author | taca <taca@pkgsrc.org> | 2011-05-16 13:05:01 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2011-05-16 13:05:01 +0000 |
commit | 9f0df591d873dbe72a1c6fd9632a94368ef0483f (patch) | |
tree | 4a2635564cfda6cc123a7e38cf42c516537e7530 /lang | |
parent | e748a53c5745964f3d25a372b39f50811a4975de (diff) | |
download | pkgsrc-9f0df591d873dbe72a1c6fd9632a94368ef0483f.tar.gz |
Add a patch to fix CVE-2011-1144 (and a few bug fixes).
Bump PKGREVISION.
Diffstat (limited to 'lang')
-rw-r--r-- | lang/pear/Makefile | 4 | ||||
-rw-r--r-- | lang/pear/distinfo | 3 | ||||
-rw-r--r-- | lang/pear/patches/patch-PEAR_REST.php | 146 |
3 files changed, 150 insertions, 3 deletions
diff --git a/lang/pear/Makefile b/lang/pear/Makefile index d6559519ebf..bdf7b156b52 100644 --- a/lang/pear/Makefile +++ b/lang/pear/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.16 2011/03/23 14:59:33 taca Exp $ +# $NetBSD: Makefile,v 1.17 2011/05/16 13:05:01 taca Exp $ # DISTNAME= PEAR-1.9.2 PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME:S/PEAR/pear/} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= lang MASTER_SITES= http://download.pear.php.net/package/ EXTRACT_SUFX= .tgz diff --git a/lang/pear/distinfo b/lang/pear/distinfo index abe8d357fd7..6703a83af05 100644 --- a/lang/pear/distinfo +++ b/lang/pear/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.8 2011/03/23 14:59:33 taca Exp $ +$NetBSD: distinfo,v 1.9 2011/05/16 13:05:01 taca Exp $ SHA1 (Archive_Tar-1.3.7.tgz) = 5b35a8c3bfa34ba8b29c5208f8f37504d0ce280c RMD160 (Archive_Tar-1.3.7.tgz) = 0b018556bf4d916440e0e661e714986edd728de2 @@ -12,4 +12,5 @@ Size (PEAR-1.9.2.tgz) = 295120 bytes SHA1 (Structures_Graph-1.0.4.tgz) = 00f5c2aefad0c3f6490e5ca95da87828e64ebc57 RMD160 (Structures_Graph-1.0.4.tgz) = d236ddff4a31cafa6fa750b4ec4a0849c48ad3f6 Size (Structures_Graph-1.0.4.tgz) = 30318 bytes +SHA1 (patch-PEAR_REST.php) = 996afa4ed9ca2d041dab2cb5dbf4bfdeb3fc9ec6 SHA1 (patch-aa) = 6de18a37aa927f7c84f31bdad9ce7f813ea3ee4e diff --git a/lang/pear/patches/patch-PEAR_REST.php b/lang/pear/patches/patch-PEAR_REST.php new file mode 100644 index 00000000000..d5b46d6f3dc --- /dev/null +++ b/lang/pear/patches/patch-PEAR_REST.php 
@@ -0,0 +1,146 @@
+$NetBSD: patch-PEAR_REST.php,v 1.1 2011/05/16 13:05:01 taca Exp $
+
+* Update to r309592 in PEAR's repository, fixing CVE-2011-1144.
+
+--- PEAR/REST.php.orig 2011-02-28 17:48:36.000000000 +0000
++++ PEAR/REST.php
+@@ -102,7 +102,7 @@ class PEAR_REST
+ // reset the age of the cache if the server says it was unmodified
+ $result = $this->saveCache($url, $ret, null, true, $cacheId);
+ if (PEAR::isError($result)) {
+- return PEAR::raiseErro($result->getMessage());
++ return PEAR::raiseError($result->getMessage());
+ }
+ }
+
+@@ -122,7 +122,7 @@ class PEAR_REST
+ if ($forcestring) {
+ $result = $this->saveCache($url, $content, $lastmodified, false, $cacheId);
+ if (PEAR::isError($result)) {
+- return PEAR::raiseErro($result->getMessage());
++ return PEAR::raiseError($result->getMessage());
+ }
+
+ return $content;
+@@ -162,7 +162,7 @@ class PEAR_REST
+
+ $result = $this->saveCache($url, $content, $lastmodified, false, $cacheId);
+ if (PEAR::isError($result)) {
+- return PEAR::raiseErro($result->getMessage());
++ return PEAR::raiseError($result->getMessage());
+ }
+
+ return $content;
+@@ -228,59 +228,75 @@ class PEAR_REST
+ $cacheidfile = $d . 'rest.cacheid';
+ $cachefile = $d . 'rest.cachefile';
+
++ if (!is_dir($cache_dir)) {
++ if (System::mkdir(array('-p', $cache_dir)) === false) {
++ return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory and attempts to create the directory failed.");
++ }
++ }
++
+ if ($cacheid === null && $nochange) {
+ $cacheid = unserialize(implode('', file($cacheidfile)));
+ }
+
+- if (is_link($cacheidfile)) {
+- return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack');
+- }
++ $idData = serialize(array(
++ 'age' => time(),
++ 'lastChange' => ($nochange ? $cacheid['lastChange'] : $lastmodified),
++ ));
+
+- if (is_link($cachefile)) {
+- return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack');
++ $result = $this->saveCacheFile($cacheidfile, $idData);
++ if (PEAR::isError($result)) {
++ return $result;
++ } elseif ($nochange) {
++ return true;
+ }
+
+- $cacheidfile_fp = @fopen($cacheidfile, 'wb');
+- if (!$cacheidfile_fp) {
+- if (is_dir($cache_dir)) {
+- return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory. ");
++ $result = $this->saveCacheFile($cachefile, serialize($contents));
++ if (PEAR::isError($result)) {
++ if (file_exists($cacheidfile)) {
++ @unlink($cacheidfile);
+ }
+
+- System::mkdir(array('-p', $cache_dir));
+- $cacheidfile_fp = @fopen($cacheidfile, 'wb');
+- if (!$cacheidfile_fp) {
+- return PEAR::raiseError("Could not open $cacheidfile for writing.");
+- }
++ return $result;
+ }
+
+- if ($nochange) {
+- fwrite($cacheidfile_fp, serialize(array(
+- 'age' => time(),
+- 'lastChange' => $cacheid['lastChange'],
+- ))
+- );
+-
+- fclose($cacheidfile_fp);
+- return true;
+- }
++ return true;
++ }
+
+- fwrite($cacheidfile_fp, serialize(array(
+- 'age' => time(),
+- 'lastChange' => $lastmodified,
+- ))
+- );
+- fclose($cacheidfile_fp);
++ function saveCacheFile($file, $contents)
++ {
++ $len = strlen($contents);
+
+- $cachefile_fp = @fopen($cachefile, 'wb');
+- if (!$cachefile_fp) {
+- if (file_exists($cacheidfile)) {
+- @unlink($cacheidfile);
++ $cachefile_fp = @fopen($file, 'xb'); // x is the O_CREAT|O_EXCL mode
++ if ($cachefile_fp !== false) { // create file
++ if (fwrite($cachefile_fp, $contents, $len) < $len) {
++ fclose($cachefile_fp);
++ return PEAR::raiseError("Could not write $file.");
++ }
++ } else { // update file
++ $cachefile_lstat = lstat($file);
++ $cachefile_fp = @fopen($file, 'wb');
++ if (!$cachefile_fp) {
++ return PEAR::raiseError("Could not open $file for writing.");
++ }
++
++ $cachefile_fstat = fstat($cachefile_fp);
++ if (
++ $cachefile_lstat['mode'] == $cachefile_fstat['mode'] &&
++ $cachefile_lstat['ino'] == $cachefile_fstat['ino'] &&
++ $cachefile_lstat['dev'] == $cachefile_fstat['dev'] &&
++ $cachefile_fstat['nlink'] === 1
++ ) {
++ if (fwrite($cachefile_fp, $contents, $len) < $len) {
++ fclose($cachefile_fp);
++ return PEAR::raiseError("Could not write $file.");
++ }
++ } else {
++ fclose($cachefile_fp);
++ $link = function_exists('readlink') ? readlink($file) : $file;
++ return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $file . ' as it is symlinked to ' . $link . ' - Possible symlink attack');
+ }
+-
+- return PEAR::raiseError("Could not open $cacheidfile for writing.");
+ }
+
+- fwrite($cachefile_fp, serialize($contents));
+ fclose($cachefile_fp);
+ return true;
+ } |
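Review bot: In the update branch of `saveCacheFile()`, `@fopen($file, 'wb')` truncates whatever the path resolves to before the `lstat()`/`fstat()` comparison runs. The check therefore refuses to write through a symlink or hard link, but by then the link target has already been emptied. Opening without truncation and truncating only after the identity check passes would close that gap: `$cachefile_fp = @fopen($file, 'r+b');` and, in the success branch just before `fwrite()`, `ftruncate($cachefile_fp, 0);`. The result of `lstat($file)` is also used unchecked, so a `false` return appears to fall through to the "symlinked" error and calls `readlink()` on a path that may not be a link. A separate `if ($cachefile_lstat === false)` error return would keep that message accurate.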