File php7.spec of Package php7
#
# spec file for package php7
#
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
# Build flavor for this spec. The BUILD_FLAVOR placeholder is presumably filled in by
# the build service before the file is parsed (TODO confirm); empty means the main package.
%global flavor @BUILD_FLAVOR@%{nil}
%define php_name php7
# pprefix and psuffix are wrapped around php_name to form the Name tag of each flavor.
%if "%{flavor}" == "apache2"
%define pprefix apache2-mod_
%define psuffix %{nil}
%endif
%if "%{flavor}" == "embed" || "%{flavor}" == "fastcgi" || "%{flavor}" == "fpm"
%define pprefix %{nil}
%define psuffix -%{flavor}
%endif
%if "%{flavor}" == "test"
%define pprefix %{nil}
%define psuffix -test
%endif
%if "%{flavor}" == ""
%define pprefix %{nil}
%define psuffix %{nil}
%endif
# debug_build appends -Og to the compiler flags in the build section.
%define debug_build 0
# asan_build adds -fsanitize=address and -lasan to the generated Makefile and makes
# the check section exit early.
%define asan_build 0
# Expected PHP_API_VERSION and ZEND_MODULE_API_NO. The prep section aborts the build
# when the unpacked sources report different values.
%global apiver 20190902
%global zendver 20190902
%define extension_dir %{_libdir}/%{php_name}/extensions
%define php_sysconf %{_sysconfdir}/%{php_name}
# Feature switches: they gate the matching BuildRequires and, where still present,
# the configure options.
%define build_firebird 0
%define build_sodium 1
# Argon2 password hashing support is off by default and switched on for
# suse_version 1500 and later.
%define build_argon2 0
%if 0%{?suse_version} >= 1500
%define build_argon2 1
%endif
# The next line lets the build finish although the buildroot holds files that no files
# list packages (presumably because make install installs more than is packaged here).
# NOTE(review): with this check off, an unexpected installed file is dropped silently
# instead of failing the build, so the files lists are the only record of what ships.
%define _unpackaged_files_terminate_build 0
Name: %{pprefix}%{php_name}%{psuffix}
Version: 7.4.33
Release: 0
Summary: Interpreter for the PHP scripting language version 7
License: PHP-3.01
Group: Development/Libraries/PHP
URL: https://secure.php.net
Source0: https://secure.php.net/distributions/php-%{version}.tar.xz
Source1: mod_php7.conf
Source5: README.macros
Source6: macros.php
Source8: https://secure.php.net/distributions/php-%{version}.tar.xz.asc
Source9: %{php_name}.keyring
Source11: %{php_name}.rpmlintrc
Source12: php-fpm.tmpfiles.d
Source100: build-test.sh
## SUSE specific patches
# adjust includedir
Patch0: php-phpize.patch
# reproducible builds: (D)eterministic archives; --enable-deterministic-archives is not used in binutils
Patch1: php-ar-flags.patch
# adjust includedir
Patch2: php-php-config.patch
# SUSE specific ini defaults
Patch3: php-ini.patch
# reproducible builds: don't check for CPU instruction sets (buildhosts)
Patch4: php-no-check-cpu.patch
# use of the system timezone database
Patch5: php-systzdata-v19.patch
# adjust upstream systemd unit to SUSE needs
Patch6: php-systemd-unit.patch
# install mod_phpN into correct place
Patch7: php-install-mod_php.patch
# install embed into correct place
Patch8: php-embed.patch
# PATCH-FEATURE-OPENSUSE use ordered input files for reproducible /usr/bin/phar.phar
Patch9: php-sort-filelist-phar.patch
## Bugfix patches
# NOTE(review): the Version tag stays at 7.4.33 and the security fixes are carried as
# the patches below, so a scanner that matches on the version string alone cannot see
# them. Audit this package against the patch list (CVE id plus bsc reference) instead.
# The following patch fixes the configure tests for crypt; the aim is to have php
# built against glibc's crypt. The problem is that our glibc doesn't support extended
# DES, so as soon as upstream fixes this, don't forget to remove extended DES
# from their checks, as I indicated in crypt-tests.patch, or php will
# silently use its own implementation again.
Patch12: php-crypt-tests.patch
# should be upstreamed, will do later
Patch17: php-date-regenerate-lexers.patch
# PATCH-FEATURE-UPSTREAM https://github.com/php/php-src/pull/6564
Patch19: php-build-reproducible-phar.patch
# https://github.com/php/php-src/commit/b3646440b1808abf0874b6f89027ce53ec5da03f
Patch20: php7-gd-removed-unused-constants.patch
# CVE-2022-31631 [bsc#1206958], Due to an integer overflow PDO:quote() may return unquoted string
Patch21: php7-CVE-2022-31631.patch
# CVE-2023-0568 [bsc#1208366], NULL byte off-by-one in php_check_specific_open_basedir
Patch22: php7-CVE-2023-0568.patch
# https://github.com/php/php-src/commit/a92acbad873a05470af1a47cb785a18eadd827b5, relates to CVE-2023-0567 [bsc#1208388]
# NOTE(review): no patch in this list is named for CVE-2023-0567 itself, only this
# related over-read fix. Presumably the main issue is not reachable because the build
# uses the system crypt (see Patch12 and the libcrypt test in the check section) - confirm.
Patch23: php7-crypt-possible-buffer-overread.patch
# CVE-2023-0662 [bsc#1208367], DoS vulnerability when parsing multipart request body
Patch24: php7-CVE-2023-0662.patch
# CVE-2022-4900 [bsc#1209537], potential buffer overflow via PHP_CLI_SERVER_WORKERS environment variable
Patch25: php7-CVE-2022-4900.patch
# CVE-2023-3247 [bsc#1212349], Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP
Patch26: php7-CVE-2023-3247.patch
# CVE-2023-3824 [bsc#1214103], buffer overflows in phar_dir_read()
Patch27: php7-CVE-2023-3824.patch
# CVE-2023-3823 [bsc#1214106], XML loading external entity without being enabled
Patch28: php7-CVE-2023-3823.patch
# CVE-2024-3096 [bsc#1222858], password_verify can erroneously return true, opening ATO risk
Patch29: php7-CVE-2024-3096.patch
# CVE-2024-2756 [bsc#1222857], host/secure cookie bypass due to partial fix
Patch30: php7-CVE-2024-2756.patch
# CVE-2024-5458 [bsc#1226073], filter bypass in filter_var FILTER_VALIDATE_URL
Patch31: php7-CVE-2024-5458.patch
# CVE-2024-8927 [bsc#1231358], cgi.force_redirect configuration is bypassable due to an environment variable collision
Patch32: php7-CVE-2024-8927.patch
# CVE-2024-8925 [bsc#1231360], erroneous parsing of multipart form data in HTTP POST requests leads to legitimate data not being processed
Patch33: php7-CVE-2024-8925.patch
# CVE-2024-9026 [bsc#1231382], pollution of worker output logs in PHP-FPM
Patch34: php7-CVE-2024-9026.patch
BuildRequires: apache-rpm-macros
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: curl
BuildRequires: db-devel
BuildRequires: freetds-devel
BuildRequires: gcc-c++
BuildRequires: gmp-devel
BuildRequires: gpg2
BuildRequires: libapparmor-devel
BuildRequires: libbz2-devel
BuildRequires: libtidy-devel
BuildRequires: libtiff-devel
BuildRequires: libtool
BuildRequires: lmdb-devel
BuildRequires: imap-devel
BuildRequires: ncurses-devel
BuildRequires: net-snmp-devel
BuildRequires: openldap2-devel
BuildRequires: pkgconfig
BuildRequires: postfix
BuildRequires: postgresql-devel
BuildRequires: re2c
BuildRequires: tcpd-devel
BuildRequires: update-alternatives
BuildRequires: xz
BuildRequires: pkgconfig(enchant)
BuildRequires: pkgconfig(gdlib) >= 2.1.0
BuildRequires: pkgconfig(icu-i18n)
BuildRequires: pkgconfig(icu-io)
BuildRequires: pkgconfig(icu-uc) >= 50.1
BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(krb5-gssapi)
BuildRequires: pkgconfig(libcurl) >= 7.15.5
BuildRequires: pkgconfig(libedit)
BuildRequires: pkgconfig(libpcre2-8) >= 10.30
BuildRequires: pkgconfig(libsasl2)
BuildRequires: pkgconfig(libxml-2.0) >= 2.7.6
BuildRequires: pkgconfig(libxslt) >= 1.1.0
BuildRequires: pkgconfig(libzip) >= 0.11
BuildRequires: pkgconfig(odbc)
BuildRequires: pkgconfig(oniguruma)
BuildRequires: libopenssl-1_1-devel
BuildRequires: pkgconfig(sqlite3) > 3.7.4
BuildRequires: pkgconfig(zlib) >= 1.2.0.4
%if %{build_firebird}
# firebird-devel was merged into libfbclient2-devel for firebird 3
BuildRequires: firebird-devel
BuildRequires: libfbclient2-devel
%endif
%if %{build_sodium}
BuildRequires: pkgconfig(libsodium) >= 1.0.8
%endif
%if %{build_argon2}
BuildRequires: pkgconfig(libargon2)
%endif
%if "%{flavor}" == "test"
BuildRequires: apache-rex
BuildRequires: mod_php_any = %{version}
BuildRequires: php-cli = %{version}
BuildRequires: php-fpm = %{version}
%apache_rex_deps
%endif
%if "%{flavor}" == ""
Requires: php-sapi = %{version}
Requires: timezone
Requires(pre): group(www)
Requires(pre): user(wwwrun)
Recommends: php-ctype = %{version}
Recommends: php-dom = %{version}
Recommends: php-iconv = %{version}
Recommends: php-json = %{version}
Recommends: php-openssl = %{version}
Recommends: php-sqlite = %{version}
Recommends: php-tokenizer = %{version}
Recommends: php-xmlreader = %{version}
Recommends: php-xmlwriter = %{version}
# Recommends instead of Requires smtp_daemon bsc#1115213
Recommends: smtp_daemon
# Suggest php-* = %%{version} instead of php-* [bsc#1022158c#4]
Suggests: php-cli = %{version}
Suggests: php-gd = %{version}
Suggests: php-gettext = %{version}
Suggests: php-mbstring = %{version}
Suggests: php-mysql = %{version}
## Provides
Provides: php = %{version}
#Provides: php-api = %{apiver}
#Provides: php-zend-abi = %{zendver}
#Provides: php(api) = %{apiver}
#Provides: php(zend-abi) = %{zendver}
Provides: php-imap
# builtin extensions
#Provides: php = %{version}
#Provides: php-date = %{version}
#Provides: php-filter = %{version}
#Provides: php-hash = %{version}
#Provides: php-pcre = %{version}
#Provides: php-reflection = %{version}
#Provides: php-session = %{version}
#Provides: php-simplexml = %{version}
#Provides: php-spl = %{version}
#Provides: php-xml = %{version}
#Provides: zend = %{zendver}
Obsoletes: php < %{version}
# conflicts with php5 and should replace it
Obsoletes: php5
Obsoletes: php7-mcrypt
Conflicts: php5
Conflicts: php72
%description
PHP is a server-side HTML embedded scripting language designed
primarily for web development but also used as a general-purpose
programming language.
This package contains the base files for all subpackages and
must be installed in order to use PHP. Additionally, extension
modules and server modules (e.g. for Apache) may be installed.
%package devel
# this is required by the installed development headers
Summary: PHP7 development files for C/C++ extensions
Group: Development/Libraries/PHP
Requires: %{php_name}-pear
Requires: %{php_name}-pecl
Requires: glibc-devel
Requires: php = %{version}
Requires: pkgconfig(libpcre2-8) >= 10.30
Requires: pkgconfig(libxml-2.0) >= 2.7.6
Provides: php-devel = %{version}
Obsoletes: php5-devel
%description devel
PHP is a server-side HTML embedded scripting language designed
primarily for web development but also used as a general-purpose
programming language.
This package contains the C headers to build PHP extensions.
%endif
%if "%{flavor}" == "test"
Requires: php-cli = %{version}
%description
Run php upstream testsuite.
%endif
%if "%{flavor}" == ""
%package imap
Summary: IMAP protocol support for PHP
Group: Development/Libraries/PHP
Requires: php = %{version}
Provides: php-imap = %{version}
Obsoletes: php5-imap
%description imap
These functions enable you to operate with the IMAP protocol, as well
as the NNTP, POP3 and local mailbox access methods.
%endif
%prep
# Unpack the upstream tarball, apply the patch series, remove bundled and pre-generated
# sources, then check that the API and Zend ABI numbers match the macros of this spec.
# NOTE(review): Source8 (detached signature) and Source9 (keyring) are declared, but
# nothing in this section checks the tarball against them. Presumably the build service
# validates the signature when the sources are checked in - confirm.
%setup -q -n php-%{version}
cp %{SOURCE5} .
# Patch0 and Patch2 are applied with the default strip level, all others with -p1.
# Every Patch tag declared above has a matching line here, including the CVE fixes
# (Patch21 to Patch34).
%patch0
%patch1 -p1
%patch2
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch12 -p1
%patch17 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
# use system pcre2: the bundled copy is deleted and the build section passes
# --with-external-pcre, so PCRE2 fixes arrive through the system library package
rm -r ext/pcre/pcre2lib
# get parsers regenerated: delete the shipped .c file next to every .re source
# (the loop relies on word splitting of the find output, so paths must not contain blanks)
for parser in $(find -type f -name "*.re");do
rm -v ${parser%.*}.c
done
# Safety check for API version change.
# The lines starting with a colon are shell no-ops; their text is visible only in the
# shell trace of the build log (presumably enabled by rpmbuild), then the build stops.
vapi=$(sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h)
if test "x${vapi}" != "x%{apiver}"; then
: Error: Upstream API version is now ${vapi}, expecting %{apiver}.
: Update the apiver macro and rebuild.
exit 1
fi
# Same check for the Zend module ABI number.
vzend=$(sed -n '/#define ZEND_MODULE_API_NO/{s/^[^0-9]*//;p;}' Zend/zend_modules.h)
if test "x${vzend}" != "x%{zendver}"; then
: Error: Upstream Zend ABI version is now ${vzend}, expecting %{zendver}.
: Update the zendver macro and rebuild.
exit 1
fi
%build
# regenerate configure etc.
./buildconf --force
# export flags
# The distribution optflags come first; -O3 follows them, so it is the optimisation
# level in effect unless debug_build appends -Og further down.
# -fPIE/-fPIC together with -pie in LDFLAGS produce position-independent executables.
CFLAGS="%{optflags} -O3 -fPIE -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing"
CXXFLAGS="%{optflags} -O3 -fPIE -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing"
%if %{build_firebird}
CFLAGS="$CFLAGS -I/usr/include/firebird"
CXXFLAGS="$CXXFLAGS -I/usr/include/firebird"
%endif
%if %{debug_build}
CFLAGS="$CFLAGS -Og"
CXXFLAGS="$CXXFLAGS -Og"
%endif
export CFLAGS
export CXXFLAGS
# NOTE(review): LDFLAGS carries only -pie. RELRO and immediate binding
# (-Wl,-z,relro -Wl,-z,now) are not requested here; presumably the distribution
# toolchain defaults supply them - confirm on the built binaries.
export LDFLAGS="-pie"
export NO_INTERACTION=true
# Totally fake, it wasn't and will never be reliable anyway.
# A fixed string is exported instead of the build host's uname output.
export PHP_UNAME="Linux suse 2.6.36 #1 SMP 2011-02-21 10:34:10 +0100 x86_64 x86_64 x86_64 GNU/Linux"
# where to install extensions
export EXTENSION_DIR=%{extension_dir}
# Fix build-cli for arm and aarch64
export LIBS=-ltinfo
# build function
# Build SAPI [configure options...]
# Configures and compiles the tree for one SAPI. The first argument names the SAPI and
# selects its sysconfdir and php.ini search path; all remaining arguments are passed to
# configure unchanged. If configure fails, config.log is printed and the build stops.
# The fixed option set below turns off debug, phpdbg, rpath and static libraries and
# uses the system PCRE2 and the system timezone database.
Build()
{
sapi=$1
shift
%configure \
--datadir=%{_datadir}/%{php_name} \
--with-libdir=%{_lib} \
--includedir=%{_includedir} \
--sysconfdir=%{php_sysconf}/$sapi \
--with-config-file-path=%{php_sysconf}/$sapi \
--with-config-file-scan-dir=%{php_sysconf}/conf.d \
--with-libxml \
--enable-session \
--with-external-pcre \
--enable-xml \
--enable-simplexml \
--enable-filter \
--disable-debug \
--enable-inline-optimization \
--disable-rpath \
--disable-static \
--enable-shared \
--with-pic \
--with-gnu-ld \
--enable-re2c-cgoto \
--with-system-tzdata=%{_datadir}/zoneinfo \
--with-mhash \
--disable-phpdbg \
%if %{build_argon2}
--with-password-argon2=%{_usr} \
%endif
"$@" || { cat config.log; exit 1; }
# Some modules are built in, reasons:
# - libxml can not be shared (and is needed by PEAR)
# - spl doesn't build shared
# - simplexml is needed by spl
# - session needs to be built in, otherwise sqlite and other session engines fail
# - pcre is needed for PEAR
# - filter is built in for security reasons
# We still have hardcoded RPATH in some modules
# The sed call blanks libtool's hardcode_libdir_flag_spec and renames its runpath
# variable, so that libtool does not write a library search path into the modules.
sed -i -e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \
-e 's|^runpath_var=LD_RUN_PATH|runpath_var=LIBTOOL_IS_BROKED|g' \
libtool
# build mod_phpN.so instead of libphpN.so
# rename does not suffice, see bsc#1089487
# NOTE(review): $sapi is unquoted and == is a bash extension to the test builtin; this
# works for the fixed argument passed in this file but would fail on an empty value.
if [ $sapi == apache2 ]; then
sed -i 's/libphp/mod_php/' Makefile
fi
%if %{asan_build}
# AddressSanitizer build: append the sanitizer flag to the CFLAGS lines and -lasan to
# the EXTRA_LIBS line of the generated Makefile.
sed -i -e 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' \
-e 's/\(^EXTRA_LIBS =.*\)/\1 -lasan/' \
Makefile
%endif
make %{?_smp_mflags}
}
%if "%{flavor}" == ""
# Build the CLI SAPI. --disable-all switches off every extension that is not requested
# explicitly, so besides the options fixed inside Build() only imap (as a shared
# module, with SSL support) is enabled; phar and cgi are disabled. The long list of
# options below this call is commented out and has no effect.
Build cli \
--enable-cli \
--with-imap=shared \
--with-imap-ssl \
--disable-phar \
--disable-cgi \
--disable-all
# --enable-bcmath=shared \
# --enable-calendar=shared \
# --enable-ctype=shared \
# --enable-dom=shared \
# --enable-exif=shared \
# --enable-ftp=shared \
# --enable-mbstring=shared \
# --enable-mbregex \
# --enable-mysqlnd=shared \
# --enable-pcntl=shared \
# --enable-posix=shared \
# --enable-shmop=shared \
# --enable-soap=shared \
# --enable-sockets=shared \
# --enable-sysvmsg=shared \
# --enable-sysvsem=shared \
# --enable-sysvshm=shared \
# --enable-tokenizer=shared \
# --enable-fileinfo=shared \
# --with-zlib=shared \
# --with-bz2=shared \
# --with-curl=shared \
# --enable-gd=shared \
# --with-external-gd \
# --with-gettext=shared \
# --with-gmp=shared \
# --with-iconv=shared \
# --with-kerberos \
# --enable-json=shared \
# --with-ldap=shared \
# --with-ldap-sasl \
# --with-libedit=shared \
# --with-mysql-sock=%{_rundir}/mysql/mysql.sock \
# --with-mysqli=shared,mysqlnd \
# --with-unixODBC=shared,%{_usr} \
# --with-openssl=shared \
# --with-pgsql=shared,%{_usr} \
# --enable-phar=shared \
# --with-enchant=shared \
# --with-snmp=shared \
# --with-xmlrpc=shared \
# --enable-xmlreader=shared \
# --enable-xmlwriter=shared \
# --with-xsl=shared \
# --with-tidy=shared,%{_usr} \
# --enable-dba=shared \
# --with-db4=%{_usr} \
# --with-lmdb=%{_usr} \
# --without-gdbm \
# --with-cdb \
# --enable-pdo=shared \
# --with-pdo-sqlite=shared \
# --with-sqlite3=shared \
# --with-pdo-mysql=shared,mysqlnd \
#%if %{build_firebird}
# --with-pdo-firebird=shared \
#%endif
# --with-pdo-pgsql=shared,%{_usr} \
# --with-pdo-odbc=shared,unixODBC,%{_usr} \
#%if %{build_sodium}
# --with-sodium=shared \
#%endif
# --enable-opcache=shared \
# --with-zip=shared \
# --enable-intl=shared \
# --disable-cgi
%endif
%check
%if %{asan_build}
# no need for ASAN build
exit 0
%endif
%if "%{flavor}" == "test"
# Run tests, using the CLI SAPI
# The interpreter under test is /usr/bin/php from the php-cli build dependency, not a
# binary compiled in this tree.
export NO_INTERACTION=1 REPORT_EXIT_STATUS=1 LANG=POSIX LC_ALL=POSIX
unset TZ
# We save results for further investigation for QA
# NOTE(review): the exit status of run-tests.php is discarded twice: the pipeline
# reports the status of tee (unless pipefail is set), and "|| true" masks the rest.
# REPORT_EXIT_STATUS=1 therefore has no effect, and a failing test, including one that
# covers a patched CVE, does not fail this build. Failures are visible only in
# testresults.txt and in the diff dump below.
TEST_PHP_EXECUTABLE=/usr/bin/php php run-tests.php | tee testresults.txt || true
# Tracing is switched off while the .diff file of every failed test is printed.
set +x
for f in $(find .. -name "*.diff" -type f -print); do
echo "TEST FAILURE: $f --"
cat "$f"
echo "-- $f result ends."
done
set -x
unset NO_INTERACTION REPORT_EXIT_STATUS
# Apache HTTPD runnable examples test
%apache_rex_check -m libs mod_php-basic
%apache_rex_check -m libs -b sapi/fpm mod_proxy_fcgi-php-fpm mod_proxy_fcgi-php-fpm-auth-RewriteRule mod_proxy_fcgi-php-fpm-CGIPassAuth
# The test flavor always ends the check section successfully here.
exit 0
%endif
%if "%{flavor}" == ""
# Guard: the freshly built CLI binary must list the system libcrypt among its
# shared-library dependencies; otherwise stop the build.
if ! ldd sapi/cli/php | grep libcrypt.so >/dev/null; then
    echo 'php does not link against system libcrypt.'
    exit 1
fi
# check if we link against system libgd
#if [ -z "$(ldd modules/gd.so | grep libgd.so)" ]; then
# echo 'php-gd does not link against system libgd.'
# exit 1
#fi
%endif
%install
# do the actual installation
%if "%{flavor}" == ""
make install INSTALL_ROOT=%{buildroot}
# generate php.ini from php.ini-production:
# the @extdir@ placeholder is replaced with the extension directory, and html_errors,
# implicit_flush, max_execution_time and register_argc_argv are commented out for the CLI.
install -dm 755 %{buildroot}%{_datadir}/%{php_name}
install -dm 755 %{buildroot}%{php_sysconf}/conf.d
install -dm 755 %{buildroot}%{php_sysconf}/cli
sed "s=@extdir@=%{extension_dir}=" php.ini-production | sed -r 's/^(html_errors|implicit_flush|max_execution_time|register_argc_argv)/;\1/' > %{buildroot}%{php_sysconf}/cli/php.ini
# prepare configuration files for each extension
# Static archives (.a) are deleted. Every other entry in the extension directory gets a
# conf.d ini file containing a load line, so a module is enabled as soon as its
# package is installed.
for f in %{buildroot}%{extension_dir}/*; do
if test ${f##*.} = a; then
rm $f
continue
fi
if test ${f##*.} = so; then
f=${f%.so}
fi
# ext is the file name without directory and without the .so suffix
ext=${f##*/}
echo "; comment out next line to disable $ext extension in php" > %{buildroot}%{php_sysconf}/conf.d/$ext.ini
zend_=''
if [ $ext == "opcache" ]; then
# https://secure.php.net/manual/en/opcache.installation.php
# opcache is loaded with zend_extension= instead of extension=
zend_='zend_'
fi
echo "${zend_}extension=$ext.so" >> %{buildroot}%{php_sysconf}/conf.d/$ext.ini
done
# directory for sessions (owner and mode are set in the files section)
install -d %{buildroot}%{_localstatedir}/lib/%{php_name}
# fix symlink (bnc#734176)
ln -s %{_bindir}/php %{buildroot}%{_bindir}/%{php_name}
# install the macros file:
# the API and Zend ABI placeholders in the template are filled with the values
# verified in the prep section
install -d %{buildroot}%{_rpmconfigdir}/macros.d
sed -e "s/@PHP_APIVER@/%{apiver}/;s/@PHP_ZENDVER@/%{zendver}/" %{SOURCE6} > macros.php
install -m 644 -c macros.php %{buildroot}%{_rpmconfigdir}/macros.d/macros.php
# install missing SAPI headers for embed
install -d %{buildroot}%{_includedir}/%{php_name}/sapi/embed
install -m 644 sapi/embed/php_embed.h %{buildroot}%{_includedir}/%{php_name}/sapi/embed/php_embed.h
# mysqlnd must be loaded before mysqli (undefined symbol: mysqlnd_global_stats)
# mv %{buildroot}%{php_sysconf}/conf.d/{,20-}mysqlnd.ini
%endif
%if "%{flavor}" == ""
# Main package: documentation, licence and the directories shared by all subpackages.
%files
%defattr(-, root, root)
%doc README.md CODING_STANDARDS.md EXTENSIONS NEWS UPGRADING CONTRIBUTING.md README.REDIST.BINS UPGRADING.INTERNALS
%license LICENSE
%dir %{_datadir}/%{php_name}
%dir %{_libdir}/%{php_name}
%dir %{extension_dir}
%dir %{php_sysconf}
%dir %{php_sysconf}/conf.d
# Session directory (created in the install section): owned by the account named by
# the apache_user macro, group root, mode 0755.
# NOTE(review): 0755 lets every local account list this directory, and PHP's file
# session handler stores one file per session, named after the session id. Consider
# dropping the group and other bits if no other account has to read it - confirm
# against the session.save_path configured for each SAPI.
%attr(0755, %{apache_user}, root) %dir %{_localstatedir}/lib/%{php_name}
#%files cli
#%defattr(-, root, root)
#%config(noreplace) %{php_sysconf}/cli/php.ini
#%dir %{php_sysconf}/cli
#%{_bindir}/php
#%{_bindir}/%{php_name}
#%{_mandir}/man1/php.1%{?ext_man}
%files devel
%defattr(-, root, root)
%doc README.macros
%{_mandir}/man1/phpize.1%{?ext_man}
%{_mandir}/man1/php-config.1%{?ext_man}
%{_includedir}/%{php_name}
%{_bindir}/phpize
%{_bindir}/php-config
%{_datadir}/%{php_name}/build
%{_rpmconfigdir}/macros.d/macros.php
%endif
%if "%{flavor}" == ""
%files imap
%defattr(-, root, root)
%{extension_dir}/imap.so
%config(noreplace) %{php_sysconf}/conf.d/imap.ini
%endif
%if "%{flavor}" == "test"
%files
%defattr(-, root, root)
%doc testresults.txt
%endif
%changelog