[MIR] php5-common is missing dependency on php5-json

Bug #1242726 reported by haggi
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
php-json (Ubuntu) | Fix Released | High | Unassigned |
php5 (Ubuntu) | Fix Released | High | Unassigned |
pkg-php-tools (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

MIR for php-json:

[Availability]

Available in universe; successfully built on all architectures.

[Rationale]

Useful functionality for a large proportion of php users; JSON support is
pretty essential for many web services nowadays.

New dependency of php5 (see background information below)

[Security]

JSON parsing is security sensitive, particularly in web applications for which
PHP is often used. This package is a wrapper around json-c which is in main
already. We do need to make sure that the wrapper is not vulnerable, but the
JSON parsing itself is already covered by json-c in main.

No other relevant security history. CVE-2009-1271 appears to refer to the JSON
module bundled with PHP and not this alternative implementation.

No suid or sgid binaries. No executables in /sbin or /usr/sbin. No daemons. No
use of privileged ports.

This is an add-on to PHP and an expected use (parsing untrusted input) is
security sensitive.

[QA]

Works with no further configuration or documentation.

No debconf questions.

No long-term outstanding bugs upstream. The only bug in Debian appears to
relate to an edge case difference in error handling behaviour, which I'm not
sure is a bug at all. No relevant bugs in Ubuntu.

Outstanding Lintian bugs all refer to PHP packaging issues; this package is
maintained by the PHP maintainer in Debian.

No exotic hardware.

Test suite is run during package build using dh_auto_test which fails on test
suite failure.

No watch file.

[Dependencies]

All in main, including libjson-c-dev.

[Standards compliance]

Packaging uses debhelper 9, standard phpize and dh-php5.

[Maintenance]

This is a straightforward wrapper around json-c. Expect to trivially keep
synced with Debian.

The Ubuntu Server team will subscribe to the package.

[Background Information]

The JSON module bundled by PHP upstream is not DFSG compliant due to a problem
with a licence term. See
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692613 for details. So Debian
does not ship with the embedded JSON module, but instead ships php-json
(binary: php5-json) which is an independent implementation, and php depends
on it.

For parity with Debian and common use of PHP, we should have php-json in main.
Otherwise we cannot depend on php5-json, and so JSON functionality in PHP will
be broken by default.

[Original Description]

After the upgrade to saucy the function json_encode is missing from the current version of php5.

It should be always there on PHP versions >= 5.2.0 (not a pecl module anymore) [1]

to reproduce:
---
user@vm:~$ echo '<?php json_encode(true);' | php
PHP Fatal error: Call to undefined function json_encode() in - on line 1
PHP Stack trace:
PHP 1. {main}() -:0
user@vm:~$ php -v
PHP 5.5.3-1ubuntu2 (cli) (built: Oct 9 2013 14:49:12)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend OPcache v7.0.3-dev, Copyright (c) 1999-2013, by Zend Technologies
    with Xdebug v2.2.3, Copyright (c) 2002-2013, by Derick Rethans
---

[1] http://php.net/manual/en/function.json-encode.php

ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: php5 (not installed)
ProcVersionSignature: Ubuntu 3.11.0-12.19-generic 3.11.3
Uname: Linux 3.11.0-12-generic x86_64
ApportVersion: 2.12.5-0ubuntu2
Architecture: amd64
Date: Mon Oct 21 16:30:04 2013
InstallationDate: Installed on 2013-06-03 (140 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
MarkForUpload: True
SourcePackage: php5
UpgradeStatus: Upgraded to saucy on 2013-10-21 (0 days ago)


Revision history for this message
haggi (jpicht85) wrote :

adding php info

Revision history for this message
Ondřej Surý (ondrej) wrote :

It's not missing, it has been split to the php5-json package due to licensing reasons.

The fix is to install php5-json package:

sudo apt-get install php5-json

summary: - json_encode php function missing
+ php5-common is missing dependency on php5-json
Revision history for this message
Ondřej Surý (ondrej) wrote : Re: php5-common is missing dependency on php5-json

To Ubuntu maintainers - cherry-pick c3d4814177.

Revision history for this message
Robie Basak (racb) wrote :

Thank you for reporting this bug and helping to make Ubuntu better.

I was unaware of the licensing problem and swap-out of PHP's json module when I merged PHP last during Saucy development. I had assumed that it would be treated by PHP developers as an add-on without the expectation that it would be available by default. I now understand that this may not be the case, and that PHP developers expect a json module to be available by default.

Since php5-json is a separate package, it has ended up in universe in Ubuntu. So we cannot simply depend on it or recommend it from php5-common since php5-common is in main.

As a workaround, users can still install php5-json from universe, though being in universe it is community supported only (e.g. for security updates).

I suppose that we need to pull php5-json (source: php-json) into main, or if we cannot then we must conclude that we're going to require users and developers to explicitly install php5-json from universe if they want it.

Changed in php5 (Ubuntu):
status: New → Triaged
importance: Undecided → High
Revision history for this message
Robie Basak (racb) wrote :

This needs:

For Trusty:

An MIR approved for php-json.
An upload for php5-common to depend on php-json in Trusty.
Move php-json to main in Trusty.

For Saucy:

Agreement from the SRU team to move php-json to main in Saucy.
An upload for php5-common to depend on php-json in Saucy.
Move php-json to main in Saucy.

description: updated
summary: - php5-common is missing dependency on php5-json
+ [MIR] php5-common is missing dependency on php5-json
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in php-json (Ubuntu):
status: New → Confirmed
Robie Basak (racb)
Changed in php-json (Ubuntu):
importance: Undecided → High
Revision history for this message
Michael Terry (mterry) wrote :

Assigning to Jamie, so he can tell me whether this needs a security review. It just wraps the C API, but maybe there are unique considerations here.

Changed in php-json (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in php-json (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed php-json version 1.3.2-2 as checked into trusty. This should
not be considered a full security audit, but rather a quick gauge of
maintainability.

One of the dependencies of php-json is in universe, pkg-php-tools, not
main. pkg-php-tools needs to be addressed before php-json can be promoted.

- php-json provides a json parser for use in php programs
- Depends upon ucf, libjson-c2, php5
- Build-depends upon php5, pkg-config, pkg-php-tools, libjson-c-dev
- Does not daemonize
- Does not itself listen on the network
- Intended uses include handling untrusted network input in an always-on
  fashion
- Package pre,post install,delete scripts clean up after each other
- No initscripts
- No Dbus services
- No setuid
- No binaries in /bin, /sbin/, /usr/bin, /usr/sbin
- No sudoers
- No udev rules
- No cronjobs
- Good tests run in build
- Clean build logs

- No subprocesses spawned
- Memory management looked safe
- Files that are opened for reading and writing are under control of API
  users
- Logging looked safe
- No use of environment variables
- No management of privileges
- Does not perform networking itself
- No encryption
- No sql
- No tmp files
- No WebKit
- No PolicyKit

php-json is some complicated code; a large portion consists of an entirely
hand-written combined lexer / parser written as a state machine rather
than as a recursive descent parser (which would be easier to write by hand
than a state machine). So while I have suspicions that problems may exist
in the parsing code by the sheer complexity of it, it is well-written and
should be maintainable. The included tests lend to supporting the package.

Security team ACK for promoting php-json to main.
No investigation into pkg-php-tools has been made.

Thanks

Changed in php-json (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
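The review above contrasts php-json's hand-written state-machine lexer/parser with a recursive-descent parser and notes that the intended use is untrusted network input. The following is an added illustration, not code from php-json, json-c, PHP or any of the participants: a small recursive-descent JSON parser in Python that shows the structure the reviewer has in mind together with the two checks a parser fed untrusted input needs, a hard nesting-depth limit and strict rejection of trailing or malformed bytes. The class and function names, the error messages and the depth accounting are this example's own.

```python
import re

# Added illustration, not code from php-json, json-c or PHP: a recursive-descent
# JSON parser with a hard nesting limit and strict rejection of bad input.
# Names, messages and the depth accounting are this example's own.
_NUMBER = re.compile(r"-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][-+]?\d+)?")
_STRING = re.compile(r'"((?:[^"\\\x00-\x1f]|\\["\\/bfnrt]|\\u[0-9a-fA-F]{4})*)"')
_ESCAPE = re.compile(r"\\(u[0-9a-fA-F]{4}|.)")
_SIMPLE = {'"': '"', "\\": "\\", "/": "/", "b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t"}


class JSONError(ValueError):
    """Raised for any malformed or over-limit input."""


def _unescape(m):
    e = m.group(1)  # surrogate pairs are left as two separate code points
    return chr(int(e[1:], 16)) if e[0] == "u" else _SIMPLE[e]


class Parser:
    def __init__(self, text, max_depth=64):
        self.s, self.i, self.max_depth = text, 0, max_depth

    def _tok(self):
        """Skip whitespace and return the next character ('' at end of input)."""
        while self.i < len(self.s) and self.s[self.i] in " \t\n\r":
            self.i += 1
        return self.s[self.i] if self.i < len(self.s) else ""

    def _expect(self, ch):
        if self._tok() != ch:
            raise JSONError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def parse(self):
        value = self._value(0)
        if self._tok() != "":  # reject anything after the document
            raise JSONError(f"trailing data at offset {self.i}")
        return value

    def _value(self, depth):
        if depth > self.max_depth:  # hard bound on recursion / stack use
            raise JSONError(f"nesting deeper than {self.max_depth}")
        c = self._tok()
        if c == "{":
            return dict(self._items("{", "}", lambda: self._member(depth + 1)))
        if c == "[":
            return self._items("[", "]", lambda: self._value(depth + 1))
        if c == '"':
            return self._string()
        for lit, val in (("true", True), ("false", False), ("null", None)):
            if self.s.startswith(lit, self.i):
                self.i += len(lit)
                return val
        m = _NUMBER.match(self.s, self.i)
        if not m:
            raise JSONError(f"unexpected input at offset {self.i}")
        self.i = m.end()
        return float(m.group()) if any(x in m.group() for x in ".eE") else int(m.group())

    def _items(self, opener, closer, item):
        """Parse 'opener [item (, item)*] closer' and return the items as a list."""
        self._expect(opener)
        out = []
        if self._tok() == closer:
            self.i += 1
            return out
        while True:
            out.append(item())
            if self._tok() != ",":  # anything other than ',' must be the closer
                self._expect(closer)
                return out
            self.i += 1

    def _member(self, depth):
        if self._tok() != '"':
            raise JSONError(f"expected string key at offset {self.i}")
        key = self._string()
        self._expect(":")
        return key, self._value(depth)

    def _string(self):
        m = _STRING.match(self.s, self.i)
        if not m:  # unterminated, bad escape, or raw control character
            raise JSONError(f"bad string at offset {self.i}")
        self.i = m.end()
        return _ESCAPE.sub(_unescape, m.group(1))


def loads(text, max_depth=64):
    return Parser(text, max_depth).parse()


def safe_loads(text, max_depth=64):
    """Return (value, None) on success or (None, reason) when the input is rejected."""
    try:
        return loads(text, max_depth), None
    except JSONError as exc:
        return None, str(exc)
```

Each grammar rule is one method, so the parser's control flow mirrors the JSON grammar and is easy to review; the depth counter passed down the recursion is what keeps a deliberately deep document like `[[[[...]]]]` from exhausting the stack. PHP's json_decode() exposes a similar limit through its depth argument, though the counting in this example is its own and is not claimed to match PHP's.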
Revision history for this message
Michael Terry (mterry) wrote :

php-json is fine from a packaging/maintainability POV. Approved.

Changed in php-json (Ubuntu):
status: Confirmed → Fix Committed
Revision history for this message
Michael Terry (mterry) wrote :

pkg-php-tools is fine too! Small and simple. Approved.

Now php5 just needs to move these two packages back to Recommends from Suggests.

Changed in pkg-php-tools (Ubuntu):
status: New → Fix Committed
Revision history for this message
Matthias Klose (doko) wrote :

Override component to main
php-json 1.3.2-2 in trusty: universe/misc -> main
php5-json 1.3.2-2 in trusty amd64: universe/php/optional/100% -> main
php5-json 1.3.2-2 in trusty arm64: universe/php/optional/100% -> main
php5-json 1.3.2-2 in trusty armhf: universe/php/optional/100% -> main
php5-json 1.3.2-2 in trusty i386: universe/php/optional/100% -> main
php5-json 1.3.2-2 in trusty powerpc: universe/php/optional/100% -> main
php5-json 1.3.2-2 in trusty ppc64el: universe/php/optional/100% -> main
7 publications overridden.

Override component to main
pkg-php-tools 1.9 in trusty: universe/php -> main
pkg-php-tools 1.9 in trusty amd64: universe/php/extra/100% -> main
pkg-php-tools 1.9 in trusty arm64: universe/php/extra/100% -> main
pkg-php-tools 1.9 in trusty armhf: universe/php/extra/100% -> main
pkg-php-tools 1.9 in trusty i386: universe/php/extra/100% -> main
pkg-php-tools 1.9 in trusty powerpc: universe/php/extra/100% -> main
pkg-php-tools 1.9 in trusty ppc64el: universe/php/extra/100% -> main
7 publications overridden.

Changed in php-json (Ubuntu):
status: Fix Committed → Fix Released
Changed in pkg-php-tools (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.5.8+dfsg-2ubuntu1

---------------
php5 (5.5.8+dfsg-2ubuntu1) trusty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - debian/rules: re-enable tests
  * Previously undocumented changes:
    - d/tests/{cgi,cli,mod_php}: dep8 tests for common use cases.
  * Drop changes:
    - d/p/{CVE-2013-6420,CVE-2013-6712,fix-freetype-ftbfs}.patch: upstreamed.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe: php5-json and pkg-php-tools are now in
      main (LP: #1242726).
    - d/control, d/rules: re-enable libedit-dev: libedit-dev is now enabled in
      Debian.
  * d/tests/mod-php: rename from mod_php; the previous name was illegal.
  * d/tests/{cgi,mod-php}: use new default Apache DocumentRoot /var/www/html.
  * d/p/use-system-timezone.patch, d/tests/system-timezone: use system
    timezone by default, instead of requiring it to be configured.
    (LP: #1244343).
 -- Robie Basak <email address hidden> Tue, 21 Jan 2014 15:40:58 +0000

Changed in php5 (Ubuntu):
status: Triaged → Fix Released