author | adrianp <adrianp> | 2007-05-06 20:07:28 +0000 |
---|---|---|
committer | adrianp <adrianp> | 2007-05-06 20:07:28 +0000 |
commit | 6d9bb9e5e5a7e62120c11598796097e3f396da67 (patch) | |
tree | f90c798bfea682840b7e51d66e80d8d6463e027e /lang/php5 | |
parent | 65fb56793703de057f9cf6f36ef5a5b7c6588d1d (diff) | |
download | pkgsrc-6d9bb9e5e5a7e62120c11598796097e3f396da67.tar.gz |
Update 5.2.2
* Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
* Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
* Fixed a bug in mb_parse_str() that can be used to activate register_globals
(MOPB-26 by Stefan Esser)
* Fixed unallocated memory access/double free in array_user_key_compare()
(MOPB-24 by Stefan Esser)
* Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
* Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers.
(MOPB-21 by Stefan Esser).
* Limit nesting level of input variables with max_input_nesting_level as fix for
(MOPB-03 by Stefan Esser)
* Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
* Fixed a possible super-global overwrite inside import_request_variables().
(by Stefano Di Paola, Stefan Esser)
* Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc
library. (by Stanislav Malyshev)
* Fixed a header injection via Subject and To parameters to the mail() function
(MOPB-34 by Stefan Esser)
* Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser)
* Fixed substr_compare and substr_count information leak
(MOPB-14 by Stefan Esser) (Stas, Ilia)
* Fixed a remotely trigger-able buffer overflow inside make_http_soap_request()
(by Ilia Alshanetsky)
* Fixed a buffer overflow inside user_filter_factory_create().
(by Ilia Alshanetsky)
Diffstat (limited to 'lang/php5')
-rw-r--r-- | lang/php5/Makefile | 3 | ||||
-rw-r--r-- | lang/php5/Makefile.common | 4 | ||||
-rw-r--r-- | lang/php5/distinfo | 10 | ||||
-rw-r--r-- | lang/php5/patches/patch-ab | 212 | ||||
-rw-r--r-- | lang/php5/patches/patch-ac | 40 |
5 files changed, 7 insertions, 262 deletions
diff --git a/lang/php5/Makefile b/lang/php5/Makefile
index dae6b65fe78..d7925821c54 100644
--- a/lang/php5/Makefile
+++ b/lang/php5/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.50 2007/05/05 21:45:12 adrianp Exp $
+# $NetBSD: Makefile,v 1.51 2007/05/06 20:07:28 adrianp Exp $
 PKGNAME= php-${PHP_BASE_VERS}
-PKGREVISION= 3
 CATEGORIES= lang
 HOMEPAGE= http://www.php.net/
diff --git a/lang/php5/Makefile.common b/lang/php5/Makefile.common
index fe4fe8f97f3..0e97c2108d3 100644
--- a/lang/php5/Makefile.common
+++ b/lang/php5/Makefile.common
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.24 2007/02/22 19:01:21 wiz Exp $
+# $NetBSD: Makefile.common,v 1.25 2007/05/06 20:07:36 adrianp Exp $
 .if !defined(DISTNAME)
 DISTNAME= php-${PHP_BASE_VERS}
@@ -15,7 +15,7 @@ EXTRACT_SUFX?= .tar.bz2
 MAINTAINER?= jdolecek@NetBSD.org
 HOMEPAGE?= http://www.php.net/
-PHP_BASE_VERS= 5.2.1
+PHP_BASE_VERS= 5.2.2
 PHP_EXTENSION_DIR= lib/php/20040412
 PLIST_SUBST+= PHP_EXTENSION_DIR=${PHP_EXTENSION_DIR:Q}
diff --git a/lang/php5/distinfo b/lang/php5/distinfo
index e76202229d4..606f4287345 100644
--- a/lang/php5/distinfo
+++ b/lang/php5/distinfo
@@ -1,11 +1,9 @@
-$NetBSD: distinfo,v 1.39 2007/05/06 13:08:33 tron Exp $
+$NetBSD: distinfo,v 1.40 2007/05/06 20:07:36 adrianp Exp $
-SHA1 (php-5.2.1/php-5.2.1.tar.bz2) = 978ce7cde3d988d9aa672e32e46f815a8b25baa0
-RMD160 (php-5.2.1/php-5.2.1.tar.bz2) = f75078e0e43cb9c64e6d0a8d51a2ebd23cc9131d
-Size (php-5.2.1/php-5.2.1.tar.bz2) = 7163383 bytes
+SHA1 (php-5.2.2/php-5.2.2.tar.bz2) = b9b0b8f778eee61afcff24e286e626baed8d2934
+RMD160 (php-5.2.2/php-5.2.2.tar.bz2) = 15e844530bced2960e35fd291fb71a416562aec0
+Size (php-5.2.2/php-5.2.2.tar.bz2) = 7310926 bytes
 SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
-SHA1 (patch-ab) = e4131ba531bc7afdf478802dac33a47fa2f87b88
-SHA1 (patch-ac) = 0e260cfdbc247f2960f73af79324529efadcb25f
 SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
 SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587
 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
diff --git a/lang/php5/patches/patch-ab b/lang/php5/patches/patch-ab
deleted file mode 100644
index f836b8f2929..00000000000
--- a/lang/php5/patches/patch-ab
+++ /dev/null
@@ -1,212 +0,0 @@ -$NetBSD: patch-ab,v 1.4 2007/04/29 12:30:18 taca Exp $ - ---- TSRM/tsrm_virtual_cwd.c.orig 2007-04-28 22:51:43.000000000 +0100 -+++ TSRM/tsrm_virtual_cwd.c 2007-04-28 22:52:15.000000000 +0100 -@@ -474,7 +474,11 @@ - realpath_cache_bucket *bucket; - time_t t = 0; - int ret; -+ int use_cache; -+ int use_relative_path = 0; - TSRMLS_FETCH(); -+ -+ use_cache = ((use_realpath != CWD_EXPAND) && CWDG(realpath_cache_size_limit)); - - if (path_length == 0) - return (0); -@@ -488,27 +492,32 @@ - /* cwd_length can be 0 when getcwd() fails. - * This can happen under solaris when a dir does not have read permissions - * but *does* have execute permissions */ -- if (!IS_ABSOLUTE_PATH(path, path_length) && (state->cwd_length > 0)) { -- int orig_path_len; -- int state_cwd_length = state->cwd_length; -+ if (!IS_ABSOLUTE_PATH(path, path_length)) { -+ if (state->cwd_length == 0) { -+ use_cache = 0; -+ use_relative_path = 1; -+ } else { -+ int orig_path_len; -+ int state_cwd_length = state->cwd_length; - - #ifdef TSRM_WIN32 -- if (IS_SLASH(path[0])) { -- state_cwd_length = 2; -- } -+ if (IS_SLASH(path[0])) { -+ state_cwd_length = 2; -+ } - #endif -- orig_path_len = path_length + state_cwd_length + 1; -- if (orig_path_len >= MAXPATHLEN) { -- return 1; -+ orig_path_len = path_length + state_cwd_length + 1; -+ if (orig_path_len >= MAXPATHLEN) { -+ return 1; -+ } -+ memcpy(orig_path, state->cwd, state_cwd_length); -+ orig_path[state_cwd_length] = DEFAULT_SLASH; -+ memcpy(orig_path + state_cwd_length + 1, path, path_length + 1); -+ path = orig_path; -+ path_length = orig_path_len; - } -- memcpy(orig_path, state->cwd, state_cwd_length); -- orig_path[state_cwd_length] = DEFAULT_SLASH; -- memcpy(orig_path + state_cwd_length + 1, path, path_length + 1); -- path = orig_path; -- path_length = orig_path_len; - } - -- if (use_realpath != CWD_EXPAND && CWDG(realpath_cache_size_limit)) { -+ if (use_cache) { - t = CWDG(realpath_cache_ttl)?time(NULL):0; - if ((bucket = 
realpath_cache_find(path, path_length, t TSRMLS_CC)) != NULL) { - int len = bucket->realpath_len; -@@ -548,18 +557,19 @@ - #endif - } else { - char *ptr, *path_copy, *free_path; -- char *tok = NULL; -+ char *tok; - int ptr_length; - #ifdef TSRM_WIN32 -- int is_unc = 0; -+ int is_unc; - #endif -- - no_realpath: - - free_path = path_copy = tsrm_strndup(path, path_length); - CWD_STATE_COPY(&old_state, state); - --#ifdef TSRM_WIN32 -+#ifdef TSRM_WIN32 -+ ret = 0; -+ is_unc = 0; - if (path_length >= 2 && path[1] == ':') { - state->cwd = (char *) realloc(state->cwd, 2 + 1); - state->cwd[0] = toupper(path[0]); -@@ -583,6 +593,7 @@ - } - #endif - -+ tok = NULL; - ptr = tsrm_strtok_r(path_copy, TOKENIZER_STRING, &tok); - while (ptr) { - ptr_length = strlen(ptr); -@@ -590,6 +601,12 @@ - if (IS_DIRECTORY_UP(ptr, ptr_length)) { - char save; - -+ if (use_relative_path) { -+ CWD_STATE_FREE(state); -+ *state = old_state; -+ return 1; -+ } -+ - save = DEFAULT_SLASH; - - #define PREVIOUS state->cwd[state->cwd_length - 1] -@@ -609,33 +626,38 @@ - state->cwd_length--; - } - } else if (!IS_DIRECTORY_CURRENT(ptr, ptr_length)) { -- state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1+1); -+ if (use_relative_path) { -+ state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1); -+ use_relative_path = 0; -+ } else { -+ state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1+1); - #ifdef TSRM_WIN32 -- /* Windows 9x will consider C:\\Foo as a network path. Avoid it. */ -- if (state->cwd_length < 2 || -- (state->cwd[state->cwd_length-1]!='\\' && state->cwd[state->cwd_length-1]!='/') || -- IsDBCSLeadByte(state->cwd[state->cwd_length-2])) { -- state->cwd[state->cwd_length++] = DEFAULT_SLASH; -- } -+ /* Windows 9x will consider C:\\Foo as a network path. Avoid it. 
*/ -+ if (state->cwd_length < 2 || -+ (state->cwd[state->cwd_length-1]!='\\' && state->cwd[state->cwd_length-1]!='/') || -+ IsDBCSLeadByte(state->cwd[state->cwd_length-2])) { -+ state->cwd[state->cwd_length++] = DEFAULT_SLASH; -+ } - #elif defined(NETWARE) -- /* -- Below code keeps appending to state->cwd a File system seperator -- cases where this appending should not happen is given below, -- a) sys: should just be left as it is -- b) sys:system should just be left as it is, -- Colon is allowed only in the first token as volume names alone can have the : in their names. -- Files and Directories cannot have : in their names -- So the check goes like this, -- For second token and above simply append the DEFAULT_SLASH to the state->cwd. -- For first token check for the existence of : -- if it exists don't append the DEFAULT_SLASH to the state->cwd. -- */ -- if(((state->cwd_length == 0) && (strchr(ptr, ':') == NULL)) || (state->cwd_length > 0)) { -- state->cwd[state->cwd_length++] = DEFAULT_SLASH; -- } -+ /* -+ Below code keeps appending to state->cwd a File system seperator -+ cases where this appending should not happen is given below, -+ a) sys: should just be left as it is -+ b) sys:system should just be left as it is, -+ Colon is allowed only in the first token as volume names alone can have the : in their names. -+ Files and Directories cannot have : in their names -+ So the check goes like this, -+ For second token and above simply append the DEFAULT_SLASH to the state->cwd. -+ For first token check for the existence of : -+ if it exists don't append the DEFAULT_SLASH to the state->cwd. 
-+ */ -+ if(((state->cwd_length == 0) && (strchr(ptr, ':') == NULL)) || (state->cwd_length > 0)) { -+ state->cwd[state->cwd_length++] = DEFAULT_SLASH; -+ } - #else -- state->cwd[state->cwd_length++] = DEFAULT_SLASH; -+ state->cwd[state->cwd_length++] = DEFAULT_SLASH; - #endif -+ } - memcpy(&state->cwd[state->cwd_length], ptr, ptr_length+1); - - #ifdef TSRM_WIN32 -@@ -652,14 +674,14 @@ - memcpy(&state->cwd[state->cwd_length], data.cFileName, length+1); - ptr_length = length; - FindClose(hFind); -+ ret = 0; - } else if (use_realpath == CWD_REALPATH) { - if (is_unc) { -+ /* skip share name */ - is_unc--; -+ ret = 0; - } else { -- free(free_path); -- CWD_STATE_FREE(state); -- *state = old_state; -- return 1; -+ ret = 1; - } - } - } -@@ -672,6 +694,12 @@ - - free(free_path); - -+ if ((use_realpath == CWD_REALPATH) && ret) { -+ CWD_STATE_FREE(state); -+ *state = old_state; -+ return 1; -+ } -+ - if (state->cwd_length == COPY_WHEN_ABSOLUTE(state->cwd)) { - state->cwd = (char *) realloc(state->cwd, state->cwd_length+1+1); - state->cwd[state->cwd_length] = DEFAULT_SLASH; -@@ -680,7 +708,7 @@ - } - } - -- if (use_realpath != CWD_EXPAND && CWDG(realpath_cache_size_limit)) { -+ if (use_cache) { - realpath_cache_add(path, path_length, state->cwd, state->cwd_length, t TSRMLS_CC); - } - diff --git a/lang/php5/patches/patch-ac b/lang/php5/patches/patch-ac deleted file mode 100644 index 39d6a620db1..00000000000 --- a/lang/php5/patches/patch-ac +++ /dev/null 
@@ -1,40 +0,0 @@
-$NetBSD: patch-ac,v 1.4 2007/05/06 13:08:33 tron Exp $
-
-Patch for CVE-2007-1001, taken from here:
-
-http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.5&r2=1.5.6.1&view=patch
-
---- ext/gd/libgd/wbmp.c.orig 2003-12-31 01:01:44.000000000 +0000
-+++ ext/gd/libgd/wbmp.c 2007-05-06 13:41:13.000000000 +0100
-@@ -116,6 +116,15 @@
- if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
- return (NULL);
-
-+ if (overflow2(sizeof (int), width)) {
-+ gdFree(wbmp);
-+ return NULL;
-+ }
-+ if (overflow2(sizeof (int) * width, height)) {
-+ gdFree(wbmp);
-+ return NULL;
-+ }
-+
- if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
- {
- gdFree (wbmp);
-@@ -176,7 +185,14 @@
- printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
- #endif
-
-- if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
-+ if (overflow2(sizeof (int), wbmp->width) ||
-+ overflow2(sizeof (int) * wbmp->width, wbmp->height))
-+ {
-+ gdFree(wbmp);
-+ return (-1);
-+ }
-+
-+ if ((wbmp->bitmap = (int *) safe_emalloc((size_t)wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
- {
- gdFree (wbmp);
- return (-1); |