authortaca <taca@pkgsrc.org>2011-06-15 14:41:16 +0000
committertaca <taca@pkgsrc.org>2011-06-15 14:41:16 +0000
commit30f1cb2b6c2ac9b7e665e06f3d5302d237645e6f (patch)
treeb1b95651785edef3502aa03e061a7c8d0924fc0b /lang
parentdecf9f7168be4acf7fc6030e0e064a798e6de047 (diff)
Add two security fixes from PHP 5.3's repository: one for CVE-2011-1938 and
one for a filename-injection vulnerability. Bump PKGREVISION.
Diffstat (limited to 'lang')
-rw-r--r--lang/php5/Makefile4
-rw-r--r--lang/php5/distinfo8
-rw-r--r--lang/php5/patches/patch-ext_sockets_sockets.c18
-rw-r--r--lang/php5/patches/patch-main_rfc1867.c24
-rw-r--r--lang/php53/Makefile4
-rw-r--r--lang/php53/distinfo4
-rw-r--r--lang/php53/patches/patch-ext_sockets_sockets.c18
-rw-r--r--lang/php53/patches/patch-main_rfc1867.c24
8 files changed, 98 insertions, 6 deletions
diff --git a/lang/php5/Makefile b/lang/php5/Makefile
index 543bd973497..b405c8e379b 100644
--- a/lang/php5/Makefile
+++ b/lang/php5/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.84 2011/03/21 16:34:28 taca Exp $
+# $NetBSD: Makefile,v 1.85 2011/06/15 14:41:16 taca Exp $
PKGNAME= php-${PHP_BASE_VERS}
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= lang
HOMEPAGE= http://www.php.net/
COMMENT= PHP Hypertext Preprocessor version 5
diff --git a/lang/php5/distinfo b/lang/php5/distinfo
index 2cc3f88dadc..56d2d609e8c 100644
--- a/lang/php5/distinfo
+++ b/lang/php5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.89 2011/03/21 16:34:28 taca Exp $
+$NetBSD: distinfo,v 1.90 2011/06/15 14:41:16 taca Exp $
SHA1 (php-5.2.17/php-5.2.17.tar.bz2) = d68f3b09f766990d815a3c4c63c157db8dab8095
RMD160 (php-5.2.17/php-5.2.17.tar.bz2) = 567fa8d718b93fb83a89494c83a8bec224ac99e9
@@ -14,10 +14,16 @@ SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce
SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df
SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d
SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1
+SHA1 (patch-ext_date_lib_parse__date.c) = da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA1 (patch-ext_exif_exif.c) = 0a6ab268751e633510cb6b334b1bdb84a014b528
+SHA1 (patch-ext_pdo_pdo__sql__parser.c) = da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA1 (patch-ext_shmop_shmop.c) = 6e11b87dd71ff26357b14b61df626c40b40a022d
+SHA1 (patch-ext_sockets_sockets.c) = f01eb6020450a62c305bdf59e12eeacbe8764be7
+SHA1 (patch-ext_standard_url__scanner__ex.c) = da39a3ee5e6b4b0d3255bfef95601890afd80709
+SHA1 (patch-ext_standard_var__unserializer.c) = da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA1 (patch-ext_zip_lib_zip__name__locate.c) = 4030e37ae4f93dbcb1a3a937a5407c2c406a49d6
SHA1 (patch-ext_zip_php__zip.c) = 134fa566a689d72d63a2fa0aa5c96c4595619089
+SHA1 (patch-main_rfc1867.c) = 89a1a0e52402a8f8f1cc5b1ec007f5ab1ab69dc2
SHA1 (patch-main_snprintf.c) = cb112df0cadf84aaeee5987169a31460989995a8
SHA1 (patch-main_snprintf.h) = 86ae4c1c8ae9183254e9914cb56d3df999f719cf
SHA1 (patch-main_spprintf.c) = 0fe0888b612402c41f040c8781df7f1a7ca66275
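Review bot: Four of the added entries (`patch-ext_date_lib_parse__date.c`, `patch-ext_pdo_pdo__sql__parser.c`, `patch-ext_standard_url__scanner__ex.c`, `patch-ext_standard_var__unserializer.c`) all record `da39a3ee5e6b4b0d3255bfef95601890afd80709`, which is the SHA-1 of zero-length input, and none of those files appears in this commit's diffstat. Presumably they are empty leftovers that were picked up when the checksums were regenerated. An empty patch changes nothing, so these lines add no integrity coverage and make the patch list look larger than it is; I would drop them together with the empty files and keep only the `patch-ext_sockets_sockets.c` and `patch-main_rfc1867.c` additions. The lang/php53 distinfo hunk does not have this problem.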
diff --git a/lang/php5/patches/patch-ext_sockets_sockets.c b/lang/php5/patches/patch-ext_sockets_sockets.c
new file mode 100644
index 00000000000..d6b9412ff75
--- /dev/null
+++ b/lang/php5/patches/patch-ext_sockets_sockets.c
@@ -0,0 +1,18 @@
+$NetBSD: patch-ext_sockets_sockets.c,v 1.1 2011/06/15 14:41:16 taca Exp $
+
+* Update of r311369 of PHP's repository, fix for CVE-2011-1938.
+
+--- ext/sockets/sockets.c.orig 2010-01-03 09:23:27.000000000 +0000
++++ ext/sockets/sockets.c
+@@ -1176,6 +1176,11 @@ PHP_FUNCTION(socket_connect)
+ break;
+
+ case AF_UNIX:
++ if (addr_len >= sizeof(s_un.sun_path)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type);
++ RETURN_FALSE;
++ }
++
+ memset(&s_un, 0, sizeof(struct sockaddr_un));
+
+ s_un.sun_family = AF_UNIX;
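Review bot: The added `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type);` passes `php_sock->type` to a format string that has no conversion, so the argument is ignored and the warning says nothing about the rejected length. I would either drop the stray argument, `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");`, or report the limit with a matching conversion. The comparison itself, `addr_len >= sizeof(s_un.sun_path)`, also rejects a path that exactly fills the field, which presumably keeps room for the terminating NUL in the copy that follows below the hunk; a one-line comment such as `/* >= : sun_path must keep its NUL terminator */` would record that. The same lines appear in lang/php53/patches/patch-ext_sockets_sockets.c, and the `case AF_UNIX:` body continues outside the hunk.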
diff --git a/lang/php5/patches/patch-main_rfc1867.c b/lang/php5/patches/patch-main_rfc1867.c
new file mode 100644
index 00000000000..59a14a4daad
--- /dev/null
+++ b/lang/php5/patches/patch-main_rfc1867.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-main_rfc1867.c,v 1.1 2011/06/15 14:41:16 taca Exp $
+
+* Update of r312103 of PHP's repository, fix filename-injection vulnerability.
+
+--- main/rfc1867.c.orig 2010-03-18 22:37:25.000000000 +0000
++++ main/rfc1867.c
+@@ -1215,7 +1215,7 @@ filedone:
+ #endif
+
+ if (!is_anonymous) {
+- if (s && s > filename) {
++ if (s && s >= filename) {
+ safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
+ } else {
+ safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
+@@ -1228,7 +1228,7 @@ filedone:
+ } else {
+ snprintf(lbuf, llen, "%s[name]", param);
+ }
+- if (s && s > filename) {
++ if (s && s >= filename) {
+ register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
+ } else {
+ register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);
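Review bot: Neither changed condition carries a comment explaining why `>=` is required, and the reason is easy to lose in a later cleanup: when `s == filename` the client-supplied name starts with the separator, and with `>` that case fell into the else branch and registered the name with its leading separator intact. I would add `/* s == filename: name begins with a path separator; strip it as well */` above each `if (s && s >= filename)`. `s` is assigned outside the hunk; if it can only be NULL or point into `filename`, the test reduces to `if (s)`, which would state the intent more directly. This applies to both hunks here and to both hunks of lang/php53/patches/patch-main_rfc1867.c.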
diff --git a/lang/php53/Makefile b/lang/php53/Makefile
index 07f766f9d0d..80b1c7344c9 100644
--- a/lang/php53/Makefile
+++ b/lang/php53/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.9 2011/05/16 13:08:45 taca Exp $
+# $NetBSD: Makefile,v 1.10 2011/06/15 14:42:03 taca Exp $
#
# We can't omit PKGNAME here to handle PKG_OPTIONS.
#
PKGNAME= php-${PHP_BASE_VERS}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= lang
HOMEPAGE= http://www.php.net/
COMMENT= PHP Hypertext Preprocessor version 5
diff --git a/lang/php53/distinfo b/lang/php53/distinfo
index d6d6db09730..11114cbf2c4 100644
--- a/lang/php53/distinfo
+++ b/lang/php53/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2011/05/16 13:08:45 taca Exp $
+$NetBSD: distinfo,v 1.15 2011/06/15 14:42:03 taca Exp $
SHA1 (php-5.3.6/php-5.3.6.tar.bz2) = 0e0b9b4d9117f22080e2204afa9383469eb0dbbd
RMD160 (php-5.3.6/php-5.3.6.tar.bz2) = 619bf96cf24bf6aa0988494186f8914fde94d44d
@@ -14,4 +14,6 @@ SHA1 (patch-ah) = b20c29c64b3099f77855a5ec28960dc1c4f65c83
SHA1 (patch-ai) = d4766893a2c47a4e4a744248dda265b0a9a66a1f
SHA1 (patch-aj) = d611d13fcc28c5d2b9e9586832ce4b8ae5707b48
SHA1 (patch-al) = fbbee5502e0cd1c47c6e7c15e0d54746414ec32e
+SHA1 (patch-ext_sockets_sockets.c) = 99137af0e3307f1b379e4a4012ebd56978a88a15
SHA1 (patch-ext_standard_string.c) = fe16ffedd894a6d580f3c998b9f571f403f4a764
+SHA1 (patch-main_rfc1867.c) = 2f7efd3ebc6eadb377ce308d5d8293bda07bbc42
diff --git a/lang/php53/patches/patch-ext_sockets_sockets.c b/lang/php53/patches/patch-ext_sockets_sockets.c
new file mode 100644
index 00000000000..5df4f25324a
--- /dev/null
+++ b/lang/php53/patches/patch-ext_sockets_sockets.c
@@ -0,0 +1,18 @@
+$NetBSD: patch-ext_sockets_sockets.c,v 1.1 2011/06/15 14:42:03 taca Exp $
+
+* Update of r311369 of PHP's repository, fix for CVE-2011-1938.
+
+--- ext/sockets/sockets.c.orig 2011-01-01 02:19:59.000000000 +0000
++++ ext/sockets/sockets.c
+@@ -1333,6 +1333,11 @@ PHP_FUNCTION(socket_connect)
+ break;
+
+ case AF_UNIX:
++ if (addr_len >= sizeof(s_un.sun_path)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type);
++ RETURN_FALSE;
++ }
++
+ memset(&s_un, 0, sizeof(struct sockaddr_un));
+
+ s_un.sun_family = AF_UNIX;
diff --git a/lang/php53/patches/patch-main_rfc1867.c b/lang/php53/patches/patch-main_rfc1867.c
new file mode 100644
index 00000000000..4d0e54edc84
--- /dev/null
+++ b/lang/php53/patches/patch-main_rfc1867.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-main_rfc1867.c,v 1.1 2011/06/15 14:42:03 taca Exp $
+
+* Update of r312103 of PHP's repository, fix filename-injection vulnerability.
+
+--- main/rfc1867.c.orig 2011-01-19 13:09:05.000000000 +0000
++++ main/rfc1867.c
+@@ -1223,7 +1223,7 @@ filedone:
+ #endif
+
+ if (!is_anonymous) {
+- if (s && s > filename) {
++ if (s && s >= filename) {
+ safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
+ } else {
+ safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
+@@ -1236,7 +1236,7 @@ filedone:
+ } else {
+ snprintf(lbuf, llen, "%s[name]", param);
+ }
+- if (s && s > filename) {
++ if (s && s >= filename) {
+ register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
+ } else {
+ register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);