author | tron <tron@pkgsrc.org> | 2009-11-30 23:10:19 +0000 |
---|---|---|
committer | tron <tron@pkgsrc.org> | 2009-11-30 23:10:19 +0000 |
commit | b405486529a892d3ca5ca7ec3f83cabe2a3eb128 (patch) | |
tree | 0d41e8eb1ddc6a0fc9ace6b8a2e25f13c4c128f1 | |
parent | 49281d57e3b595455eb56c99450a9562f94e85fc (diff) | |
Pullup ticket #2939 - requested by taca
php5: security patch
Revisions pulled up:
- lang/php5/Makefile 1.73-1.74
- lang/php5/distinfo 1.69-1.70
- lang/php5/patches/patch-ag 1.3
- lang/php5/patches/patch-ah 1.2
- lang/php5/patches/patch-ay 1.2
- lang/php5/patches/patch-az 1.1-1.2
- lang/php5/patches/patch-ba 1.1
- lang/php5/patches/patch-bb 1.1
- lang/php5/patches/patch-bc 1.1
- lang/php5/patches/patch-bd 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Oct 22 14:49:06 UTC 2009
Modified Files:
pkgsrc/lang/php5: Makefile distinfo
Added Files:
pkgsrc/lang/php5/patches: patch-az
Log Message:
Add patch to check byte sequence more strictly in htmlspecialchars().
http://bugs.php.net/bug.php?id=49785
This patch reflects r289411, r289554, r289565, r289567 and r289605
in the PHP svn repository.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Nov 30 06:14:08 UTC 2009
Modified Files:
pkgsrc/lang/php5: Makefile distinfo
pkgsrc/lang/php5/patches: patch-ag patch-ah patch-ay patch-az
Added Files:
pkgsrc/lang/php5/patches: patch-ba patch-bb patch-bc patch-bd
Log Message:
Add fixes for http://secunia.com/advisories/37412/ from PHP's repositry.
1. CVE-2009-3292 is already fixed in 5.2.11.
2. CVE-2009-3558
http://svn.php.net/viewvc?view=revision&revision=288934
3. CVE-2009-3557
http://svn.php.net/viewvc?view=revision&revision=288945
http://svn.php.net/viewvc?view=revision&revision=288971
4. CVE-2009-4017
http://svn.php.net/viewvc?view=revision&revision=289990
http://svn.php.net/viewvc?view=revision&revision=290820
http://svn.php.net/viewvc?view=revision&revision=290885
Other pkgsrc changes:
* Don't hardcord /usr/pkg in php.ini-dist and php.ini-recommended.
* Add comments to some of patch files.
Bump PKGREVISION.
-rw-r--r-- | lang/php5/Makefile | 19 | ||||
-rw-r--r-- | lang/php5/distinfo | 13 | ||||
-rw-r--r-- | lang/php5/patches/patch-ag | 29 | ||||
-rw-r--r-- | lang/php5/patches/patch-ah | 27 | ||||
-rw-r--r-- | lang/php5/patches/patch-ay | 4 | ||||
-rw-r--r-- | lang/php5/patches/patch-az | 373 | ||||
-rw-r--r-- | lang/php5/patches/patch-ba | 17 | ||||
-rw-r--r-- | lang/php5/patches/patch-bb | 19 | ||||
-rw-r--r-- | lang/php5/patches/patch-bc | 15 | ||||
-rw-r--r-- | lang/php5/patches/patch-bd | 46 |
10 files changed, 538 insertions, 24 deletions
diff --git a/lang/php5/Makefile b/lang/php5/Makefile index 7cecb7ce1a2..3841ac04b04 100644 --- a/lang/php5/Makefile +++ b/lang/php5/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.72 2009/06/09 15:15:07 sketch Exp $ +# $NetBSD: Makefile,v 1.72.4.1 2009/11/30 23:10:19 tron Exp $ PKGNAME= php-${PHP_BASE_VERS} +PKGREVISION= 2 CATEGORIES= lang HOMEPAGE= http://www.php.net/ COMMENT= PHP Hypertext Preprocessor version 5 @@ -36,20 +37,20 @@ MAKE_ENV+= INSTALL_ROOT=${DESTDIR:Q} CONF_FILES= ${EGDIR}/php.ini-recommended ${PKG_SYSCONFDIR}/php.ini OWN_DIRS= ${PREFIX}/${PHP_EXTENSION_DIR} -SUBST_CLASSES+= cgi -SUBST_MESSAGE.cgi= Fixing CGI path. -SUBST_STAGE.cgi= pre-configure -SUBST_FILES.cgi= configure -SUBST_SED.cgi= -e 's,@CGIDIR@,${CGIDIR},g' +SUBST_CLASSES+= path +SUBST_MESSAGE.path= Fixing common paths. +SUBST_STAGE.path= pre-configure +SUBST_FILES.path= configure php.ini-dist php.ini-recommended +SUBST_SED.path= -e 's,@CGIDIR@,${CGIDIR},g' +SUBST_SED.path+= -e 's,@PREFIX@,${PREFIX},g' + +INSTALLATION_DIRS+= ${CGIDIR} # Make sure modules can link correctly .if ${OPSYS} == "Darwin" INSTALL_UNSTRIPPED= yes .endif -pre-install: - ${INSTALL_DATA_DIR} ${DESTDIR:Q}${CGIDIR:Q} - post-install: ${INSTALL_PROGRAM} ${WRKSRC}/sapi/cli/php \ ${DESTDIR:Q}${PREFIX:Q}/bin/php diff --git a/lang/php5/distinfo b/lang/php5/distinfo index a76873e5c01..ef1b6e9fe46 100644 --- a/lang/php5/distinfo +++ b/lang/php5/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.67.2.1 2009/10/22 21:25:08 tron Exp $ +$NetBSD: distinfo,v 1.67.2.2 2009/11/30 23:10:20 tron Exp $ SHA1 (php-5.2.11/php-5.2.11.tar.bz2) = 819c853ce657ef260d4a73b5a21f961115b97eef RMD160 (php-5.2.11/php-5.2.11.tar.bz2) = 6aad53dee864ab89f794a9d3c2aa32d435ed5654 
@@ -7,8 +7,8 @@ SHA1 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 248419332131efc53f3306c2 RMD160 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 0f6d442aace34c221f9fbff42a63e7f3b4489f15 Size (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 23050 bytes SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20 -SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e -SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587 +SHA1 (patch-ag) = 901552355a3d57d9b8e23b31cd0edfd28db8b2bb +SHA1 (patch-ah) = 7702da73f3a457ee381542b454d19b1f4b421e01 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc SHA1 (patch-al) = 0ee37782cc0d3bf5ede1a583de0589c2c1316b50 SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602 @@ -16,4 +16,9 @@ SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1 -SHA1 (patch-ay) = c2667dd398c1c58e55f459f2df02613dc028e9cc +SHA1 (patch-ay) = 7ae502db6574a91fcbb487d37c14a5de644b01b6 +SHA1 (patch-az) = 04e69038e693cc72fb0f67ce04dd1778dacb1756 +SHA1 (patch-ba) = d9483f61b19c297eced12ae3d84d5163e33327b4 +SHA1 (patch-bb) = abbc8747e520d3665d3bcccf9c87741ecc6dc210 +SHA1 (patch-bc) = 9cb2e7fcd6f91d3382a69d68a80d72fdb8fbf2a7 +SHA1 (patch-bd) = 85c891ada42c062b365051b43a3b53c33fa39a92 diff --git a/lang/php5/patches/patch-ag b/lang/php5/patches/patch-ag index a2304bc5e11..d24403b2091 100644 --- a/lang/php5/patches/patch-ag +++ b/lang/php5/patches/patch-ag 
@@ -1,8 +1,21 @@ -$NetBSD: patch-ag,v 1.2 2006/02/06 06:39:59 martti Exp $ +$NetBSD: patch-ag,v 1.2.34.1 2009/11/30 23:10:20 tron Exp $ ---- php.ini-dist.orig 2005-12-30 19:15:55.000000000 +0200 -+++ php.ini-dist 2006-02-05 15:36:13.000000000 +0200 -@@ -457,8 +457,9 @@ +* Ajust for pkgsrc. +* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: + http://svn.php.net/viewvc?view=revision&revision=289990 + +--- php.ini-dist.orig 2009-02-14 01:55:18.000000000 +0900 ++++ php.ini-dist +@@ -471,7 +471,7 @@ default_mimetype = "text/html" + ;;;;;;;;;;;;;;;;;;;;;;;;; + + ; UNIX: "/path1:/path2" +-;include_path = ".:/php/includes" ++include_path = ".:@PREFIX@/lib/php" + ; + ; Windows: "\path1;\path2" + ;include_path = ".;c:\php\includes" +@@ -487,8 +487,9 @@ doc_root = ; if nonempty. user_dir = @@ -14,7 +27,7 @@ $NetBSD: patch-ag,v 1.2 2006/02/06 06:39:59 martti Exp $ ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically -@@ -508,7 +509,7 @@ +@@ -546,11 +547,13 @@ file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). @@ -23,3 +36,9 @@ $NetBSD: patch-ag,v 1.2 2006/02/06 06:39:59 martti Exp $ ; Maximum allowed size for uploaded files. upload_max_filesize = 2M + ++; Maximum number of files that can be uploaded via a single request ++max_file_uploads = 100 + + ;;;;;;;;;;;;;;;;;; + ; Fopen wrappers ; diff --git a/lang/php5/patches/patch-ah b/lang/php5/patches/patch-ah index 6d2b7dd9bb8..5d4f73c3cec 100644 --- a/lang/php5/patches/patch-ah +++ b/lang/php5/patches/patch-ah 
@@ -1,8 +1,21 @@ -$NetBSD: patch-ah,v 1.1 2005/12/06 08:32:22 jdolecek Exp $ +$NetBSD: patch-ah,v 1.1.36.1 2009/11/30 23:10:20 tron Exp $ ---- php.ini-recommended.orig 2005-11-15 00:14:23.000000000 +0100 +* Ajust for pkgsrc. +* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: + http://svn.php.net/viewvc?view=revision&revision=289990 + +--- php.ini-recommended.orig 2009-03-02 13:44:35.000000000 +0900 +++ php.ini-recommended -@@ -515,8 +515,9 @@ doc_root = +@@ -522,7 +522,7 @@ default_mimetype = "text/html" + ;;;;;;;;;;;;;;;;;;;;;;;;; + + ; UNIX: "/path1:/path2" +-;include_path = ".:/php/includes" ++include_path = ".:@PREFIX@/lib/php" + ; + ; Windows: "\path1;\path2" + ;include_path = ".;c:\php\includes" +@@ -538,8 +538,9 @@ doc_root = ; if nonempty. user_dir = @@ -14,7 +27,7 @@ $NetBSD: patch-ah,v 1.1 2005/12/06 08:32:22 jdolecek Exp $ ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically -@@ -566,7 +567,7 @@ file_uploads = On +@@ -597,11 +598,13 @@ file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). @@ -23,3 +36,9 @@ $NetBSD: patch-ah,v 1.1 2005/12/06 08:32:22 jdolecek Exp $ ; Maximum allowed size for uploaded files. upload_max_filesize = 2M + ++; Maximum number of files that can be uploaded via a single request ++max_file_uploads = 100 + + ;;;;;;;;;;;;;;;;;; + ; Fopen wrappers ; diff --git a/lang/php5/patches/patch-ay b/lang/php5/patches/patch-ay index 8b841ef5fdc..2d6c27d875f 100644 --- a/lang/php5/patches/patch-ay +++ b/lang/php5/patches/patch-ay 
@@ -1,7 +1,7 @@ -$NetBSD: patch-ay,v 1.1.2.2 2009/10/22 21:25:08 tron Exp $ +$NetBSD: patch-ay,v 1.1.2.3 2009/11/30 23:10:20 tron Exp $ * Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546 - from PHP's SVN repositry r289557. + http://svn.php.net/viewvc?view=revision&revision=289557 --- ext/gd/libgd/gd_gd.c.orig 2007-08-09 23:21:38.000000000 +0900 +++ ext/gd/libgd/gd_gd.c diff --git a/lang/php5/patches/patch-az b/lang/php5/patches/patch-az new file mode 100644 index 00000000000..184f591054b --- /dev/null +++ b/lang/php5/patches/patch-az 
@@ -0,0 +1,373 @@ +$NetBSD$ + +* Fix for htmlspecialchars(): + http://svn.php.net/viewvc?view=revision&revision=289411 + http://svn.php.net/viewvc?view=revision&revision=289554 + http://svn.php.net/viewvc?view=revision&revision=289565 + http://svn.php.net/viewvc?view=revision&revision=289567 + http://svn.php.net/viewvc?view=revision&revision=289605 + +--- ext/standard/html.c.orig 2008-12-31 20:17:49.000000000 +0900 ++++ ext/standard/html.c +@@ -484,15 +484,31 @@ struct basic_entities_dec { + } \ + mbseq[mbpos++] = (mbchar); } + +-#define CHECK_LEN(pos, chars_need) \ +- if((str_len - (pos)) < chars_need) { \ +- *status = FAILURE; \ +- return 0; \ ++/* skip one byte and return */ ++#define MB_FAILURE(pos) do { \ ++ *newpos = pos + 1; \ ++ *status = FAILURE; \ ++ return 0; \ ++ } while (0) ++ ++#define CHECK_LEN(pos, chars_need) \ ++ if (chars_need < 1) { \ ++ if((str_len - (pos)) < chars_need) { \ ++ *newpos = pos; \ ++ *status = FAILURE; \ ++ return 0; \ ++ } \ ++ } else { \ ++ if((str_len - (pos)) < chars_need) { \ ++ *newpos = pos + 1; \ ++ *status = FAILURE; \ ++ return 0; \ ++ } \ + } + + /* {{{ get_next_char + */ +-inline static unsigned short get_next_char(enum entity_charset charset, ++inline static unsigned int get_next_char(enum entity_charset charset, + unsigned char * str, + int str_len, + int * newpos, +@@ -503,205 +519,189 @@ inline static unsigned short get_next_ch + int pos = *newpos; + int mbpos = 0; + int mbspace = *mbseqlen; +- unsigned short this_char = str[pos++]; ++ unsigned int this_char = 0; + unsigned char next_char; + + *status = SUCCESS; +- ++ + if (mbspace <= 0) { + *mbseqlen = 0; +- return this_char; ++ CHECK_LEN(pos, 1); ++ *newpos = pos + 1; ++ *newpos = pos + 1; + } +- +- MB_WRITE((unsigned char)this_char); +- ++ + switch (charset) { + case cs_utf_8: + { +- unsigned long utf = 0; +- int stat = 0; +- int more = 1; +- +- /* unpack utf-8 encoding into a wide char. 
+- * Code stolen from the mbstring extension */ +- +- do { +- if (this_char < 0x80) { +- more = 0; +- if(stat) { +- /* we didn't finish the UTF sequence correctly */ +- *status = FAILURE; +- } +- break; +- } else if (this_char < 0xc0) { +- switch (stat) { +- case 0x10: /* 2, 2nd */ +- case 0x21: /* 3, 3rd */ +- case 0x32: /* 4, 4th */ +- case 0x43: /* 5, 5th */ +- case 0x54: /* 6, 6th */ +- /* last byte in sequence */ +- more = 0; +- utf |= (this_char & 0x3f); +- this_char = (unsigned short)utf; +- break; +- case 0x20: /* 3, 2nd */ +- case 0x31: /* 4, 3rd */ +- case 0x42: /* 5, 4th */ +- case 0x53: /* 6, 5th */ +- /* penultimate char */ +- utf |= ((this_char & 0x3f) << 6); +- stat++; +- break; +- case 0x30: /* 4, 2nd */ +- case 0x41: /* 5, 3rd */ +- case 0x52: /* 6, 4th */ +- utf |= ((this_char & 0x3f) << 12); +- stat++; +- break; +- case 0x40: /* 5, 2nd */ +- case 0x51: +- utf |= ((this_char & 0x3f) << 18); +- stat++; +- break; +- case 0x50: /* 6, 2nd */ +- utf |= ((this_char & 0x3f) << 24); +- stat++; +- break; +- default: +- /* invalid */ +- *status = FAILURE; +- more = 0; +- } +- } +- /* lead byte */ +- else if (this_char < 0xe0) { +- stat = 0x10; /* 2 byte */ +- utf = (this_char & 0x1f) << 6; +- CHECK_LEN(pos, 1); +- } else if (this_char < 0xf0) { +- stat = 0x20; /* 3 byte */ +- utf = (this_char & 0xf) << 12; +- CHECK_LEN(pos, 2); +- } else if (this_char < 0xf8) { +- stat = 0x30; /* 4 byte */ +- utf = (this_char & 0x7) << 18; +- CHECK_LEN(pos, 3); +- } else if (this_char < 0xfc) { +- stat = 0x40; /* 5 byte */ +- utf = (this_char & 0x3) << 24; +- CHECK_LEN(pos, 4); +- } else if (this_char < 0xfe) { +- stat = 0x50; /* 6 byte */ +- utf = (this_char & 0x1) << 30; +- CHECK_LEN(pos, 5); +- } else { +- /* invalid; bail */ +- more = 0; +- *status = FAILURE; +- break; ++ unsigned char c; ++ CHECK_LEN(pos, 1); ++ c = str[pos]; ++ if (c < 0x80) { ++ MB_WRITE(c); ++ this_char = c; ++ pos++; ++ } else if (c < 0xc0) { ++ MB_FAILURE(pos); ++ } else if (c < 0xe0) { ++ 
CHECK_LEN(pos, 2); ++ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { ++ MB_FAILURE(pos); + } +- +- if (more) { +- this_char = str[pos++]; +- MB_WRITE((unsigned char)this_char); ++ this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f); ++ if (this_char < 0x80) { ++ MB_FAILURE(pos); + } +- } while (more); ++ MB_WRITE((unsigned char)c); ++ MB_WRITE((unsigned char)str[pos + 1]); ++ pos += 2; ++ } else if (c < 0xf0) { ++ CHECK_LEN(pos, 3); ++ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { ++ MB_FAILURE(pos); ++ } ++ if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) { ++ MB_FAILURE(pos); ++ } ++ this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f); ++ if (this_char < 0x800) { ++ MB_FAILURE(pos); ++ } ++ MB_WRITE((unsigned char)c); ++ MB_WRITE((unsigned char)str[pos + 1]); ++ MB_WRITE((unsigned char)str[pos + 2]); ++ pos += 3; ++ } else if (c < 0xf8) { ++ CHECK_LEN(pos, 4); ++ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { ++ MB_FAILURE(pos); ++ } ++ if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) { ++ MB_FAILURE(pos); ++ } ++ if (str[pos + 3] < 0x80 || str[pos + 3] > 0xbf) { ++ MB_FAILURE(pos); ++ } ++ this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f); ++ if (this_char < 0x10000) { ++ MB_FAILURE(pos); ++ } ++ MB_WRITE((unsigned char)c); ++ MB_WRITE((unsigned char)str[pos + 1]); ++ MB_WRITE((unsigned char)str[pos + 2]); ++ MB_WRITE((unsigned char)str[pos + 3]); ++ pos += 4; ++ } else { ++ MB_FAILURE(pos); ++ } + } + break; + case cs_big5: + case cs_gb2312: + case cs_big5hkscs: + { ++ CHECK_LEN(pos, 1); ++ this_char = str[pos++]; + /* check if this is the first of a 2-byte sequence */ +- if (this_char >= 0xa1 && this_char <= 0xfe) { ++ if (this_char >= 0x81 && this_char <= 0xfe) { + /* peek at the next char */ + CHECK_LEN(pos, 1); +- next_char = str[pos]; ++ next_char = str[pos++]; + if ((next_char >= 0x40 && next_char <= 0x7e) || + (next_char >= 0xa1 && next_char <= 
0xfe)) { + /* yes, this a wide char */ +- this_char <<= 8; ++ MB_WRITE(this_char); + MB_WRITE(next_char); +- this_char |= next_char; +- pos++; ++ this_char = (this_char << 8) | next_char; ++ } else { ++ MB_FAILURE(pos); + } +- ++ } else { ++ MB_WRITE(this_char); + } +- break; + } ++ break; + case cs_sjis: + { ++ CHECK_LEN(pos, 1); ++ this_char = str[pos++]; + /* check if this is the first of a 2-byte sequence */ +- if ( (this_char >= 0x81 && this_char <= 0x9f) || +- (this_char >= 0xe0 && this_char <= 0xef) +- ) { ++ if ((this_char >= 0x81 && this_char <= 0x9f) || ++ (this_char >= 0xe0 && this_char <= 0xfc)) { + /* peek at the next char */ + CHECK_LEN(pos, 1); +- next_char = str[pos]; ++ next_char = str[pos++]; + if ((next_char >= 0x40 && next_char <= 0x7e) || + (next_char >= 0x80 && next_char <= 0xfc)) + { + /* yes, this a wide char */ +- this_char <<= 8; ++ MB_WRITE(this_char); + MB_WRITE(next_char); +- this_char |= next_char; +- pos++; ++ this_char = (this_char << 8) | next_char; ++ } else { ++ MB_FAILURE(pos); + } +- ++ } else { ++ MB_WRITE(this_char); + } + break; + } + case cs_eucjp: + { ++ CHECK_LEN(pos, 1); ++ this_char = str[pos++]; + /* check if this is the first of a multi-byte sequence */ + if (this_char >= 0xa1 && this_char <= 0xfe) { + /* peek at the next char */ + CHECK_LEN(pos, 1); +- next_char = str[pos]; ++ next_char = str[pos++]; + if (next_char >= 0xa1 && next_char <= 0xfe) { + /* yes, this a jis kanji char */ +- this_char <<= 8; ++ MB_WRITE(this_char); + MB_WRITE(next_char); +- this_char |= next_char; +- pos++; ++ this_char = (this_char << 8) | next_char; ++ } else { ++ MB_FAILURE(pos); + } +- + } else if (this_char == 0x8e) { + /* peek at the next char */ + CHECK_LEN(pos, 1); +- next_char = str[pos]; ++ next_char = str[pos++]; + if (next_char >= 0xa1 && next_char <= 0xdf) { + /* JIS X 0201 kana */ +- this_char <<= 8; ++ MB_WRITE(this_char); + MB_WRITE(next_char); +- this_char |= next_char; +- pos++; ++ this_char = (this_char << 8) | next_char; 
++ } else { ++ MB_FAILURE(pos); + } +- + } else if (this_char == 0x8f) { + /* peek at the next two char */ + unsigned char next2_char; + CHECK_LEN(pos, 2); + next_char = str[pos]; +- next2_char = str[pos+1]; ++ next2_char = str[pos + 1]; ++ pos += 2; + if ((next_char >= 0xa1 && next_char <= 0xfe) && + (next2_char >= 0xa1 && next2_char <= 0xfe)) { + /* JIS X 0212 hojo-kanji */ +- this_char <<= 8; ++ MB_WRITE(this_char); + MB_WRITE(next_char); +- this_char |= next_char; +- pos++; +- this_char <<= 8; + MB_WRITE(next2_char); +- this_char |= next2_char; +- pos++; ++ this_char = (this_char << 16) | (next_char << 8) | next2_char; ++ } else { ++ MB_FAILURE(pos); + } +- ++ } else { ++ MB_WRITE(this_char); + } + break; + } + default: ++ /* single-byte charsets */ ++ CHECK_LEN(pos, 1); ++ this_char = str[pos++]; ++ MB_WRITE(this_char); + break; + } + MB_RETURN; +@@ -1132,7 +1132,7 @@ PHPAPI char *php_escape_html_entities_ex + unsigned char mbsequence[16]; /* allow up to 15 characters in a multibyte sequence */ + int mbseqlen = sizeof(mbsequence); + int status = SUCCESS; +- unsigned short this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); ++ unsigned int this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); + + if(status == FAILURE) { + /* invalid MB sequence */ diff --git a/lang/php5/patches/patch-ba b/lang/php5/patches/patch-ba new file mode 100644 index 00000000000..36f0ac78796 --- /dev/null +++ b/lang/php5/patches/patch-ba 
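Review bot: In get_next_char's `if (mbspace <= 0)` block the new side has `*newpos = pos + 1;` twice and no return, where the removed line was `return this_char;`, so with no room in the caller's sequence buffer control now falls through into the charset switch instead of returning the byte. The second assignment looks as if it was meant to be `return str[pos];`. As written, the switch re-reads the same position and reaches MB_WRITE with `mbspace` at zero; only the tail of that macro is visible in this hunk, so the outcome depends on a bounds check that cannot be confirmed from here. Separately, MB_FAILURE is commented "skip one byte and return", but in the big5, sjis and eucjp branches it runs after `pos` has already been advanced past the trail byte(s), so more than one byte is skipped on an invalid sequence. Either the comment or the argument passed (`pos` versus the saved start position) should be adjusted.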
@@ -0,0 +1,17 @@ +$NetBSD: patch-ba,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ + +Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558: + http://svn.php.net/viewvc?view=revision&revision=288934 + +--- ext/posix/posix.c.orig 2009-08-06 20:11:15.000000000 +0900 ++++ ext/posix/posix.c +@@ -679,7 +679,8 @@ PHP_FUNCTION(posix_mkfifo) + RETURN_FALSE; + } + +- if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) { ++ if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) || ++ (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) { + RETURN_FALSE; + } + diff --git a/lang/php5/patches/patch-bb b/lang/php5/patches/patch-bb new file mode 100644 index 00000000000..07c69816914 --- /dev/null +++ b/lang/php5/patches/patch-bb @@ -0,0 +1,19 @@ +$NetBSD: patch-bb,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ + +Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557: + http://svn.php.net/viewvc?view=revision&revision=288945 + http://svn.php.net/viewvc?view=revision&revision=288971 + +--- ext/standard/file.c.orig 2009-11-30 10:04:51.000000000 +0900 ++++ ext/standard/file.c +@@ -838,6 +838,10 @@ PHP_FUNCTION(tempnam) + convert_to_string_ex(arg1); + convert_to_string_ex(arg2); + ++ if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) { ++ RETURN_FALSE; ++ } ++ + if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) { + RETURN_FALSE; + } diff --git a/lang/php5/patches/patch-bc b/lang/php5/patches/patch-bc new file mode 100644 index 00000000000..6377089a28a --- /dev/null +++ b/lang/php5/patches/patch-bc 
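Review bot: The open_basedir check added to posix_mkfifo passes a literal `0` as the second argument of php_check_open_basedir_ex, which as far as I know is the warn flag, so a denied path returns false with nothing logged. The tempnam context in patch-bb calls php_check_open_basedir, which presumably does warn, so the two functions would behave differently on denial. If the silence is deliberate, a comment such as `/* open_basedir is enforced even when safe_mode is off; denial is intentionally silent */` would record that; otherwise pass `1` so denied attempts leave a trace for operators. The body of posix_mkfifo starts and ends outside the hunk.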
@@ -0,0 +1,15 @@ +$NetBSD: patch-bc,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ + +Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: + http://svn.php.net/viewvc?view=revision&revision=289990 + +--- main/main.c.orig 2009-11-30 10:04:51.000000000 +0900 ++++ main/main.c +@@ -455,6 +455,7 @@ PHP_INI_BEGIN() + PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra) + PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL) + PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL) ++ PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL) + + STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals) + STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals) diff --git a/lang/php5/patches/patch-bd b/lang/php5/patches/patch-bd new file mode 100644 index 00000000000..7032c8ee22b --- /dev/null +++ b/lang/php5/patches/patch-bd 
@@ -0,0 +1,46 @@ +$NetBSD: patch-bd,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ + +Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: + http://svn.php.net/viewvc?view=revision&revision=289990 + http://svn.php.net/viewvc?view=revision&revision=290820 + http://svn.php.net/viewvc?view=revision&revision=290885 + +--- main/rfc1867.c.orig 2008-12-31 20:17:49.000000000 +0900 ++++ main/rfc1867.c +@@ -32,6 +32,7 @@ + #include "php_globals.h" + #include "php_variables.h" + #include "rfc1867.h" ++#include "php_ini.h" + + #define DEBUG_FILE_UPLOAD ZEND_DEBUG + +@@ -794,8 +795,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ + zend_llist header; + void *event_extra_data = NULL; + int llen = 0; ++ int upload_cnt = INI_INT("max_file_uploads"); + +- if (SG(request_info).content_length > SG(post_max_size)) { ++ if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) { + sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size)); + return; + } +@@ -972,6 +974,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ + /* If file_uploads=off, skip the file part */ + if (!PG(file_uploads)) { + skip_upload = 1; ++ } else if (upload_cnt <= 0) { ++ skip_upload = 1; ++ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded"); + } + + /* Return with an error if the posted data is garbled */ +@@ -1016,6 +1021,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ + if (!skip_upload) { + /* Handle file */ + fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC); ++ upload_cnt--; + if (fd==-1) { + sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file"); + cancel_upload = UPLOAD_ERROR_E; |
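Review bot: The new `upload_cnt <= 0` branch in the rfc1867 handler calls sapi_error for every file part that arrives after the limit is reached, so one request with many parts produces one E_WARNING per part; the limit bounds temporary files but not log volume. Emitting the warning only the first time is enough, for example `if (upload_cnt == 0) { --upload_cnt; sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded"); }` inside that branch, leaving `skip_upload = 1;` unconditional. `upload_cnt--` also runs before the `fd==-1` test, so failed temporary-file creations count against the limit; that is the safe direction and deserves a one-line comment saying it is intended. The handler body continues outside these hunks, so whether empty file fields also reach the decrement cannot be judged from here.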