[MIR] php5-common is missing dependency on php5-json

Bug #1242726 reported by haggi on 2013-10-21
This bug affects 5 people
Affects                  Importance   Assigned to
php-json (Ubuntu)        High         Unassigned
php5 (Ubuntu)            High         Unassigned
pkg-php-tools (Ubuntu)   Undecided    Unassigned

Bug Description

MIR for php-json:

[Availability]

Available in universe; successfully built on all architectures.

[Rationale]

Useful functionality for a large proportion of php users; JSON support is
pretty essential for many web services nowadays.

New dependency of php5 (see background information below)

[Security]

JSON parsing is security sensitive, particularly in web applications, for which
PHP is often used. This package is a wrapper around json-c, which is in main
already. We do need to make sure that the wrapper is not vulnerable, but the
JSON parsing itself is already covered by json-c in main.

No other relevant security history. CVE-2009-1271 appears to refer to the JSON
module bundled with PHP and not this alternative implementation.

No suid or sgid binaries. No executables in /sbin or /usr/sbin. No daemons. No
use of privileged ports.

This is an add-on to PHP and an expected use (parsing untrusted input) is
security sensitive.

[QA]

Works with no further configuration or documentation.

No debconf questions.

No long-term outstanding bugs upstream. The only bug in Debian appears to
relate to an edge case difference in error handling behaviour, which I'm not
sure is a bug at all. No relevant bugs in Ubuntu.

Outstanding Lintian bugs all refer to PHP packaging issues; this package is
maintained by the PHP maintainer in Debian.

No exotic hardware.

Test suite is run during package build using dh_auto_test which fails on test
suite failure.

No watch file.

[Dependencies]

All in main, including libjson-c-dev.

[Standards compliance]

Packaging uses debhelper 9, standard phpize and dh-php5.

[Maintenance]

This is a straightforward wrapper around json-c. Expect to trivially keep it
synced with Debian.

The Ubuntu Server team will subscribe to the package.

[Background Information]

The JSON module bundled by PHP upstream is not DFSG compliant due to a problem
with a licence term. See
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692613 for details. So Debian
does not ship with the embedded JSON module, but instead ships php-json
(binary: php5-json), which is an independent implementation, and php depends
on it.

For parity with Debian and common use of PHP, we should have php-json in main.
Otherwise we cannot depend on php5-json, and so JSON functionality in PHP will
be broken by default.

[Original Description]

After the upgrade to saucy the function json_encode is missing from the current version of php5.

It should always be there on PHP versions >= 5.2.0 (not a pecl module anymore) [1]

to reproduce:
---
user@vm:~$ echo '<?php json_encode(true);' | php
PHP Fatal error: Call to undefined function json_encode() in - on line 1
PHP Stack trace:
PHP 1. {main}() -:0
user@vm:~$ php -v
PHP 5.5.3-1ubuntu2 (cli) (built: Oct 9 2013 14:49:12)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend OPcache v7.0.3-dev, Copyright (c) 1999-2013, by Zend Technologies
    with Xdebug v2.2.3, Copyright (c) 2002-2013, by Derick Rethans
---

[1] http://php.net/manual/en/function.json-encode.php

ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: php5 (not installed)
ProcVersionSignature: Ubuntu 3.11.0-12.19-generic 3.11.3
Uname: Linux 3.11.0-12-generic x86_64
ApportVersion: 2.12.5-0ubuntu2
Architecture: amd64
Date: Mon Oct 21 16:30:04 2013
InstallationDate: Installed on 2013-06-03 (140 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
MarkForUpload: True
SourcePackage: php5
UpgradeStatus: Upgraded to saucy on 2013-10-21 (0 days ago)


haggi (jpicht85) wrote :

adding php info

Ondřej Surý (ondrej) wrote :

It's not missing, it has been split into the php5-json package due to licensing reasons.

The fix is to install php5-json package:

sudo apt-get install php5-json

summary: - json_encode php function missing
+ php5-common is missing dependency on php5-json

To Ubuntu maintainers - cherry-pick c3d4814177.

Robie Basak (racb) wrote :

Thank you for reporting this bug and helping to make Ubuntu better.

I was unaware of the licensing problem and swap-out of PHP's json module when I merged PHP last during Saucy development. I had assumed that it would be treated by PHP developers as an add-on without the expectation that it would be available by default. I now understand that this may not be the case, and that PHP developers expect a json module to be available by default.

Since php5-json is a separate package, it has ended up in universe in Ubuntu. So we cannot simply depend on it or recommend it from php5-common since php5-common is in main.

As a workaround, users can still install php5-json from universe, though being in universe it is community supported only (e.g. for security updates).

I suppose that we need to pull php5-json (source: php-json) into main, or if we cannot then we must conclude that we're going to require users and developers to explicitly install php5-json from universe if they want it.

Changed in php5 (Ubuntu):
status: New → Triaged
importance: Undecided → High
Robie Basak (racb) wrote :

This needs:

For Trusty:

An MIR approved for php-json.
An upload for php5-common to depend on php-json in Trusty.
Move php-json to main in Trusty.

For Saucy:

Agreement from the SRU team to move php-json to main in Saucy.
An upload for php5-common to depend on php-json in Saucy.
Move php-json to main in Saucy.

description: updated
summary: - php5-common is missing dependency on php5-json
+ [MIR] php5-common is missing dependency on php5-json
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in php-json (Ubuntu):
status: New → Confirmed
Robie Basak (racb) on 2013-10-23
Changed in php-json (Ubuntu):
importance: Undecided → High
Michael Terry (mterry) wrote :

Assigning to Jamie, so he can tell me whether this needs a security review. It just wraps the C API, but maybe there are unique considerations here.

Changed in php-json (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in php-json (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Seth Arnold (seth-arnold) wrote :

I reviewed php-json version 1.3.2-2 as checked into trusty. This should
not be considered a full security audit, but rather a quick gauge of
maintainability.

One of the dependencies of php-json is in universe, pkg-php-tools, not
main. pkg-php-tools needs to be addressed before php-json can be promoted.

- php-json provides a json parser for use in php programs
- Depends upon ucf, libjson-c2, php5
- Build-depends upon php5, pkg-config, pkg-php-tools, libjson-c-dev
- Does not daemonize
- Does not itself listen on the network
- Intended uses include handling untrusted network input in an always-on
  fashion
- Package pre,post install,delete scripts clean up after each other
- No initscripts
- No Dbus services
- No setuid
- No binaries in /bin, /sbin/, /usr/bin, /usr/sbin
- No sudoers
- No udev rules
- No cronjobs
- Good tests run in build
- Clean build logs

- No subprocesses spawned
- Memory management looked safe
- Files that are opened for reading and writing are under control of API
  users
- Logging looked safe
- No use of environment variables
- No management of privileges
- Does not perform networking itself
- No encryption
- No sql
- No tmp files
- No WebKit
- No PolicyKit

php-json is some complicated code; a large portion consists of an entirely
hand-written combined lexer / parser written as a state machine rather
than as a recursive descent parser (which would be easier to write by hand
than a state machine). So while I have suspicions that problems may exist
in the parsing code by the sheer complexity of it, it is well-written and
should be maintainable. The included tests lend support to the package.

Security team ACK for promoting php-json to main.
No investigation into pkg-php-tools has been made.

Thanks

Changed in php-json (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
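The following is an added example and is not code from the bug report, from the php5 packaging or from php-json. It ties together two points raised above: the original description, where json_encode() was simply undefined because php5-json was not pulled in, and the security review, which flags the hand-written parser and the edge case error handling differences between the bundled ext/json and php-json. The script first checks that a json extension is actually loaded (printing the apt-get fix quoted in this bug if it is not), then runs a set of constructed edge-case inputs through json_decode()/json_encode() and records the JSON_ERROR_* code for each. It only uses standard PHP functions (extension_loaded, json_decode, json_last_error, json_last_error_msg, get_defined_constants); the inputs are constructed here, and the script asserts nothing about which answer is correct, since that is exactly what one would want to compare between the two implementations.

```php
<?php
// Added example; not part of the bug report, of php5 packaging or of php-json.
// Preflight for PHP JSON support:
//  (1) confirm a json extension is actually loaded (the failure in the
//      original description), and
//  (2) run constructed edge-case inputs through json_decode()/json_encode()
//      and report the JSON_ERROR_* codes, so the behaviour of whichever
//      implementation is loaded (bundled ext/json or php5-json) can be
//      recorded and compared side by side. Nothing here claims which
//      behaviour is "right".
// Uses the PHP >= 5.5 API; json_last_error_msg() is guarded in case the
// loaded implementation lacks it.

function check_json_extension()
{
    if (!extension_loaded('json') || !function_exists('json_encode')) {
        fwrite(STDERR, "json extension is not loaded\n");
        fwrite(STDERR, "on Ubuntu 13.10/14.04: sudo apt-get install php5-json\n");
        fwrite(STDERR, "php.ini: " . php_ini_loaded_file()
            . "; scanned ini files: " . php_ini_scanned_files() . "\n");
        return false;
    }
    printf("json extension loaded (PHP %s, ext version %s)\n",
        PHP_VERSION, phpversion('json'));
    return true;
}

function json_error_name($code)
{
    // Resolve the code through whatever JSON_ERROR_* constants this build defines.
    $all = get_defined_constants(true);
    $json = isset($all['json']) ? $all['json'] : array();
    foreach ($json as $name => $value) {
        if (strpos($name, 'JSON_ERROR_') === 0 && $value === $code) {
            return $name;
        }
    }
    return "unknown($code)";
}

function probe_json_decode()
{
    // Constructed inputs: each is a spot where a hand-written parser can go
    // wrong or where implementations are known to disagree.
    $cases = array(
        'plain object'            => '{"a":1,"b":[true,null,"x"]}',
        'top-level scalar'        => 'true',
        'empty input'             => '',
        'trailing comma'          => '{"a":1,}',
        'trailing garbage'        => '{"a":1} x',
        'duplicate keys'          => '{"a":1,"a":2}',
        'raw tab in string'       => "[\"a\tb\"]",
        'invalid utf-8'           => "[\"\xff\"]",
        'big integer'             => '[12345678901234567890]',
        'nesting deeper than 512' => str_repeat('[', 600) . str_repeat(']', 600),
    );
    $flags = defined('JSON_BIGINT_AS_STRING') ? JSON_BIGINT_AS_STRING : 0;
    $results = array();
    foreach ($cases as $label => $input) {
        $value = json_decode($input, true, 512, $flags);
        $code  = json_last_error();
        $msg   = function_exists('json_last_error_msg') ? json_last_error_msg() : '';
        $results[$label] = array('error' => json_error_name($code),
                                 'msg'   => $msg, 'value' => $value);
    }
    return $results;
}

function probe_json_encode()
{
    $cases = array(
        'nested array'         => array('a' => array(1, 2.5, null, "\xc3\xa9")),
        'invalid utf-8 string' => "\xff",
        'html-sensitive chars' => '<a href="x">&\'</a>',
    );
    $results = array();
    foreach ($cases as $label => $input) {
        $plain = json_encode($input);
        $code  = json_last_error();
        // Same value with the HTML-safe escaping flags (defined since PHP 5.3).
        $hex = json_encode($input, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
        $results[$label] = array('error' => json_error_name($code),
                                 'plain' => $plain, 'hex' => $hex);
    }
    return $results;
}

if (!check_json_extension()) {
    exit(1);
}
foreach (probe_json_decode() as $label => $r) {
    printf("decode %-26s %-26s %-22s %s\n", $label, $r['error'], $r['msg'],
        substr(json_encode($r['value']), 0, 40));
}
foreach (probe_json_encode() as $label => $r) {
    printf("encode %-26s %-26s plain=%s hex=%s\n", $label, $r['error'],
        var_export($r['plain'], true), var_export($r['hex'], true));
}
```

Run it once with the bundled ext/json and once with php5-json loaded (for example on a Saucy box before and after `sudo apt-get install php5-json`) and diff the two outputs; any row that differs is an error handling edge case of the kind the MIR mentions, and the invalid UTF-8, depth and big integer rows are the ones most worth checking when the input comes from the network.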
Michael Terry (mterry) wrote :

php-json is fine from a packaging/maintainability POV. Approved.

Changed in php-json (Ubuntu):
status: Confirmed → Fix Committed
Michael Terry (mterry) wrote :

pkg-php-tools is fine too! Small and simple. Approved.

Now php5 just needs to move these two packages back to Recommends from Suggests.

Changed in pkg-php-tools (Ubuntu):
status: New → Fix Committed
Matthias Klose (doko) wrote :

Override component to main
php-json 1.3.2-2 in trusty: universe/misc -> main
php5-json 1.3.2-2 in trusty amd64: universe/php/optional/100% -> main
php5-json 1.3.2-2 in trusty arm64: universe/php/optional/100% -> main
php5-json 1.3.2-2 in trusty armhf: universe/php/optional/100% -> main
php5-json 1.3.2-2 in trusty i386: universe/php/optional/100% -> main
php5-json 1.3.2-2 in trusty powerpc: universe/php/optional/100% -> main
php5-json 1.3.2-2 in trusty ppc64el: universe/php/optional/100% -> main
7 publications overridden.

Override component to main
pkg-php-tools 1.9 in trusty: universe/php -> main
pkg-php-tools 1.9 in trusty amd64: universe/php/extra/100% -> main
pkg-php-tools 1.9 in trusty arm64: universe/php/extra/100% -> main
pkg-php-tools 1.9 in trusty armhf: universe/php/extra/100% -> main
pkg-php-tools 1.9 in trusty i386: universe/php/extra/100% -> main
pkg-php-tools 1.9 in trusty powerpc: universe/php/extra/100% -> main
pkg-php-tools 1.9 in trusty ppc64el: universe/php/extra/100% -> main
7 publications overridden.

Changed in php-json (Ubuntu):
status: Fix Committed → Fix Released
Changed in pkg-php-tools (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.5.8+dfsg-2ubuntu1

---------------
php5 (5.5.8+dfsg-2ubuntu1) trusty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - debian/rules: re-enable tests
  * Previously undocumented changes:
    - d/tests/{cgi,cli,mod_php}: dep8 tests for common use cases.
  * Drop changes:
    - d/p/{CVE-2013-6420,CVE-2013-6712,fix-freetype-ftbfs}.patch: upstreamed.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe: php5-json and pkg-php-tools are now in
      main (LP: #1242726).
    - d/control, d/rules: re-enable libedit-dev: libedit-dev is now enabled in
      Debian.
  * d/tests/mod-php: rename from mod_php; the previous name was illegal.
  * d/tests/{cgi,mod-php}: use new default Apache DocumentRoot /var/www/html.
  * d/p/use-system-timezone.patch, d/tests/system-timezone: use system
    timezone by default, instead of requiring it to be configured.
    (LP: #1244343).
 -- Robie Basak <email address hidden> Tue, 21 Jan 2014 15:40:58 +0000

Changed in php5 (Ubuntu):
status: Triaged → Fix Released