Accepting request 1328029 from devel:languages:php

remove a patch, which breaks phar.phar [bsc#1256905]

OBS-URL: https://build.opensuse.org/request/show/1328029
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/php8?expand=0&rev=100

php-8.4.16.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEBhbpPZWvRxJD4mdhdwQm4X67s90FAmlBhAYACgkQdwQm4X67
-s91cJA/6ApQMxSiKzPNb9H16elfGQ5xxpPdOiLphtfSXDrwfAkuXTMGLa1H6wM3y
-pTl0dLE8n13lHoUHFhI6Ytw24ny+NEewWjODOc0N7WT8JaJJGdtV9S3gQVukzxPV
-VgfB6Ikro0WDAaN5kbYt4MKlICvwBvVOyQ/qNR0NjzyIcnYKA2EiDM6vgImLW34c
-6zys7H/pR9HZS6gQMwNXndHuyzkgsy5T7+FzJq0Ihj1V0ymWJFm9VOVIEos1siQ6
-547VF0W5xj7nVDZStt7hkAaJUBYWqN2vrchRsO3uSW+cPO8XNSSjtvs8l0pb3qm/
-nr4HKqC4fDcp5h5L7PlePhaQFP8G6lyaKi85gfzC44pfUGZixjkwuLE71L4QFQTa
-YE7FaHgjoC6fxiSDp1MK5a+1REPuDJFAzSBs54JlgsiQIjM/SqZbhnzaKhXLLw6M
-ovU2/GOvGhslj9EnFnzFOUrNfiG0v2cFNbZ7AYjPt6yRov32n0SV6QCkv2+q0KEK
-C1isYyy4ofTQKVDoQP1Fcb6USyDPHV6b2CvTHYwR2/+/mT8w3xI/NEgQqr53fy8x
-eZxYSMFXJ6rx5TRZzKdPwgzPu3j5IZSmXII9am6bJSYKyp8hxWq6DJ+Oatk06CAA
-mP91xlA82UcM0XGH9ReRTzrV7C7KBE6jRkj6A3HjImkYbeDR6+A=
-=LDlD
------END PGP SIGNATURE-----

php-8.4.17.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:28b234e347286158cae921d61283eb1169d89bc9d2e5f5976567260ff38b0bfa
+size 13670792

php-8.4.17.tar.xz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQSdf5mgy48FyKaVjWJWqXr3YAo5pgUCaWaERAAKCRBWqXr3YAo5
+prxcAP9z/3HjeI9EHFbHjQ2PVK5iRPq17u5FLe6WymQKCkLpYgEA2R9HJmWVRjaV
+ND2gKyWhPt3WwCKQgN/FupiJMxJMIwk=
+=BRQZ
+-----END PGP SIGNATURE-----

php-build-reproducible-phar.patch

@@ -16,11 +16,11 @@ Signed-off-by: Arjen de Korte <build+github@de-korte.org>
  ext/phar/zip.c           |  2 +-
  6 files changed, 18 insertions(+), 5 deletions(-)
 
-Index: php-8.4.16/ext/phar/phar.c
+Index: php-8.4.17/ext/phar/phar.c
 ===================================================================
---- php-8.4.16.orig/ext/phar/phar.c
-+++ php-8.4.16/ext/phar/phar.c
-@@ -2936,7 +2936,7 @@ int phar_flush_ex(phar_archive_data *pha
+--- php-8.4.17.orig/ext/phar/phar.c
++++ php-8.4.17/ext/phar/phar.c
+@@ -2942,7 +2942,7 @@ int phar_flush_ex(phar_archive_data *pha
  			4: metadata-len
  			+: metadata
  		*/
@@ -29,11 +29,11 @@ Index: php-8.4.16/ext/phar/phar.c
  		phar_set_32(entry_buffer, entry->uncompressed_filesize);
  		phar_set_32(entry_buffer+4, mytime);
  		phar_set_32(entry_buffer+8, entry->compressed_filesize);
-Index: php-8.4.16/ext/phar/phar_internal.h
+Index: php-8.4.17/ext/phar/phar_internal.h
 ===================================================================
---- php-8.4.16.orig/ext/phar/phar_internal.h
-+++ php-8.4.16/ext/phar/phar_internal.h
-@@ -315,6 +315,21 @@ static inline php_stream *phar_get_pharf
+--- php-8.4.17.orig/ext/phar/phar_internal.h
++++ php-8.4.17/ext/phar/phar_internal.h
+@@ -316,6 +316,21 @@ static inline php_stream *phar_get_pharf
  	return PHAR_G(cached_fp)[phar->phar_pos].fp;
  }
  
@@ -55,10 +55,10 @@ Index: php-8.4.16/ext/phar/phar_internal.h
  static inline enum phar_fp_type phar_get_fp_type(const phar_entry_info *entry)
  {
  	if (!entry->is_persistent) {
-Index: php-8.4.16/ext/phar/stream.c
+Index: php-8.4.17/ext/phar/stream.c
 ===================================================================
---- php-8.4.16.orig/ext/phar/stream.c
-+++ php-8.4.16/ext/phar/stream.c
+--- php-8.4.17.orig/ext/phar/stream.c
++++ php-8.4.17/ext/phar/stream.c
 @@ -473,7 +473,7 @@ static int phar_stream_flush(php_stream
  	phar_entry_data *data = (phar_entry_data *) stream->abstract;
  
@@ -68,10 +68,10 @@ Index: php-8.4.16/ext/phar/stream.c
  		ret = phar_flush(data->phar, &error);
  		if (error) {
  			php_stream_wrapper_log_error(stream->wrapper, REPORT_ERRORS, "%s", error);
-Index: php-8.4.16/ext/phar/tar.c
+Index: php-8.4.17/ext/phar/tar.c
 ===================================================================
---- php-8.4.16.orig/ext/phar/tar.c
-+++ php-8.4.16/ext/phar/tar.c
+--- php-8.4.17.orig/ext/phar/tar.c
++++ php-8.4.17/ext/phar/tar.c
 @@ -972,7 +972,7 @@ int phar_tar_flush(phar_archive_data *ph
  	char *buf, *signature, sigbuf[8];
  
@@ -81,10 +81,10 @@ Index: php-8.4.16/ext/phar/tar.c
  	entry.is_modified = 1;
  	entry.is_crc_checked = 1;
  	entry.is_tar = 1;
-Index: php-8.4.16/ext/phar/util.c
+Index: php-8.4.17/ext/phar/util.c
 ===================================================================
---- php-8.4.16.orig/ext/phar/util.c
-+++ php-8.4.16/ext/phar/util.c
+--- php-8.4.17.orig/ext/phar/util.c
++++ php-8.4.17/ext/phar/util.c
 @@ -701,7 +701,7 @@ phar_entry_data *phar_get_or_create_entr
  
  	phar_add_virtual_dirs(phar, path, path_len);
@@ -94,10 +94,10 @@ Index: php-8.4.16/ext/phar/util.c
  	etemp.is_crc_checked = 1;
  	etemp.phar = phar;
  	etemp.filename = estrndup(path, path_len);
-Index: php-8.4.16/ext/phar/zip.c
+Index: php-8.4.17/ext/phar/zip.c
 ===================================================================
---- php-8.4.16.orig/ext/phar/zip.c
-+++ php-8.4.16/ext/phar/zip.c
+--- php-8.4.17.orig/ext/phar/zip.c
++++ php-8.4.17/ext/phar/zip.c
 @@ -1251,7 +1251,7 @@ int phar_zip_flush(phar_archive_data *ph
  
  	pass.error = &temperr;

php-sort-filelist-phar.patch

@@ -1,13 +0,0 @@
-Index: php-8.4.1/ext/phar/Makefile.frag
-===================================================================
---- php-8.4.1.orig/ext/phar/Makefile.frag
-+++ php-8.4.1/ext/phar/Makefile.frag
-@@ -45,7 +45,7 @@ $(builddir)/phar.phar: $(builddir)/phar.
- 	if [ "$(TEST_PHP_EXECUTABLE_RES)" != 1 ]; then \
- 		rm -f $(builddir)/phar.phar; \
- 		rm -f $(srcdir)/phar.phar; \
--		$(PHP_PHARCMD_EXECUTABLE) $(PHP_PHARCMD_SETTINGS) $(builddir)/phar.php pack -f $(builddir)/phar.phar -a pharcommand -c auto -p 0 -s $(srcdir)/phar/phar.php -h sha1 -b "$(PHP_PHARCMD_BANG)"  $(srcdir)/phar/; \
-+		$(PHP_PHARCMD_EXECUTABLE) $(PHP_PHARCMD_SETTINGS) $(builddir)/phar.php pack -f $(builddir)/phar.phar -a pharcommand -c auto -p 0 -s $(srcdir)/phar/phar.php -h sha1 -b "$(PHP_PHARCMD_BANG)"  -l 9  $(srcdir)/phar/*.inc; \
- 		chmod +x $(builddir)/phar.phar; \
- 	else \
- 		echo "Skipping phar.phar generating during cross compilation"; \

php8.changes

@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Mon Jan 19 08:21:08 UTC 2026 - Petr Gajdos <pgajdos@suse.com>
+
+- remove a patch, which breaks phar.phar [bsc#1256905]
+  * php-sort-filelist-phar.patch (upstreamed)
+- modified patches
+  * php-build-reproducible-phar.patch (refreshed)
+
+-------------------------------------------------------------------
+Thu Jan 15 19:55:23 UTC 2026 - Arjen de Korte <suse+build@de-korte.org>
+
+- version update to 8.4.17
+    Core:
+        Fix OSS-Fuzz #465488618 (Wrong assumptions when dumping function signature with dynamic class const lookup default argument).
+        Fixed bug GH-20695 (Assertion failure in normalize_value() when parsing malformed INI input via parse_ini_string()).
+        Fixed bug GH-20714 (Uncatchable exception thrown in generator).
+        Fixed bug GH-20352 (UAF in php_output_handler_free via re-entrant ob_start() during error deactivation).
+    Bz2:
+        Fixed bug GH-20620 (bzcompress overflow on large source size).
+    DOM:
+        Fixed bug GH-20722 (Null pointer dereference in DOM namespace node cloning via clone on malformed objects).
+        Fixed bug GH-20444 (Dom\XMLDocument::C14N() seems broken compared to DOMDocument::C14N()).
+    GD:
+        Fixed bug GH-20622 (imagestring/imagestringup overflow).
+    Intl:
+        Fix leak in umsg_format_helper().
+    LDAP:
+        Fix memory leak in ldap_set_options().
+    Mbstring:
+        Fixed bug GH-20674 (mb_decode_mimeheader does not handle separator).
+    PCNTL:
+        Fixed bug with pcntl_getcpuaffinity() on solaris regarding invalid process ids handling.
+    Phar:
+        Fixed bug GH-20732 (Phar::LoadPhar undefined behavior when reading fails).
+        Fix SplFileInfo::openFile() in write mode.
+        Fix build on legacy OpenSSL 1.1.0 systems.
+        Fixed bug #74154 (Phar extractTo creates empty files).
+    POSIX:
+        Fixed crash on posix groups to php array creation on macos.
+    SPL:
+        Fixed bug GH-20678 (resource created by GlobIterator crashes with fclose()).
+    Sqlite3:
+        Fixed bug GH-20699 (SQLite3Result fetchArray return array|false, null returned).
+    Standard:
+        Fix error check for proc_open() command.
+        Fix memory leak in mail() when header key is numeric.
+        Fixed bug GH-20582 (Heap Buffer Overflow in iptcembed).
+    Zlib:
+        Fix OOB gzseek() causing assertion failure.
+
 -------------------------------------------------------------------
 Fri Dec 19 07:51:15 UTC 2025 - Petr Gajdos <pgajdos@suse.com>
 
@@ -57,6 +107,9 @@ Fri Dec 19 07:51:15 UTC 2025 - Petr Gajdos <pgajdos@suse.com>
         Don't truncate return value of zip_fread() with user sizes.
     Zlib:
         Fix assertion failures resulting in crashes with stream filter object parameters.
+- fixes CVE-2025-14178 [bsc#1255711]
+        CVE-2025-14180 [bsc#1255712]
+        CVE-2025-14177 [bsc#1255710]
 
 -------------------------------------------------------------------
 Thu Dec 18 09:34:11 UTC 2025 - Petr Gajdos <pgajdos@suse.com>

php8.spec

@@ -1,8 +1,8 @@
 #
 # spec file for package php8
 #
-# Copyright (c) 2025 SUSE LLC
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -58,7 +58,7 @@
 %bcond_without	sodium
 
 Name:           %{pprefix}%{php_name}%{psuffix}
-Version:        8.4.16
+Version:        8.4.17
 Release:        0
 Summary:        Interpreter for the PHP scripting language version 8
 License:        MIT AND PHP-3.01
@@ -90,8 +90,6 @@ Patch3:         php-ini.patch
 Patch4:         php-systzdata-v24.patch
 # adjust upstream systemd unit to SUSE needs
 Patch5:         php-systemd-unit.patch
-# PATCH-FEATURE-OPENSUSE use ordered input files for reproducible /usr/bin/phar.phar
-Patch6:         php-sort-filelist-phar.patch
 ## Bugfix patches
 # should be upstreamed, will do later
 Patch22:        php-date-regenerate-lexers.patch