru phpunit-11.5.19/debian/gbp.conf phpunit-11.5.19/debian/gbp.conf
--- phpunit-11.5.19/debian/gbp.conf	2025-05-03 07:35:48.0 +0200
+++ phpunit-11.5.19/debian/gbp.conf	2026-01-29 06:09:18.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/11
+debian-branch = debian/trixie
 filter = [ '.gitattributes', 'tools' ]
 pristine-tar = True
 upstream-branch = upstream-11
diff -Nru phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch
--- phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch	1970-01-01 01:00:00.0 +0100
+++ phpunit-11.5.19/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch	2026-01-29 06:09:18.0 +0100
@@ -0,0 +1,158 @@
+From: Sebastian Bergmann 
+Date: Mon, 26 Jan 2026 17:37:32 +0100
+Subject: Do not run PHPT test when its temporary file for code coverage
+ information exists
+
+Origin: backport, https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda
+Bug: https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-24765
+---
+ .../Exception/CodeCoverageFileExistsException.php  | 21 +++
+ src/Runner/PHPT/PhptTestCase.php   | 31 +-
+ .../_files/phpt-coverage-file-exists/test.coverage |  0
+ .../_files/phpt-coverage-file-exists/test.phpt |  7 +
+ .../end-to-end/phpt/phpt-coverage-file-exists.phpt | 21 +++
+ 5 files changed, 79 insertions(+), 1 deletion(-)
+ create mode 100644 src/Runner/Exception/CodeCoverageFileExistsException.php
+ create mode 100644 tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+ create mode 100644 tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+ create mode 100644 tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+
+diff --git a/src/Runner/Exception/CodeCoverageFileExistsException.php b/src/Runner/Exception/CodeCoverageFileExistsException.php
+new file mode 100644
+index 000..3ffde5b
+--- /dev/null
 b/src/Runner/Exception/CodeCoverageFileExistsException.php
+@@ -0,0 +1,21 @@
++
++ *
++ * For the full copyright and license information, please view the LICENSE
++ * file that was distributed with this source code.
++ */
++namespace PHPUnit\Runner;
++
++use RuntimeException;
++
++/**
++ * @no-named-arguments Parameter names are not covered by the backward compatibility promise for PHPUnit
++ *
++ * @internal This class is not covered by the backward compatibility promise for PHPUni