Version in base suite: 9.6.7-1 Base version: phpunit_9.6.7-1 Target version: phpunit_9.6.7-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/phpunit/phpunit_9.6.7-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/phpunit/phpunit_9.6.7-1+deb12u1.dsc changelog | 8 clean | 1 control | 2 gbp.conf | 2 patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch | 142 ++++++++++ patches/series | 1 rules | 3 tests/control | 2 8 files changed, 158 insertions(+), 3 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpcwgm8mx6/phpunit_9.6.7-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpcwgm8mx6/phpunit_9.6.7-1+deb12u1.dsc: no acceptable signature found
diff -Nru phpunit-9.6.7/debian/changelog phpunit-9.6.7/debian/changelog
--- phpunit-9.6.7/debian/changelog 2023-04-15 06:00:46.000000000 +0000
+++ phpunit-9.6.7/debian/changelog 2026-01-29 07:02:08.000000000 +0000
@@ -1,3 +1,11 @@
+phpunit (9.6.7-1+deb12u1) bookworm; urgency=medium
+
+ * Track debian/bookworm-security
+ * Fix Unsafe Deserialization in PHPT Code Coverage Handling [CVE-2026-24765]
+ * Workaround empty file not added by patch
+
+ -- David Prévot Thu, 29 Jan 2026 08:02:08 +0100
+
 phpunit (9.6.7-1) unstable; urgency=medium [ Sebastian Bergmann ]
diff -Nru phpunit-9.6.7/debian/clean phpunit-9.6.7/debian/clean
--- phpunit-9.6.7/debian/clean 2022-06-18 13:37:38.000000000 +0000
+++ phpunit-9.6.7/debian/clean 2026-01-29 07:02:08.000000000 +0000
@@ -8,6 +8,7 @@
 tests/_files/.phpunit.result.cache
 tests/_files/*/.phpunit.result.cache
 tests/basic/.phpunit.result.cache
+tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
 tests/end-to-end/force-covers-annotation/.phpunit.result.cache
 tests/end-to-end/*/*/.phpunit.result.cache
 tests/end-to-end/regression/GitHub/*/.phpunit.result.cache
diff -Nru phpunit-9.6.7/debian/control phpunit-9.6.7/debian/control
--- phpunit-9.6.7/debian/control 2023-03-30 05:29:42.000000000 +0000
+++ phpunit-9.6.7/debian/control 2026-01-29 07:02:08.000000000 +0000
@@ -28,7 +28,7 @@
 pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.2
 Rules-Requires-Root: no
-Vcs-Git: https://salsa.debian.org/php-team/pear/phpunit.git -b debian/bookworm
+Vcs-Git: https://salsa.debian.org/php-team/pear/phpunit.git -b debian/bookworm-security
 Vcs-Browser: https://salsa.debian.org/php-team/pear/phpunit
 Homepage: https://phpunit.de/
diff -Nru phpunit-9.6.7/debian/gbp.conf phpunit-9.6.7/debian/gbp.conf
--- phpunit-9.6.7/debian/gbp.conf 2023-03-30 05:29:42.000000000 +0000
+++ phpunit-9.6.7/debian/gbp.conf 2026-01-29 07:02:08.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/bookworm
+debian-branch = debian/bookworm-security
 filter = [ '.gitattributes', 'tools' ]
 pristine-tar = True
 upstream-branch = upstream-9
diff -Nru phpunit-9.6.7/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch phpunit-9.6.7/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch
--- phpunit-9.6.7/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch 1970-01-01 00:00:00.000000000 +0000
+++ phpunit-9.6.7/debian/patches/0004-Do-not-run-PHPT-test-when-its-temporary-file-for-cod.patch 2026-01-29 07:02:08.000000000 +0000
@@ -0,0 +1,142 @@
+From: Sebastian Bergmann
+Date: Mon, 26 Jan 2026 17:37:32 +0100
+Subject: Do not run PHPT test when its temporary file for code coverage
+ information exists
+
+Origin: backport, https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda
+Bug: https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-24765
+---
+ src/Runner/PhptTestCase.php | 57 ++++++++++++++++++----
+ .../_files/phpt-coverage-file-exists/test.coverage | 0
+ .../_files/phpt-coverage-file-exists/test.phpt | 7 +++
+ .../end-to-end/phpt/phpt-coverage-file-exists.phpt | 13 +++++
+ 4 files changed, 67 insertions(+), 10 deletions(-)
+ create mode 100644 tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+ create mode 100644 tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+ create mode 100644 tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
+
+diff --git a/src/Runner/PhptTestCase.php b/src/Runner/PhptTestCase.php
+index 6590102..c9edd42 100644
+--- a/src/Runner/PhptTestCase.php
++++ b/src/Runner/PhptTestCase.php
+@@ -19,6 +19,7 @@ use function dirname;
+ use function explode;
+ use function extension_loaded;
+ use function file;
++use function file_exists;
+ use function file_get_contents;
+ use function file_put_contents;
+ use function is_array;
+@@ -87,17 +88,13 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+ */
+ public function __construct(string $filename, AbstractPhpProcess $phpUtil = null)
+ {
+- if (!is_file($filename)) {
+- throw new Exception(
+- sprintf(
+- 'File "%s" does not exist.',
+- $filename
+- )
+- );
+- }
++ $this->ensureFileExists($filename);
+
+ $this->filename = $filename;
+- $this->phpUtil = $phpUtil ?: AbstractPhpProcess::factory();
++
++ $this->ensureCoverageFileDoesNotExist();
++
++ $this->phpUtil = $phpUtil ?: AbstractPhpProcess::factory();
+ }
+
+ /**
+@@ -655,7 +652,14 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+ $buffer = @file_get_contents($files['coverage']);
+
+ if ($buffer !== false) {
+- $coverage = @unserialize($buffer);
++ $coverage = @unserialize(
++ $buffer,
++ [
++ 'allowed_classes' => [
++ RawCodeCoverageData::class,
++ ],
++ ],
++ );
+
+ if ($coverage === false) {
+ $coverage = RawCodeCoverageData::fromXdebugWithoutPathCoverage([]);
+@@ -861,4 +865,37 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
+
+ return $settings;
+ }
++
++ /**
++ * @throws Exception
++ */
++ private function ensureFileExists(string $filename): void
++ {
++ if (!is_file($filename)) {
++ throw new Exception(
++ sprintf(
++ 'File "%s" does not exist.',
++ $filename,
++ ),
++ );
++ }
++ }
++
++ /**
++ * @throws Exception
++ */
++ private function ensureCoverageFileDoesNotExist(): void
++ {
++ $files = $this->getCoverageFiles();
++
++ if (file_exists($files['coverage'])) {
++ throw new Exception(
++ sprintf(
++ 'File %s exists, PHPT test %s will not be executed',
++ $files['coverage'],
++ $this->filename,
++ ),
++ );
++ }
++ }
+ }
+diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage b/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
+new file mode 100644
+index 0000000..e69de29
+diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+new file mode 100644
+index 0000000..0a5b252
+--- /dev/null
++++ b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
+@@ -0,0 +1,7 @@
++--TEST--
++test
++--FILE--
++ debian/autoload.tests.php.tpl && phpab --output vendor/autoload.php --template debian/autoload.tests.php.tpl --exclude tests/end-to-end/migration/_files/possibility-to-migrate-from-92-is-detected/src/Greeter.php --exclude tests/end-to-end/migration/_files/possibility-to-migrate-from-92-is-detected/tests/GreeterTest.php --exclude tests/end-to-end/regression/2448/Test.php --exclude tests/end-to-end/regression/4376/tests/Test.php tests && phpunit
+Test-Command: mkdir -p vendor && phpabtpl --require phpunit/phpunit --require-file ../tests/_files/CoverageNamespacedFunctionTest.php --require-file ../tests/_files/CoveredFunction.php --require-file ../tests/_files/NamespaceCoveredFunction.php > debian/autoload.tests.php.tpl && phpab --output vendor/autoload.php --template debian/autoload.tests.php.tpl --exclude tests/end-to-end/migration/_files/possibility-to-migrate-from-92-is-detected/src/Greeter.php --exclude tests/end-to-end/migration/_files/possibility-to-migrate-from-92-is-detected/tests/GreeterTest.php --exclude tests/end-to-end/regression/2448/Test.php --exclude tests/end-to-end/regression/4376/tests/Test.php tests && touch tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage && phpunit
 Restrictions: rw-build-tree, allow-stderr
 Depends: php-soap, phpab, pkg-php-tools (>= 1.41~), @
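Review bot: The `$coverage === false` test kept as context after the new `unserialize()` call (hunk `@@ -655,7 +652,14 @@` of src/Runner/PhptTestCase.php) lets every other result through: with `allowed_classes` set, a serialized object of any other class comes back as `__PHP_Incomplete_Class`, and arrays or scalars are returned unchanged. Checking the type instead closes that gap, `if (!$coverage instanceof RawCodeCoverageData) {`, so anything unexpected falls back to the empty coverage object. The `@` on the call also hides the notice PHP raises for a malformed buffer, so a tampered or truncated coverage file leaves no trace in the output. The enclosing method starts and ends outside the hunk, so what is done with `$coverage` afterwards cannot be checked from here.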
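Review bot: `ensureCoverageFileDoesNotExist()` in the `@@ -861,4 +865,37 @@` hunk is called, in the lines shown, only from the constructor (`@@ -87,17 +88,13 @@`), so it establishes only that no coverage file was present when the test object was built; a file that appears between construction and the later read (presumably after the child process has run) is not caught by it, and the `allowed_classes` restriction is then the only guard. Its docblock carries just `@throws Exception`; I would add a sentence such as `Refuses to run the test when its coverage file already exists, because that file was not written by this run and its contents would be unserialized.` The message `'File %s exists, PHPT test %s will not be executed'` also leaves both paths unquoted, unlike `'File "%s" does not exist.'` in `ensureFileExists()`, which makes paths containing spaces harder to read in a log.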