diff options
author | taca <taca> | 2011-06-15 14:41:16 +0000 |
---|---|---|
committer | taca <taca> | 2011-06-15 14:41:16 +0000 |
commit | 48e58cae74debbae158c641f5fdc9e2a7e7b308f (patch) | |
tree | b1b95651785edef3502aa03e061a7c8d0924fc0b /lang/php53/patches | |
parent | 133ad7cad417ffc90397982e5d6dd2d65c0d5281 (diff) | |
download | pkgsrc-48e58cae74debbae158c641f5fdc9e2a7e7b308f.tar.gz |
Add two security fix, CVE-2011-1938 and filename-injection from PHP 5.3's
repository.
Bump PKGREVISION.
Diffstat (limited to 'lang/php53/patches')
-rw-r--r-- | lang/php53/patches/patch-ext_sockets_sockets.c | 18 | ||||
-rw-r--r-- | lang/php53/patches/patch-main_rfc1867.c | 24 |
2 files changed, 42 insertions, 0 deletions
diff --git a/lang/php53/patches/patch-ext_sockets_sockets.c b/lang/php53/patches/patch-ext_sockets_sockets.c new file mode 100644 index 00000000000..5df4f25324a --- /dev/null +++ b/lang/php53/patches/patch-ext_sockets_sockets.c @@ -0,0 +1,18 @@ +$NetBSD: patch-ext_sockets_sockets.c,v 1.1 2011/06/15 14:42:03 taca Exp $ + +* Update of r311369 of PHP's repository, fix for CVE-2011-1938. + +--- ext/sockets/sockets.c.orig 2011-01-01 02:19:59.000000000 +0000 ++++ ext/sockets/sockets.c +@@ -1333,6 +1333,11 @@ PHP_FUNCTION(socket_connect) + break; + + case AF_UNIX: ++ if (addr_len >= sizeof(s_un.sun_path)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type); ++ RETURN_FALSE; ++ } ++ + memset(&s_un, 0, sizeof(struct sockaddr_un)); + + s_un.sun_family = AF_UNIX; diff --git a/lang/php53/patches/patch-main_rfc1867.c b/lang/php53/patches/patch-main_rfc1867.c new file mode 100644 index 00000000000..4d0e54edc84 --- /dev/null +++ b/lang/php53/patches/patch-main_rfc1867.c @@ -0,0 +1,24 @@ +$NetBSD: patch-main_rfc1867.c,v 1.1 2011/06/15 14:42:03 taca Exp $ + +* Update of r312103 of PHP's repository, fix filename-injection vulnerability. + +--- main/rfc1867.c.orig 2011-01-19 13:09:05.000000000 +0000 ++++ main/rfc1867.c +@@ -1223,7 +1223,7 @@ filedone: + #endif + + if (!is_anonymous) { +- if (s && s > filename) { ++ if (s && s >= filename) { + safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC); + } else { + safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC); +@@ -1236,7 +1236,7 @@ filedone: + } else { + snprintf(lbuf, llen, "%s[name]", param); + } +- if (s && s > filename) { ++ if (s && s >= filename) { + register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC); + } else { + register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC); |