author | taca <taca@pkgsrc.org> | 2014-10-23 16:18:47 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2014-10-23 16:18:47 +0000 |
commit | 3158c255c81f6f43fd51b60e396eb86fc5e8a367 (patch) | |
tree | 642c22de7d3f0c58b1a3d8f6e11126308c0bf177 /lang/php53 | |
parent | 946dcbc5bedff4395819f6b7911125f4daec08af (diff) | |
download | pkgsrc-3158c255c81f6f43fd51b60e396eb86fc5e8a367.tar.gz |
Add patch for CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670.
Bump PKGREVISION.
Diffstat (limited to 'lang/php53')
-rw-r--r-- | lang/php53/Makefile | 3 | ||||
-rw-r--r-- | lang/php53/distinfo | 6 | ||||
-rw-r--r-- | lang/php53/patches/patch-ext_exif_exif.c | 20 | ||||
-rw-r--r-- | lang/php53/patches/patch-ext_standard_var__unserializer.c | 15 | ||||
-rw-r--r-- | lang/php53/patches/patch-ext_standard_var__unserializer.re | 15 | ||||
-rw-r--r-- | lang/php53/patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c | 55 |
6 files changed, 112 insertions, 2 deletions
diff --git a/lang/php53/Makefile b/lang/php53/Makefile
index 87eae647d8d..eb41fdb1870 100644
--- a/lang/php53/Makefile
+++ b/lang/php53/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.49 2014/08/15 16:09:16 taca Exp $
+# $NetBSD: Makefile,v 1.50 2014/10/23 16:18:47 taca Exp $
 #
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
 #
 PKGNAME= php-${PHP_BASE_VERS}
+PKGREVISION= 1
 CATEGORIES= lang
 HOMEPAGE= http://www.php.net/
diff --git a/lang/php53/distinfo b/lang/php53/distinfo
index fbc6cf3ac01..648c8f04c50 100644
--- a/lang/php53/distinfo
+++ b/lang/php53/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.76 2014/08/15 16:09:16 taca Exp $
+$NetBSD: distinfo,v 1.77 2014/10/23 16:18:47 taca Exp $
 SHA1 (php-5.3.29.tar.bz2) = 6e9e492c6d5853d063ddb9a4dbef60b8e5d87444
 RMD160 (php-5.3.29.tar.bz2) = e57beb4fdda41bca81b5856161bc97f3c5e3e9da
@@ -19,8 +19,12 @@ SHA1 (patch-ai) = 9659f73eef1b4fcca9b844bdaa785ac6d5e582a1
 SHA1 (patch-aj) = 181658ae523bd60f67750566711fc078b49191b7
 SHA1 (patch-al) = fe534d7d50a529e3c7d0ffed76afdb70bb55a521
 SHA1 (patch-build_libtool.m4) = 6835b90ebd34739440c8eb94ed19ebacdf2ba6a5
+SHA1 (patch-ext_exif_exif.c) = c78249a8ffae00bbdece2af9058e4ecf11cb0fa6
 SHA1 (patch-ext_gd_libgd_gdxpm.c) = 9a175417fad9ac23037a24122f8d1258b9eebbcb
 SHA1 (patch-ext_standard_basic__functions.c) = 017fd25e646af4d7eb2a0bd13b3c8da34eaee8c5
+SHA1 (patch-ext_standard_var__unserializer.c) = eb590c1d5349320e45bbdaf97c875b11eb275cfb
+SHA1 (patch-ext_standard_var__unserializer.re) = 23478a8a26c2c106efc4f0727743e2fffdebaf54
+SHA1 (patch-ext_xmlrpc_libxmlrpc_xmlrpc.c) = 9fd4004b4d94fcbf8d4104027018b46794bee127
 SHA1 (patch-main_streams_cast.c) = d68b69c9418a8780b1610b8755487771f7c46a5a
 SHA1 (patch-php__mssql.c) = 524c4e5d7ede0e503049bf1febec58e0c4a29aa4
 SHA1 (patch-sapi_fpm_fpm_events_port.c) = ad45bcebadf923ee8cb3f2ad4d78d21dd178a8e3
diff --git a/lang/php53/patches/patch-ext_exif_exif.c b/lang/php53/patches/patch-ext_exif_exif.c
new file mode 100644
index 00000000000..55bc64073d3
--- /dev/null
+++ b/lang/php53/patches/patch-ext_exif_exif.c
@@ -0,0 +1,20 @@
+$NetBSD: patch-ext_exif_exif.c,v 1.3 2014/10/23 16:18:47 taca Exp $
+
+* Fix for CVE-2014-3670.
+
+--- ext/exif/exif.c.orig 2014-08-13 19:22:50.000000000 +0000
++++ ext/exif/exif.c
+@@ -2446,11 +2446,11 @@ static void* exif_ifd_make_value(image_i
+ data_ptr += 8;
+ break;
+ case TAG_FMT_SINGLE:
+- memmove(data_ptr, &info_data->value.f, byte_count);
++ memmove(data_ptr, &info_value->f, 4);
+ data_ptr += 4;
+ break;
+ case TAG_FMT_DOUBLE:
+- memmove(data_ptr, &info_data->value.d, byte_count);
++ memmove(data_ptr, &info_value->d, 8);
+ data_ptr += 8;
+ break;
+ }
diff --git a/lang/php53/patches/patch-ext_standard_var__unserializer.c b/lang/php53/patches/patch-ext_standard_var__unserializer.c
new file mode 100644
index 00000000000..5fcf43ad7ce
--- /dev/null
+++ b/lang/php53/patches/patch-ext_standard_var__unserializer.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-ext_standard_var__unserializer.c,v 1.1 2014/10/23 16:18:47 taca Exp $
+
+* Fix for CVE-2014-3669.
+
+--- ext/standard/var_unserializer.c.orig 2014-08-13 19:27:30.000000000 +0000
++++ ext/standard/var_unserializer.c
+@@ -333,7 +333,7 @@ static inline int object_custom(UNSERIAL
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
diff --git a/lang/php53/patches/patch-ext_standard_var__unserializer.re b/lang/php53/patches/patch-ext_standard_var__unserializer.re
new file mode 100644
index 00000000000..cd2945f5bed
--- /dev/null
+++ b/lang/php53/patches/patch-ext_standard_var__unserializer.re
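Review bot: The replacement lengths `4` and `8` on the TAG_FMT_SINGLE and TAG_FMT_DOUBLE memmove lines are magic numbers standing for the size of the single element now being copied; `memmove(data_ptr, &info_value->f, sizeof(info_value->f));` and `memmove(data_ptr, &info_value->d, sizeof(info_value->d));` would tie the copy length to the source type and match the `data_ptr += 4` / `data_ptr += 8` advances that follow by construction rather than by convention. If the pkgsrc patch is meant to track upstream verbatim, the literals can stay, but the header should then record the reasoning instead of just naming the CVE, e.g. `* Fix for CVE-2014-3670: copy one 4/8-byte element from info_value instead of byte_count bytes from info_data->value.` exif_ifd_make_value begins and ends outside the hunk, so whether info_value is assigned on every path that reaches these cases cannot be confirmed from here.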
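Review bot: The patch header says only `* Fix for CVE-2014-3669.`, and the two forms of the length test look equivalent at a glance, so the next person syncing this patch has no hint why the condition was rewritten. The old test `(*p) + datalen >= max` forms a pointer `datalen` bytes past `*p` before comparing, which for an oversized `datalen` is pointer arithmetic beyond the buffer and can wrap, whereas the new `(max - (*p)) <= datalen` compares the bytes actually remaining; a header line such as `* Compare the remaining length instead of forming (*p) + datalen, which can point outside the buffer for a large datalen.` would record that. The identical change is made to ext/standard/var_unserializer.re in the next patch file; the two must stay in lockstep, presumably because the .c is generated from the .re. object_custom, including the declaration of datalen, lies outside the hunk.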
@@ -0,0 +1,15 @@
+$NetBSD: patch-ext_standard_var__unserializer.re,v 1.1 2014/10/23 16:18:47 taca Exp $
+
+* Fix for CVE-2014-3669.
+
+--- ext/standard/var_unserializer.re.orig 2014-08-13 19:22:50.000000000 +0000
++++ ext/standard/var_unserializer.re
+@@ -339,7 +339,7 @@ static inline int object_custom(UNSERIAL
+
+ (*p) += 2;
+
+- if (datalen < 0 || (*p) + datalen >= max) {
++ if (datalen < 0 || (max - (*p)) <= datalen) {
+ zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ return 0;
+ }
diff --git a/lang/php53/patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c b/lang/php53/patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c
new file mode 100644
index 00000000000..6fd10c17c8c
--- /dev/null
+++ b/lang/php53/patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c
@@ -0,0 +1,55 @@
+$NetBSD: patch-ext_xmlrpc_libxmlrpc_xmlrpc.c,v 1.1 2014/10/23 16:18:47 taca Exp $
+
+* Fix for CVE-2014-3668.
+
+--- ext/xmlrpc/libxmlrpc/xmlrpc.c.orig 2014-08-13 19:22:50.000000000 +0000
++++ ext/xmlrpc/libxmlrpc/xmlrpc.c
+@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char
+ n = 10;
+ tm.tm_mon = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+4])
+ tm.tm_mon += (text[i+4]-'0')*n;
+ n /= 10;
+ }
+ tm.tm_mon --;
++ if(tm.tm_mon < 0 || tm.tm_mon > 11) {
++ return -1;
++ }
+
+ n = 10;
+ tm.tm_mday = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+6])
+ tm.tm_mday += (text[i+6]-'0')*n;
+ n /= 10;
+ }
+@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char
+ n = 10;
+ tm.tm_hour = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+9])
+ tm.tm_hour += (text[i+9]-'0')*n;
+ n /= 10;
+ }
+@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char
+ n = 10;
+ tm.tm_min = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+12])
+ tm.tm_min += (text[i+12]-'0')*n;
+ n /= 10;
+ }
+@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char
+ n = 10;
+ tm.tm_sec = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+15])
+ tm.tm_sec += (text[i+15]-'0')*n;
+ n /= 10;
+ }
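Review bot: The range check added after `tm.tm_mon --;` bounds only the month; the day, hour, minute and second parsed later in the same patch still accept any two-digit value from 0 to 99, because XMLRPC_IS_NUMBER only verifies that each character is a digit. Whether an out-of-range tm_mday or tm_hour is harmful depends on how the filled struct tm is consumed after the function, which is outside the hunk, but a parser that already rejects a bad month should apply the same rule to the other fields, e.g. `if(tm.tm_mday < 1 || tm.tm_mday > 31) { return -1; }` after the day loop and analogous checks for hour (0–23), minute (0–59) and second (0–60). The corrected `XMLRPC_IS_NUMBER(text[i+4])` through `text[i+15]` indices also rely on `text` holding at least 17 characters; that length check, if any, precedes the first inner hunk and cannot be confirmed from here. date_from_ISO8601 begins and ends outside the hunk.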