mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2025-07-15 20:25:17 +03:00
aports/testing/php8/APKBUILD
Andy Postnikov f8c41b8adc testing/php8: security upgrade to 8.0.28
- CVE-2023-0567
- CVE-2023-0568
- CVE-2023-0662
2023-02-14 17:05:15 +01:00


# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Andy Postnikov <apostnikov@gmail.com>
# Bundled libraries
#
# Name | License | Location | State
# ----------+---------------------+------------------------+---------
# bcmath | LGPL-2.1-or-later | ext/bcmath/libbcmath | used
# date | MIT | ext/date/lib | used
# fileinfo | BSD-2-Clause | ext/fileinfo/libmagic | used
# gd | BSD | ext/gd/libgd | used
# hash | CC0-1.0 | ext/hash/sha3 | used
# libmbfl | LGPL-2.1-only | ext/mbstring/libmbfl | used
# pcre | BSD-3-Clause | ext/pcre/pcrelib | not used
# sqlite3 | Public | ext/sqlite3/libsqlite | not used
# libzip | BSD-3-Clause | ext/zip/lib | not used
# Static extensions
#
# Name | Reason
# ----------+--------------------------------------------
# zlib | https://bugs.alpinelinux.org/issues/8299
# json | https://wiki.php.net/rfc/always_enable_json
# Package identity. $pkgver is the upstream PHP release being packaged and
# $pkgrel the Alpine revision of it; the "secfixes" comment block later in
# this file is keyed on "$pkgver-r$pkgrel".
pkgname=php8
_pkgreal=php
pkgver=8.0.28
pkgrel=0
# PHP_API_VERSION this package expects; prepare() compares it with the value
# in main/php.h and aborts the build on mismatch.
_apiver=20200930
# $pkgname with the leading "php" removed; appended to binary and file names.
_suffix=${pkgname#php}
# Is this package the default (latest) PHP version?
# The unsuffixed symlinks (php, phpize, ...) are only created when this is "yes".
_default_php="no"
provides="$pkgname-cli php-cli php" # for backward compatibility
# priority of community/php81 is 100
provider_priority=10
pkgdesc="The PHP$_suffix language runtime engine"
url="https://www.php.net/"
arch="all"
license="PHP-3.01 BSD-3-Clause LGPL-2.0-or-later MIT Zend-2.0"
depends="$pkgname-common"
depends_dev="$pkgname=$pkgver-r$pkgrel autoconf pcre2-dev re2c"
# Most dependencies between extensions are auto-discovered (see _extension()).
# The _depends_<ext> variables below override that discovery; they are looked
# up by name through eval in _extension() and _extension_load_order().
_depends_mysqlnd="$pkgname-openssl"
_depends_pdo_mysql="$pkgname-pdo $pkgname-mysqlnd"
_depends_phar="$pkgname"
# openssl is actually a transitive dependency here, but it must be listed
# explicitly because the load index is based on the number of dependencies.
_depends_mysqli="$pkgname-mysqlnd $pkgname-openssl"
# Build-time dependencies. Note the version constraint on openssl-dev (>3):
# this package is built against OpenSSL 3 only.
makedepends="
$depends_dev
acl-dev
apache2-dev
argon2-dev
aspell-dev
bison
bzip2-dev
curl-dev
enchant2-dev
freetds-dev
freetype-dev
gdbm-dev
gettext-dev
gmp-dev
icu-dev
imap-dev
krb5-dev
libedit-dev
libical-dev
libjpeg-turbo-dev
libpng-dev
libpq-dev
lmdb-dev
oniguruma-dev
libsodium-dev
libwebp-dev
libxml2-dev
libxpm-dev
libxslt-dev
libzip-dev
net-snmp-dev
openldap-dev
openssl-dev>3
patchelf
sqlite-dev
tidyhtml-dev
unixodbc-dev
zlib-dev
"
# Needed only by check().
checkdepends="icu-data-full"
# SAPI and tooling subpackages; the per-extension subpackages are appended by
# the loop over $_extensions further down.
subpackages="$pkgname-dev $pkgname-doc
$pkgname-phpdbg $pkgname-apache2
$pkgname-embed $pkgname-cgi $pkgname-fpm
$pkgname-pear::noarch
"
# Upstream tarball (fetched over HTTPS) followed by local files and patches.
# Every entry has a pinned digest in sha512sums at the end of this file, so a
# changed tarball or patch is rejected unless its checksum is updated too.
source="https://php.net/distributions/$_pkgreal-$pkgver.tar.xz
$pkgname-fpm.initd
$pkgname-fpm.logrotate
$pkgname-module.conf
disabled-tests.list
install-pear.patch
includedir.patch
sharedir.patch
$pkgname-fpm-version-suffix.patch
fix-tests-devserver.patch
xfail-openssl-1.1-test.patch
openssl3.patch
fix-tests-spki-openssl3.patch
fix-tests-openssl3-1.patch
fix-tests-openssl3-2.patch
fix-tests-openssl3-3.patch
fix-icu72.patch
"
# Unpacked upstream source tree.
builddir="$srcdir/$_pkgreal-$pkgver"
# Versioned install locations: shared extension modules and the conf.d
# directory that holds one generated .ini file per extension.
_libdir="/usr/lib/$pkgname"
_extension_dir="$_libdir/modules"
_extension_confd="/etc/$pkgname/conf.d"
# Extensions built as shared modules and split into their own subpackages.
# These names are also used to build variable names (_depends_<ext>) that are
# resolved with eval, so entries must stay plain identifiers.
_extensions="
bcmath
bz2
calendar
ctype
curl
dba
dom
enchant
exif
ffi
fileinfo
ftp
gd
gettext
gmp
iconv
imap
intl
ldap
mbstring
mysqli
mysqlnd
odbc
opcache
openssl
pcntl
pdo
pdo_dblib
pdo_mysql
pdo_odbc
pdo_pgsql
pdo_sqlite
pgsql
phar
posix
pspell
session
shmop
simplexml
snmp
soap
sodium
sockets
sqlite3
sysvmsg
sysvsem
sysvshm
tidy
tokenizer
xml
xmlreader
xmlwriter
xsl
zip
"
# Register one subpackage per extension. phar has its own split function
# (phar()); every other extension is packaged by the generic _extension().
for _ext in $_extensions; do
case "$_ext" in
phar) subpackages="$subpackages $pkgname-$_ext:$_ext";;
*) subpackages="$subpackages $pkgname-$_ext:_extension";;
esac
done
# Added after the extensions: the shared config package and the LiteSpeed SAPI.
# build() checks $subpackages for "-litespeed" to decide whether to enable it.
subpackages="$subpackages $pkgname-common::noarch"
subpackages="$subpackages $pkgname-litespeed"
# secfixes:
# 8.0.28-r0:
# - CVE-2023-0567
# - CVE-2023-0568
# - CVE-2023-0662
# 8.0.27-r0:
# - CVE-2022-31631
# 8.0.25-r0:
# - CVE-2022-31630
# - CVE-2022-37454
# 8.0.24-r0:
# - CVE-2022-31628
# - CVE-2022-31629
# 8.0.19-r2:
# - CVE-2022-31625
# - CVE-2022-31626
# 8.0.13-r0:
# - CVE-2021-21707
# 8.0.12-r0:
# - CVE-2021-21703
# 8.0.11-r0:
# - CVE-2021-21706
# 8.0.8-r0:
# - CVE-2021-21705
# 8.0.2-r0:
# - CVE-2021-21702
# Prepares the unpacked source tree: applies the patches from $source, checks
# that upstream's PHP API version still equals $_apiver, removes unused
# Windows headers and the tests named in disabled-tests.list, and regenerates
# ./configure.
# Globals:   _apiver, srcdir (read)
# Returns:   1 when the upstream API version differs from $_apiver
prepare() {
	default_prepare

	# Last field of the "#define PHP_API_VERSION ..." line in main/php.h.
	local upstream_api=$(sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h)
	if [ "$upstream_api" != "$_apiver" ]; then
		error "Upstream API version is now $upstream_api. Expecting $_apiver"
		error "After updating _apiver, all 3rd-party extensions must be rebuilt."
		return 1
	fi

	# https://bugs.php.net/63362 - Not needed but installed headers.
	# Drop some Windows specific headers to avoid installation,
	# before build to ensure they are really not needed.
	rm -f \
		TSRM/tsrm_win32.h \
		TSRM/tsrm_config.w32.h \
		Zend/zend_config.w32.h \
		ext/mysqlnd/config-win.h \
		ext/standard/winver.h

	# Fix some bogus permissions.
	find . -name '*.[ch]' -exec chmod 644 {} \;

	# XXX: Delete failing tests.
	# Every non-comment line of disabled-tests.list is a glob pattern relative
	# to the source tree. $pattern is deliberately left unquoted so the shell
	# expands it; the list is a checksummed file from $source, not external
	# input, which is what makes the unquoted "rm -r" acceptable here.
	sed -n '/^[^#]/p' "$srcdir"/disabled-tests.list | while read -r pattern; do
		rm -r $pattern # do it in this way to apply globbing...
	done

	autoconf
}
# Notes:
# * gd-jis-conv breaks any non-latin font rendering (vakartel).
# * libxml cannot be built as shared.
# * -O2 optimize for apps usage (andypost)
# Configures and compiles PHP once. build() calls this twice with different
# SAPI switches; any arguments are appended to the ./configure command line.
# Globals:   CFLAGS, CXXFLAGS (rewritten and exported), CARCH, CBUILD, CHOST,
#            pkgname, _suffix, _libdir, _extension_dir, _extension_confd (read)
# Arguments: extra ./configure options
_build() {
# Swap the size optimisation level (-Os) for -O2 in the compiler flags.
export CFLAGS="${CFLAGS/-Os/-O2}"
export CXXFLAGS="${CXXFLAGS/-Os/-O2}"
# PCRE JIT is switched off on s390x only; on other arches this stays empty
# and expands to nothing in the configure call below.
local without_pcre_jit
[ "$CARCH" = "s390x" ] && without_pcre_jit="--without-pcre-jit"
# Extensions are built "=shared" so each can be shipped as its own
# subpackage. Options worth noticing when reviewing the security posture:
#   --with-external-pcre, --with-sqlite3/--with-zip without bundled paths:
#       system libraries are used instead of the bundled copies (see the
#       "Bundled libraries" table at the top of this file).
#   --with-system-ciphers: cipher defaults are taken from the system
#       OpenSSL configuration - NOTE(review): confirm against PHP's
#       configure help for this version.
#   --with-password-argon2: Argon2 support for password hashing.
#   --disable-short-tags: "<?" short open tags are off by default.
# No comments can be placed inside the command itself because every line
# ends in a continuation backslash.
EXTENSION_DIR=$_extension_dir ./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
--program-suffix=$_suffix \
--libdir=$_libdir \
--datadir=/usr/share/$pkgname \
--sysconfdir=/etc/$pkgname \
--localstatedir=/var \
--with-layout=GNU \
--with-pic \
--with-config-file-path=/etc/$pkgname \
--with-config-file-scan-dir=$_extension_confd \
--disable-short-tags \
\
--enable-bcmath=shared \
--with-bz2=shared \
--enable-calendar=shared \
--enable-ctype=shared \
--with-curl=shared \
--enable-dba=shared \
--with-dbmaker=shared \
--with-gdbm \
--with-lmdb \
--enable-dom=shared \
--with-enchant=shared \
--enable-exif=shared \
--with-ffi=shared \
--enable-fileinfo=shared \
--enable-ftp=shared \
--enable-gd=shared \
--with-freetype \
--with-jpeg \
--with-webp \
--with-xpm \
--disable-gd-jis-conv \
--with-gettext=shared \
--with-gmp=shared \
--with-iconv=shared \
--with-imap=shared \
--with-imap-ssl \
--enable-intl=shared \
--with-ldap=shared \
--with-ldap-sasl \
--with-libedit \
--with-libxml \
--enable-mbstring=shared \
--with-mysqli=shared,mysqlnd \
--with-mysql-sock=/run/mysqld/mysqld.sock \
--enable-mysqlnd=shared \
--enable-opcache=shared \
--with-openssl=shared \
--with-kerberos \
--with-system-ciphers \
--with-password-argon2 \
--enable-pcntl=shared \
--with-external-pcre \
$without_pcre_jit \
--enable-pdo=shared \
--with-pdo-dblib=shared,/usr \
--with-pdo-mysql=shared,mysqlnd \
--with-pdo-odbc=shared,unixODBC,/usr \
--with-pdo-pgsql=shared \
--with-pdo-sqlite=shared \
--with-pgsql=shared \
--enable-phar=shared \
--enable-posix=shared \
--with-pspell=shared \
--without-readline \
--enable-session=shared \
--enable-shmop=shared \
--enable-simplexml=shared \
--with-snmp=shared \
--enable-soap=shared \
--with-sodium=shared \
--enable-sockets=shared \
--with-sqlite3=shared \
--enable-sysvmsg=shared \
--enable-sysvsem=shared \
--enable-sysvshm=shared \
--with-tidy=shared \
--enable-tokenizer=shared \
--with-unixODBC=shared,/usr \
--enable-xml=shared \
--enable-xmlreader=shared \
--enable-xmlwriter=shared \
--with-xsl=shared \
--with-zip=shared \
--with-zlib \
"$@"
make
}
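# Builds PHP in two passes because the SAPIs cannot all be produced by one
# configure run (https://bugs.php.net/bug.php?id=52419 is still open):
#   1. the Apache 2 module, whose libphp.so is renamed out of the way;
#   2. cgi, cli, fpm, embed, phpdbg, pear/pecl and (optionally) litespeed.
# Globals:   subpackages, pkgname, _suffix (read)
build() {
	# build phpcgi and apache2 SAPIs first
	# because not fixed https://bugs.php.net/bug.php?id=52419
	# apache2 module
	_build --disable-phpdbg \
		--disable-cli \
		--with-apxs2
	# Keep the module from pass 1; pass 2 writes libs/libphp.so again.
	mv libs/libphp.so sapi/apache2handler/mod_php$_suffix.so

	# Enable the LiteSpeed SAPI only when a -litespeed subpackage is declared.
	# The previous form, [ -z ${subpackages##*-litespeed*} ], left the
	# expansion unquoted: when no such subpackage existed the test received
	# the whole word-split list and only gave the right answer because the
	# resulting "[" error is also a non-zero status.
	local enable_litespeed
	case "$subpackages" in
		*-litespeed*) enable_litespeed=--enable-litespeed ;;
	esac

	# cgi, cli, fpm, embed, phpdbg, pear/pecl, litespeed
	# $enable_litespeed is intentionally unquoted: it must vanish when unset.
	_build --enable-phpdbg \
		--with-pear=/usr/share/$pkgname \
		--enable-fpm \
		--with-fpm-acl \
		$enable_litespeed \
		--enable-embed
}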
# Runs the upstream test suite ("make test") against the shared extensions
# built in $builddir/modules.
# Globals:   builddir, CARCH, TESTS (read)
# Returns:   status of "make test", except on x86 and s390x where a failing
#            test run is tolerated (see allow_fail below)
check() {
# PHP is so stupid that it's not able to resolve dependencies
# between extensions and load them in correct order, so we must
# help it...
# opcache is Zend extension, it's handled specially in Makefile
# php_modules becomes a space-separated list of quoted
# '$builddir/modules/<ext>.la' paths in load order, without opcache.
local php_modules=$(_extensions_by_load_order \
| grep -vx opcache \
| xargs -n 1 printf "'$builddir/modules/%s.la' ")
# Within the PHP_TEST_SHARED_EXTENSIONS rule of the generated Makefile,
# replace the iteration over $(PHP_MODULES) with the ordered list above.
sed -i "/^PHP_TEST_SHARED_EXTENSIONS/,/extension=/ \
s|in \$(PHP_MODULES)\"*|in $php_modules|" Makefile
# XXX: Few tests fail on the named platforms.
# Ignore it for now and continue build even on test failures.
# NOTE(review): on these two arches any failing test, including a regression
# test shipped with a security fix, no longer fails the build.
local allow_fail='no'
case "$CARCH" in
x86 | s390x ) allow_fail='yes'
esac
# Slow, online and I/O-capture tests are skipped and each test is limited by
# TEST_TIMEOUT; REPORT_EXIT_STATUS=1 makes failures show up in the exit code.
TESTS="${TESTS:- --show-diff}" NO_INTERACTION=1 REPORT_EXIT_STATUS=1 \
SKIP_SLOW_TESTS=1 SKIP_ONLINE_TESTS=1 TEST_TIMEOUT=10 \
TZ='' LANG='' LC_ALL='' TEST_FPM_EXTENSION_DIR=modules \
TRAVIS=true SKIP_IO_CAPTURE_TESTS=1 \
make test || [ "$allow_fail" = yes ]
echo 'NOTE: We have skipped quite a lot tests, see disabled-tests.list.'
}
# Installs the build into $pkgdir, ships php.ini-production as the default
# php.ini, points the PEAR scripts at the suffixed interpreter and removes
# hidden files left behind by the install.
# Globals:   pkgdir, pkgname, _suffix, _default_php (read)
package() {
	make -j1 INSTALL_ROOT="$pkgdir" install

	# The production template becomes the packaged default configuration.
	install -Dm644 php.ini-production "$pkgdir"/etc/$pkgname/php.ini

	# pear/peardev/pecl hard-code "php"; rewrite them to call php$_suffix.
	local script
	for script in pear peardev pecl; do
		sed -i \
			-e "s|/usr/bin/php|/usr/bin/php$_suffix|g" \
			-e "s|PHP=php|PHP=php$_suffix|" \
			"$pkgdir"/usr/bin/$script
	done

	# Drop every dot-file and dot-directory from the package image.
	find "$pkgdir" -name '.*' -print0 | xargs -0 rm -rf
	rmdir "$pkgdir"/var/run

	# Only the default PHP version provides the unsuffixed "php" command.
	[ "$_default_php" != yes ] || ln -s php$_suffix "$pkgdir"/usr/bin/php
}
# Splits the development files: php-config, phpize and the extension build
# scripts under $_libdir/build.
# Globals:   pkgdir, subpkgdir, _suffix, _libdir, _default_php (read);
#            replaces, depends (written)
dev() {
	default_dev
	replaces="php-dev"
	depends="$depends"

	cd "$pkgdir"
	_mv usr/bin/php-config$_suffix usr/bin/phpize$_suffix \
		"$subpkgdir"/usr/bin/
	_mv ./$_libdir/build "$subpkgdir"/$_libdir/

	# Unsuffixed command names exist only for the default PHP version.
	if [ "$_default_php" = yes ]; then
		local tool
		for tool in phpize php-config; do
			ln -s $tool$_suffix "$subpkgdir"/usr/bin/$tool
		done
	fi
}
# Splits the documentation and adds upstream's top-level text files
# (coding standards, licence, NEWS, README*, UPGRADING*) to it.
# Globals:   builddir, subpkgdir, pkgname (read)
doc() {
	default_doc

	local docdir="$subpkgdir/usr/share/doc/$pkgname"
	cd "$builddir"
	mkdir -p "$docdir"
	# README* and UPGRADING* are left unquoted so the shell expands them.
	cp CODING_STANDARDS.md EXTENSIONS LICENSE NEWS README* UPGRADING* \
		"$docdir"/
}
# Packages the Apache 2 handler module built in the first build() pass,
# together with its conf.d snippet from $srcdir.
# Globals:   builddir, srcdir, subpkgdir, _suffix (read);
#            pkgdesc, depends, provides (written)
apache2() {
	pkgdesc="PHP$_suffix Module for Apache2"
	depends="$depends apache2"
	provides="php-apache2"

	local module="mod_php$_suffix.so"
	local snippet="php$_suffix-module.conf"

	# Module is installed executable (755), the configuration read-only (644).
	install -D -m 755 "$builddir"/sapi/apache2handler/"$module" \
		"$subpkgdir"/usr/lib/apache2/"$module"
	install -D -m 644 "$srcdir"/"$snippet" \
		"$subpkgdir"/etc/apache2/conf.d/"$snippet"
}
# Splits the interactive debugger binary into its own subpackage.
# Globals:   subpkgdir, _suffix, _default_php (read); pkgdesc, provides (written)
phpdbg() {
	pkgdesc="Interactive PHP$_suffix debugger"
	provides="php-phpdbg"

	amove usr/bin/phpdbg$_suffix

	# Unsuffixed name only for the default PHP version.
	[ "$_default_php" != yes ] || ln -s phpdbg$_suffix "$subpkgdir"/usr/bin/phpdbg
}
# Packages the embed SAPI library under a versioned file name and SONAME.
# Globals:   pkgdir, subpkgdir, _suffix (read); pkgdesc, provides (written)
embed() {
	pkgdesc="PHP$_suffix Embedded Library"
	provides="php-embed"

	local libname="libphp$_suffix.so"

	mkdir -p "$subpkgdir"/usr/lib
	mv "$pkgdir"/usr/lib/libphp.so "$subpkgdir"/usr/lib/"$libname"
	# we do this so it matches the name, otherwise SONAME libphp.so conflicts
	patchelf --set-soname "$libname" "$subpkgdir"/usr/lib/"$libname"
}
# Splits the LiteSpeed SAPI binary (lsphp) into its own subpackage.
# Globals:   pkgdir, subpkgdir, _suffix, _default_php (read);
#            pkgdesc, provides (written)
litespeed() {
	pkgdesc="PHP$_suffix LiteSpeed SAPI"
	# NOTE(review): spelled "lightspeed" while everything else here says
	# "litespeed" - confirm which virtual name dependants actually use
	# before changing it.
	provides="php-lightspeed"

	local bindir="$subpkgdir/usr/bin"
	mkdir -p "$bindir"
	mv "$pkgdir"/usr/bin/lsphp$_suffix "$bindir"

	# Unsuffixed name only for the default PHP version.
	if [ "$_default_php" = yes ]; then
		ln -s lsphp$_suffix "$bindir"/lsphp
	fi
}
# Splits the CGI SAPI binary into its own subpackage.
# Globals:   pkgdir, subpkgdir, _suffix, _default_php (read);
#            pkgdesc, provides (written)
cgi() {
	pkgdesc="PHP$_suffix Common Gateway Interface"
	provides="php-cgi"

	_mv "$pkgdir"/usr/bin/php-cgi$_suffix "$subpkgdir"/usr/bin/

	# Unsuffixed name only for the default PHP version.
	[ "$_default_php" != yes ] || ln -s php-cgi$_suffix "$subpkgdir"/usr/bin/php-cgi
}
# Packages the FastCGI Process Manager: its binary, state and log
# directories, default configuration, init script and logrotate rule.
# Globals:   pkgdir, subpkgdir, srcdir, pkgname, _suffix (read);
#            pkgdesc, provides (written)
fpm() {
	pkgdesc="PHP$_suffix FastCGI Process Manager"
	provides="php-fpm"

	local confdir="$subpkgdir/etc/$pkgname"

	cd "$pkgdir"
	_mv var "$subpkgdir"/
	_mv usr/share/$pkgname/fpm "$subpkgdir"/var/lib/$pkgname/
	_mv usr/sbin "$subpkgdir"/usr/
	# Glob is intentionally unquoted: it covers php-fpm.conf* and php-fpm.d.
	_mv etc/$pkgname/php-fpm* "$confdir"/

	# Upstream installs the configs as *.default; activate them as shipped.
	local conf
	for conf in php-fpm.conf php-fpm.d/www.conf; do
		mv "$confdir"/$conf.default "$confdir"/$conf
	done

	# Init script is executable (755); the logrotate rule is plain data (644).
	install -D -m 755 "$srcdir"/$pkgname-fpm.initd \
		"$subpkgdir"/etc/init.d/php-fpm$_suffix
	install -D -m 644 "$srcdir"/$pkgname-fpm.logrotate \
		"$subpkgdir"/etc/logrotate.d/php-fpm$_suffix

	mkdir -p "$subpkgdir"/var/log/$pkgname
}
# Packages PEAR/PECL: the three command-line tools get the version suffix,
# and pear.conf plus usr/share move into the subpackage.
# Globals:   pkgdir, subpkgdir, pkgname, _suffix, _default_php (read);
#            pkgdesc, depends, provides (written)
pear() {
	pkgdesc="PHP$_suffix Extension and Application Repository"
	depends="$pkgname $pkgname-xml"
	provides="php-pear"

	local bindir="$subpkgdir/usr/bin"

	cd "$pkgdir"
	mkdir -p "$bindir"

	local tool
	for tool in pecl pear peardev; do
		mv usr/bin/$tool "$bindir"/$tool$_suffix
		# Unsuffixed name only for the default PHP version.
		[ "$_default_php" != yes ] || ln -s $tool$_suffix "$bindir"/$tool
	done

	_mv etc/$pkgname/pear.conf "$subpkgdir"/etc/$pkgname/
	_mv usr/share "$subpkgdir"/usr/
}
# Packages what every SAPI shares: usr/lib, the whole etc tree and an
# (initially empty) conf.d directory for the per-extension .ini files.
# Globals:   pkgdir, subpkgdir, _extension_confd (read);
#            pkgdesc, provides, depends (written)
common() {
	pkgdesc="$pkgdesc (common config)"
	# zlib and json are compiled in statically, so this package provides them.
	provides="php-common $pkgname-zlib php-zlib $pkgname-json php-json" # for backward compatibility
	depends=""

	cd "$pkgdir"
	local tree
	for tree in usr/lib etc; do
		case "$tree" in
			usr/lib) _mv usr/lib "$subpkgdir"/usr/ ;;
			etc) _mv etc "$subpkgdir"/ ;;
		esac
	done

	mkdir -p "$subpkgdir"/$_extension_confd
}
# Packages the phar extension like any other (_extension) and additionally
# ships the phar command-line tool under a versioned name.
# Globals:   pkgdir, subpkgdir, _suffix, _default_php (read)
phar() {
	_extension

	local bindir="$subpkgdir/usr/bin"
	local tool="phar.phar$_suffix"

	cd "$pkgdir"
	mkdir -p "$bindir"
	mv usr/bin/phar$_suffix.phar "$bindir"/"$tool"
	# Replace what upstream installed as usr/bin/phar$_suffix with a link
	# to the renamed archive.
	rm usr/bin/phar$_suffix
	ln -s "$tool" "$bindir"/phar$_suffix

	# Unsuffixed names only for the default PHP version.
	if [ "$_default_php" = yes ]; then
		local link
		for link in phar.phar phar; do
			ln -s "$tool" "$bindir"/$link
		done
	fi
}
# Generic split function for one shared extension. Derives the extension
# name from $subpkgname, sets description/provides/depends, moves the .so
# into the subpackage and writes a conf.d .ini file that loads it.
# Globals:   subpkgname, pkgname, builddir, pkgdir, subpkgdir, _suffix,
#            _extension_dir, _extension_confd, _depends_<ext> (read);
#            pkgdesc, provides, depends (written)
_extension() {
	local extname="${subpkgname#$pkgname-}"

	# eval is used for variable indirection (_depends_<extname>).
	# NOTE(review): $extname ends up inside evaluated shell code; that is only
	# safe because subpackage names come from $_extensions in this file.
	local extdepends="$(eval "echo \$_depends_$extname")"
	# First line of the extension's CREDITS file, if it has one.
	local extdesc="$(head -n1 "$builddir"/ext/$extname/CREDITS 2>/dev/null ||:)"

	pkgdesc="PHP$_suffix extension: ${extdesc:-$extname}"
	provides="php-$extname"

	# No explicit _depends_<extname>: fall back to auto-discovery.
	: ${extdepends:=$(_resolve_extension_deps "$extname")}
	depends="$depends $extdepends"

	local load_order=$(_extension_load_order "$extname")

	# extension prefix
	local prefix=
	if [ "$extname" = "opcache" ]; then
		# opcache is loaded with the zend_extension= directive.
		prefix="zend_"
	fi

	_mv "$pkgdir"/$_extension_dir/$extname.so \
		"$subpkgdir"/$_extension_dir/

	mkdir -p "$subpkgdir"/$_extension_confd
	# File name starts with the two-digit load order so that conf.d is read
	# in dependency order. $load_order stays unquoted on purpose: word
	# splitting strips any padding around the number.
	echo "${prefix}extension=$extname" \
		> "$subpkgdir"/$_extension_confd/"$(printf %02d $load_order)"_$extname.ini
}
# Resolves dependencies of the given extension name (without $pkgname- prefix)
# on other extensions in $_extensions and prints them with $pkgname- prefix.
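_resolve_extension_deps() {
	# Globals:   builddir, _extensions, pkgname (read)
	# Arguments: $1 - extension name without the $pkgname- prefix
	# Outputs:   one "$pkgname-<dep>" line per dependency that is itself
	#            listed in $_extensions; nothing when config.w32 is missing
	local name="$1"
	# We use config.w32 just because it's more accurate than config.m4.
	local config="$builddir/ext/$name/config.w32"

	[ -f "$config" ] || return 0

	# Take the argument list after the extension name from every
	# ADD_EXTENSION_DEP('<name>', ...) call, strip quotes and commas, and
	# put one word per line.
	sed -En "s/.*ADD_EXTENSION_DEP\('$name', ([^)]+)\).*/\1/p" "$config" \
		| tr -d "'," | tr ' ' '\n' \
		| sort -u \
		| while read -r dep; do
			# Repeated spaces in the source produce empty lines.
			[ -n "$dep" ] || continue
			# $dep is text taken from the upstream tree, so match it as a
			# fixed string (-F) and end option parsing (--); as a regex,
			# a value such as "x.l" would also match "xml".
			if echo "$_extensions" | grep -qwF -- "$dep"; then
				echo "$pkgname-$dep"
			fi
		done
}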
# Prints a load order (0-based integer) for the given extension name. Extension
# with lower load order should be loaded before exts with higher load order.
# It's based on number of dependencies of the extension (with exception for
# "imap"), which is flawed, but simple and good enough for now.
_extension_load_order() {
	# Globals:   _depends_<name> (read)
	# Arguments: $1 - extension name without the $pkgname- prefix
	# Outputs:   the number of dependencies of the extension
	local name="$1"
	# eval is used for variable indirection (_depends_<name>).
	# NOTE(review): $name becomes part of evaluated shell code; callers pass
	# names taken from $_extensions in this file.
	local explicit=$(eval "echo \$_depends_$name")

	# An explicit _depends_<name> wins; otherwise the auto-discovered list is
	# counted. No per-extension special case is implemented at the moment.
	echo "${explicit:=$(_resolve_extension_deps $name)}" | wc -w
}
# Prints $_extensions sorted by load order and name.
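_extensions_by_load_order() {
	# Globals:   _extensions (read)
	# Outputs:   one extension name per line, lowest load order first and
	#            alphabetical within the same load order
	local list name

	# Build "<load order>;<name>" words.
	for name in $_extensions; do
		list="$list $(_extension_load_order $name);$name"
	done

	# $list is unquoted on purpose: one word per output line.
	# Sort the first field numerically (a plain text sort would put 10
	# before 2), then by name. The prefix is stripped with [0-9], because
	# "\d" is not part of POSIX extended regular expressions and only works
	# with regex libraries that add it as an extension.
	printf '%s\n' $list \
		| sort -t ';' -k 1,1n -k 2 \
		| sed -E 's/^[0-9]+;//'
}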
# Moves files like mv(1), but first creates the destination directory.
# Arguments: source paths followed by the destination directory (last)
_mv() {
	# The last positional argument is the destination.
	local dest arg
	for arg in "$@"; do
		dest=$arg
	done

	mkdir -p "$dest"
	mv "$@"
}
# SHA-512 digest for every entry in $source, in "<digest> <file name>" form.
# This is the integrity pin for the upstream tarball and for each local patch:
# a source whose content changes must get a regenerated digest here (for
# example with "abuild checksum"), never a hand-edited one.
sha512sums="
d66e41cdccc332fccaf03bb24356652b17be5267cba5a47d80f1b74732b674f6a23c91e4a151ca442e629de8e8bcf6daecf0b34cbcbc9e33f53b8da9f06dc6b9 php-8.0.28.tar.xz
8a9a63cddfd9bdde23db85a7be0711e14688bab35b580abd0184d370c54de80b72cbdeb369570cd23927154984f024eaad5d222d53d9e19130fb2e8758dd4540 php8-fpm.initd
cd3a96d3febde3b6657ed80ff58945641443e84e5e0fd3d9df29e640e9549bc452a3412f1999fa02ae1ee2b64c08040998fa75805f67e0252741c376e26e1c3c php8-fpm.logrotate
95f536addfbb28fbca8b14da46d95a3595369d6e98d345f55f0fda1b12bdefd1579a27505424e7d1088a987d330798253cec9bd42b544bb567189cba746217c7 php8-module.conf
6a9758c279b9755d3de99e2e8428b195a0568aad57131a4c232634243aeab5fb5da1d3ba4b657802b1ce5a7ae77a858d3e6ca2a1036e5a084ac8bdaf41745b3b disabled-tests.list
ec206639d076ddac6c2d1db697a5428ed3be979157db39417af7fbe6ab837e8dc00315ae0e55aea4f92f45ca5827c88cc4933099fad9c962f029ca81bef779d7 install-pear.patch
79f919ca110530cac2f1ed1e7a86e2c396c25022f00501b520b6bd2efa8eefd962df4ad25235b8a37d8a30d67d257baaf9dfb4041891206a5b15a9c895f1797d includedir.patch
b5d7e87df4f45171a185aec1d4cf96157b3c6b9ea9625237e31b0756220a12a64c260cc20c38bfb0146f11fca25c9c25be1981a922ecb14de5cc2965d29d8fe3 sharedir.patch
f634ac591576dff87487d239578420364edb56e977535c4a5ab799d360a799179edf1e7e6a4e6b6e5b4f58e267dbf913ed77bde140ad8425e6df4093bfa69e70 php8-fpm-version-suffix.patch
1b64a7cef9e81387f955cb60ffa4e3d2277b4f6072e9328d779c0d447c202c8ee9dff0d8d8c34abc82c150311f51c4e9316a3b72a383ca6c9a6e683bc5b349a0 fix-tests-devserver.patch
996b9a542858b0385a300265194afc57eddb72b9d7e4dcdf63b4f1ba7d3588e67309030acc73f00af1717168becd50b1d3582fcb88605e9892fd683a33cae023 xfail-openssl-1.1-test.patch
6520df6c5339d29aded942c89b0d0424a521d6b4248526b0f63f54194be05992e49b46688615d032c28ce57f484b6defc085da33239d460f67f88dc10c7a4fba openssl3.patch
fafebc840a4c8451e0a7844caa64f5d4a19410a1a9572df1b7fc1a35b881aa4a30c3e364c83a4d44410f930a39db67696cc228b761483ec20426aa7c0979afa9 fix-tests-spki-openssl3.patch
795f23dd58746e2c2afbe27bfa722eb7fab0b26a17bb10d6f41593abf278575c7278108256c870235bdd552d69685b14b00b66c86819f8330cc7f9532eddb175 fix-tests-openssl3-1.patch
c4418ca451e60da1e00195738f06d8ddbc9ba6d10530fd1b9e4c9828bf8824f412c27b2af73b4905223cbf657821eb79c4433e16414c48adeebaa3796600e9b0 fix-tests-openssl3-2.patch
2e2cc726ebed5dde0237d7d5711072d601e59d25b2ee0351fe3a615f0c11c7756aa23e38c97d3c3f7c6dbe97696202a8609c777768be4e7b2fd126db6cf43436 fix-tests-openssl3-3.patch
706498ba14ef2657dbc40136c45382578c79b4ed31f1f313dfcf8e34ce0e59761a952ec1d2ec0ecdc07af50c2220600fd615da4bfe9d3778ab8066dad54b6660 fix-icu72.patch
"