diff options
| author | taca <taca@pkgsrc.org> | 2009-12-23 07:07:34 +0000 |
|---|---|---|
| committer | taca <taca@pkgsrc.org> | 2009-12-23 07:07:34 +0000 |
| commit | 7415620fc57386d9e58d9dfa690a102a578c1ede (patch) | |
| tree | 1059442fae6c0f711ca1ae9f5e92001651bc0b02 /lang | |
| parent | 0e348a070719b2ebc4ad848d820cd0864a96dff0 (diff) | |
| download | pkgsrc-7415620fc57386d9e58d9dfa690a102a578c1ede.tar.gz | |
Update lang/php5 to 5.2.12, security update.
Security Enhancements and Fixes in PHP 5.2.12:
* Fixed a safe_mode bypass in tempnam() identified by Grzegorz
Stachowiak. (CVE-2009-3557, Rasmus)
* Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz
Stachowiak. (CVE-2009-3558, Rasmus)
* Added "max_file_uploads" INI directive, which can be set to limit the
number of file uploads per-request to 20 by default, to prevent possible
DOS via temporary file exhaustion, identified by Bogdan
Calin. (CVE-2009-4017, Ilia)
* Added protection for $_SESSION from interrupt corruption and improved
"session.save_path" check, identified by Stefan Esser. (CVE-2009-4143,
Stas)
* Fixed bug #49785 (insufficient input string validation of
htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)
Key enhancements in PHP 5.2.12 include:
* Fixed unnecessary invocation of setitimer when timeouts have been
disabled. (Arvind Srinivasan)
* Fixed crash in com_print_typeinfo when an invalid typelib is given. (Pierre)
* Fixed crash in SQLiteDatabase::ArrayQuery() and
SQLiteDatabase::SingleQuery() when calling using Reflection. (Felipe)
* Fixed crash when instantiating PDORow and PDOStatement through
Reflection. (Felipe)
* Fixed memory leak in openssl_pkcs12_export_to_file(). (Felipe)
* Fixed bug #50207 (segmentation fault when concatenating very large strings
on 64bit linux). (Ilia)
* Fixed bug #50162 (Memory leak when fetching timestamp column from Oracle
database). (Felipe)
* Fixed bug #50006 (Segfault caused by uksort()). (Felipe)
* Fixed bug #50005 (Throwing through Reflection modified Exception object
makes segmentation fault). (Felipe)
* Fixed bug #49174 (crash when extending PDOStatement and trying to set
queryString property). (Felipe)
* Fixed bug #49098 (mysqli segfault on error). (Rasmus)
* Over 50 other bug fixes.
Diffstat (limited to 'lang')
| -rw-r--r-- | lang/php5/Makefile | 3 | ||||
| -rw-r--r-- | lang/php5/Makefile.common | 4 | ||||
| -rw-r--r-- | lang/php5/PLIST | 4 | ||||
| -rw-r--r-- | lang/php5/distinfo | 24 | ||||
| -rw-r--r-- | lang/php5/patches/patch-ag | 14 | ||||
| -rw-r--r-- | lang/php5/patches/patch-ah | 14 | ||||
| -rw-r--r-- | lang/php5/patches/patch-ay | 17 | ||||
| -rw-r--r-- | lang/php5/patches/patch-az | 373 | ||||
| -rw-r--r-- | lang/php5/patches/patch-ba | 17 | ||||
| -rw-r--r-- | lang/php5/patches/patch-bb | 19 | ||||
| -rw-r--r-- | lang/php5/patches/patch-bc | 15 | ||||
| -rw-r--r-- | lang/php5/patches/patch-bd | 46 |
12 files changed, 20 insertions, 530 deletions
diff --git a/lang/php5/Makefile b/lang/php5/Makefile index 39fb2e1a999..6c7dcda8548 100644 --- a/lang/php5/Makefile +++ b/lang/php5/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.74 2009/11/30 06:14:08 taca Exp $ +# $NetBSD: Makefile,v 1.75 2009/12/23 07:07:34 taca Exp $ PKGNAME= php-${PHP_BASE_VERS} -PKGREVISION= 2 CATEGORIES= lang HOMEPAGE= http://www.php.net/ COMMENT= PHP Hypertext Preprocessor version 5 diff --git a/lang/php5/Makefile.common b/lang/php5/Makefile.common index 513a571faa4..aafc3f4fe25 100644 --- a/lang/php5/Makefile.common +++ b/lang/php5/Makefile.common @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.common,v 1.38 2009/10/09 03:53:06 taca Exp $ +# $NetBSD: Makefile.common,v 1.39 2009/12/23 07:07:34 taca Exp $ # used by lang/php5/Makefile.php # used by lang/php/ext.mk @@ -46,7 +46,7 @@ EXTRACT_SUFX?= .tar.bz2 MAINTAINER?= jdolecek@NetBSD.org HOMEPAGE?= http://www.php.net/ -PHP_BASE_VERS= 5.2.11 +PHP_BASE_VERS= 5.2.12 PHP_EXTENSION_DIR= lib/php/20040412 PLIST_SUBST+= PHP_EXTENSION_DIR=${PHP_EXTENSION_DIR:Q} diff --git a/lang/php5/PLIST b/lang/php5/PLIST index 465de671077..03f67ea8a9d 100644 --- a/lang/php5/PLIST +++ b/lang/php5/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.24 2009/09/26 05:40:05 taca Exp $ +@comment $NetBSD: PLIST,v 1.25 2009/12/23 07:07:34 taca Exp $ bin/php bin/php-config bin/phpize @@ -197,10 +197,10 @@ include/php/main/streams/php_stream_plain_wrapper.h include/php/main/streams/php_stream_transport.h include/php/main/streams/php_stream_userspace.h include/php/main/streams/php_streams_int.h -include/php/main/win95nt.h ${PLIST.suhosin}include/php/main/suhosin_globals.h ${PLIST.suhosin}include/php/main/suhosin_logo.h ${PLIST.suhosin}include/php/main/suhosin_patch.h +include/php/main/win95nt.h include/php/regex/cclass.h include/php/regex/cname.h include/php/regex/regex.h diff --git a/lang/php5/distinfo b/lang/php5/distinfo index dacc5ed2454..058571ba11f 100644 --- a/lang/php5/distinfo +++ b/lang/php5/distinfo @@ -1,14 +1,14 @@ -$NetBSD: distinfo,v 1.70 2009/11/30 06:14:08 taca Exp $ +$NetBSD: distinfo,v 1.71 2009/12/23 07:07:34 taca Exp $ -SHA1 (php-5.2.11/php-5.2.11.tar.bz2) = 819c853ce657ef260d4a73b5a21f961115b97eef -RMD160 (php-5.2.11/php-5.2.11.tar.bz2) = 6aad53dee864ab89f794a9d3c2aa32d435ed5654 -Size (php-5.2.11/php-5.2.11.tar.bz2) = 9030787 bytes -SHA1 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 248419332131efc53f3306c2a57a4b1a9dc92cc1 -RMD160 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 0f6d442aace34c221f9fbff42a63e7f3b4489f15 -Size (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 23050 bytes +SHA1 (php-5.2.12/php-5.2.12.tar.bz2) = 6605f23b70e3db824047830f08d636e09ec10ff3 +RMD160 (php-5.2.12/php-5.2.12.tar.bz2) = 027f3597fd961d2a95682e2f0738415f8a911371 +Size (php-5.2.12/php-5.2.12.tar.bz2) = 9075161 bytes +SHA1 (php-5.2.12/suhosin-patch-5.2.11-0.9.7.patch.gz) = 248419332131efc53f3306c2a57a4b1a9dc92cc1 +RMD160 (php-5.2.12/suhosin-patch-5.2.11-0.9.7.patch.gz) = 0f6d442aace34c221f9fbff42a63e7f3b4489f15 +Size (php-5.2.12/suhosin-patch-5.2.11-0.9.7.patch.gz) = 23050 bytes SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20 -SHA1 (patch-ag) = 901552355a3d57d9b8e23b31cd0edfd28db8b2bb -SHA1 (patch-ah) = 7702da73f3a457ee381542b454d19b1f4b421e01 +SHA1 (patch-ag) = 5e3e822657925a77fbccaca63f283863a1cc6d94 +SHA1 (patch-ah) = a25cb7fa3d1f5b9fb99493a4348fdba69d3d4728 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc SHA1 (patch-al) = 0ee37782cc0d3bf5ede1a583de0589c2c1316b50 SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602 @@ -16,9 +16,3 @@ SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1 -SHA1 (patch-ay) = 7ae502db6574a91fcbb487d37c14a5de644b01b6 -SHA1 (patch-az) = 04e69038e693cc72fb0f67ce04dd1778dacb1756 -SHA1 (patch-ba) = d9483f61b19c297eced12ae3d84d5163e33327b4 -SHA1 (patch-bb) = abbc8747e520d3665d3bcccf9c87741ecc6dc210 -SHA1 (patch-bc) = 9cb2e7fcd6f91d3382a69d68a80d72fdb8fbf2a7 -SHA1 (patch-bd) = 85c891ada42c062b365051b43a3b53c33fa39a92 diff --git a/lang/php5/patches/patch-ag b/lang/php5/patches/patch-ag index c5174b6e385..ae551e81738 100644 --- a/lang/php5/patches/patch-ag +++ b/lang/php5/patches/patch-ag @@ -1,10 +1,8 @@ -$NetBSD: patch-ag,v 1.3 2009/11/30 06:14:08 taca Exp $ +$NetBSD: patch-ag,v 1.4 2009/12/23 07:07:34 taca Exp $ * Ajust for pkgsrc. -* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: - http://svn.php.net/viewvc?view=revision&revision=289990 ---- php.ini-dist.orig 2009-02-14 01:55:18.000000000 +0900 +--- php.ini-dist.orig 2009-11-05 13:29:34.000000000 +0000 +++ php.ini-dist @@ -471,7 +471,7 @@ default_mimetype = "text/html" ;;;;;;;;;;;;;;;;;;;;;;;;; @@ -27,7 +25,7 @@ $NetBSD: patch-ag,v 1.3 2009/11/30 06:14:08 taca Exp $ ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically -@@ -546,11 +547,13 @@ file_uploads = On +@@ -546,7 +547,7 @@ file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). @@ -36,9 +34,3 @@ $NetBSD: patch-ag,v 1.3 2009/11/30 06:14:08 taca Exp $ ; Maximum allowed size for uploaded files. upload_max_filesize = 2M - -+; Maximum number of files that can be uploaded via a single request -+max_file_uploads = 100 - - ;;;;;;;;;;;;;;;;;; - ; Fopen wrappers ; diff --git a/lang/php5/patches/patch-ah b/lang/php5/patches/patch-ah index dfa5a9c1c67..33509e8c710 100644 --- a/lang/php5/patches/patch-ah +++ b/lang/php5/patches/patch-ah @@ -1,10 +1,8 @@ -$NetBSD: patch-ah,v 1.2 2009/11/30 06:14:08 taca Exp $ +$NetBSD: patch-ah,v 1.3 2009/12/23 07:07:34 taca Exp $ * Ajust for pkgsrc. -* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: - http://svn.php.net/viewvc?view=revision&revision=289990 ---- php.ini-recommended.orig 2009-03-02 13:44:35.000000000 +0900 +--- php.ini-recommended.orig 2009-11-05 13:29:34.000000000 +0000 +++ php.ini-recommended @@ -522,7 +522,7 @@ default_mimetype = "text/html" ;;;;;;;;;;;;;;;;;;;;;;;;; @@ -27,7 +25,7 @@ $NetBSD: patch-ah,v 1.2 2009/11/30 06:14:08 taca Exp $ ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically -@@ -597,11 +598,13 @@ file_uploads = On +@@ -597,7 +598,7 @@ file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). @@ -36,9 +34,3 @@ $NetBSD: patch-ah,v 1.2 2009/11/30 06:14:08 taca Exp $ ; Maximum allowed size for uploaded files. upload_max_filesize = 2M - -+; Maximum number of files that can be uploaded via a single request -+max_file_uploads = 100 - - ;;;;;;;;;;;;;;;;;; - ; Fopen wrappers ; diff --git a/lang/php5/patches/patch-ay b/lang/php5/patches/patch-ay deleted file mode 100644 index 7713377776d..00000000000 --- a/lang/php5/patches/patch-ay +++ /dev/null @@ -1,17 +0,0 @@ -$NetBSD: patch-ay,v 1.2 2009/11/30 06:14:08 taca Exp $ - -* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546 - http://svn.php.net/viewvc?view=revision&revision=289557 - ---- ext/gd/libgd/gd_gd.c.orig 2007-08-09 23:21:38.000000000 +0900 -+++ ext/gd/libgd/gd_gd.c -@@ -39,6 +39,9 @@ int _gdGetColors (gdIOCtx * in, gdImageP - if (!gdGetWord(&im->colorsTotal, in)) { - goto fail1; - } -+ if (im->colorsTotal > gdMaxColors) { -+ goto fail1; -+ } - } - /* Int to accommodate truecolor single-color transparency */ - if (!gdGetInt(&im->transparent, in)) { diff --git a/lang/php5/patches/patch-az b/lang/php5/patches/patch-az deleted file mode 100644 index 184f591054b..00000000000 --- a/lang/php5/patches/patch-az +++ /dev/null @@ -1,373 +0,0 @@ -$NetBSD$ - -* Fix for htmlspecialchars(): - http://svn.php.net/viewvc?view=revision&revision=289411 - http://svn.php.net/viewvc?view=revision&revision=289554 - http://svn.php.net/viewvc?view=revision&revision=289565 - http://svn.php.net/viewvc?view=revision&revision=289567 - http://svn.php.net/viewvc?view=revision&revision=289605 - ---- ext/standard/html.c.orig 2008-12-31 20:17:49.000000000 +0900 -+++ ext/standard/html.c -@@ -484,15 +484,31 @@ struct basic_entities_dec { - } \ - mbseq[mbpos++] = (mbchar); } - --#define CHECK_LEN(pos, chars_need) \ -- if((str_len - (pos)) < chars_need) { \ -- *status = FAILURE; \ -- return 0; \ -+/* skip one byte and return */ -+#define MB_FAILURE(pos) do { \ -+ *newpos = pos + 1; \ -+ *status = FAILURE; \ -+ return 0; \ -+ } while (0) -+ -+#define CHECK_LEN(pos, chars_need) \ -+ if (chars_need < 1) { \ -+ if((str_len - (pos)) < chars_need) { \ -+ *newpos = pos; \ -+ *status = FAILURE; \ -+ return 0; \ -+ } \ -+ } else { \ -+ if((str_len - (pos)) < chars_need) { \ -+ *newpos = pos + 1; \ -+ *status = FAILURE; \ -+ return 0; \ -+ } \ - } - - /* {{{ get_next_char - */ --inline static unsigned short get_next_char(enum entity_charset charset, -+inline static unsigned int get_next_char(enum entity_charset charset, - unsigned char * str, - int str_len, - int * newpos, -@@ -503,205 +519,189 @@ inline static unsigned short get_next_ch - int pos = *newpos; - int mbpos = 0; - int mbspace = *mbseqlen; -- unsigned short this_char = str[pos++]; -+ unsigned int this_char = 0; - unsigned char next_char; - - *status = SUCCESS; -- -+ - if (mbspace <= 0) { - *mbseqlen = 0; -- return this_char; -+ CHECK_LEN(pos, 1); -+ *newpos = pos + 1; -+ *newpos = pos + 1; - } -- -- MB_WRITE((unsigned char)this_char); -- -+ - switch (charset) { - case cs_utf_8: - { -- unsigned long utf = 0; -- int stat = 0; -- int more = 1; -- -- /* unpack utf-8 encoding into a wide char. -- * Code stolen from the mbstring extension */ -- -- do { -- if (this_char < 0x80) { -- more = 0; -- if(stat) { -- /* we didn't finish the UTF sequence correctly */ -- *status = FAILURE; -- } -- break; -- } else if (this_char < 0xc0) { -- switch (stat) { -- case 0x10: /* 2, 2nd */ -- case 0x21: /* 3, 3rd */ -- case 0x32: /* 4, 4th */ -- case 0x43: /* 5, 5th */ -- case 0x54: /* 6, 6th */ -- /* last byte in sequence */ -- more = 0; -- utf |= (this_char & 0x3f); -- this_char = (unsigned short)utf; -- break; -- case 0x20: /* 3, 2nd */ -- case 0x31: /* 4, 3rd */ -- case 0x42: /* 5, 4th */ -- case 0x53: /* 6, 5th */ -- /* penultimate char */ -- utf |= ((this_char & 0x3f) << 6); -- stat++; -- break; -- case 0x30: /* 4, 2nd */ -- case 0x41: /* 5, 3rd */ -- case 0x52: /* 6, 4th */ -- utf |= ((this_char & 0x3f) << 12); -- stat++; -- break; -- case 0x40: /* 5, 2nd */ -- case 0x51: -- utf |= ((this_char & 0x3f) << 18); -- stat++; -- break; -- case 0x50: /* 6, 2nd */ -- utf |= ((this_char & 0x3f) << 24); -- stat++; -- break; -- default: -- /* invalid */ -- *status = FAILURE; -- more = 0; -- } -- } -- /* lead byte */ -- else if (this_char < 0xe0) { -- stat = 0x10; /* 2 byte */ -- utf = (this_char & 0x1f) << 6; -- CHECK_LEN(pos, 1); -- } else if (this_char < 0xf0) { -- stat = 0x20; /* 3 byte */ -- utf = (this_char & 0xf) << 12; -- CHECK_LEN(pos, 2); -- } else if (this_char < 0xf8) { -- stat = 0x30; /* 4 byte */ -- utf = (this_char & 0x7) << 18; -- CHECK_LEN(pos, 3); -- } else if (this_char < 0xfc) { -- stat = 0x40; /* 5 byte */ -- utf = (this_char & 0x3) << 24; -- CHECK_LEN(pos, 4); -- } else if (this_char < 0xfe) { -- stat = 0x50; /* 6 byte */ -- utf = (this_char & 0x1) << 30; -- CHECK_LEN(pos, 5); -- } else { -- /* invalid; bail */ -- more = 0; -- *status = FAILURE; -- break; -+ unsigned char c; -+ CHECK_LEN(pos, 1); -+ c = str[pos]; -+ if (c < 0x80) { -+ MB_WRITE(c); -+ this_char = c; -+ pos++; -+ } else if (c < 0xc0) { -+ MB_FAILURE(pos); -+ } else if (c < 0xe0) { -+ CHECK_LEN(pos, 2); -+ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { -+ MB_FAILURE(pos); - } -- -- if (more) { -- this_char = str[pos++]; -- MB_WRITE((unsigned char)this_char); -+ this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f); -+ if (this_char < 0x80) { -+ MB_FAILURE(pos); - } -- } while (more); -+ MB_WRITE((unsigned char)c); -+ MB_WRITE((unsigned char)str[pos + 1]); -+ pos += 2; -+ } else if (c < 0xf0) { -+ CHECK_LEN(pos, 3); -+ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { -+ MB_FAILURE(pos); -+ } -+ if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) { -+ MB_FAILURE(pos); -+ } -+ this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f); -+ if (this_char < 0x800) { -+ MB_FAILURE(pos); -+ } -+ MB_WRITE((unsigned char)c); -+ MB_WRITE((unsigned char)str[pos + 1]); -+ MB_WRITE((unsigned char)str[pos + 2]); -+ pos += 3; -+ } else if (c < 0xf8) { -+ CHECK_LEN(pos, 4); -+ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { -+ MB_FAILURE(pos); -+ } -+ if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) { -+ MB_FAILURE(pos); -+ } -+ if (str[pos + 3] < 0x80 || str[pos + 3] > 0xbf) { -+ MB_FAILURE(pos); -+ } -+ this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f); -+ if (this_char < 0x10000) { -+ MB_FAILURE(pos); -+ } -+ MB_WRITE((unsigned char)c); -+ MB_WRITE((unsigned char)str[pos + 1]); -+ MB_WRITE((unsigned char)str[pos + 2]); -+ MB_WRITE((unsigned char)str[pos + 3]); -+ pos += 4; -+ } else { -+ MB_FAILURE(pos); -+ } - } - break; - case cs_big5: - case cs_gb2312: - case cs_big5hkscs: - { -+ CHECK_LEN(pos, 1); -+ this_char = str[pos++]; - /* check if this is the first of a 2-byte sequence */ -- if (this_char >= 0xa1 && this_char <= 0xfe) { -+ if (this_char >= 0x81 && this_char <= 0xfe) { - /* peek at the next char */ - CHECK_LEN(pos, 1); -- next_char = str[pos]; -+ next_char = str[pos++]; - if ((next_char >= 0x40 && next_char <= 0x7e) || - (next_char >= 0xa1 && next_char <= 0xfe)) { - /* yes, this a wide char */ -- this_char <<= 8; -+ MB_WRITE(this_char); - MB_WRITE(next_char); -- this_char |= next_char; -- pos++; -+ this_char = (this_char << 8) | next_char; -+ } else { -+ MB_FAILURE(pos); - } -- -+ } else { -+ MB_WRITE(this_char); - } -- break; - } -+ break; - case cs_sjis: - { -+ CHECK_LEN(pos, 1); -+ this_char = str[pos++]; - /* check if this is the first of a 2-byte sequence */ -- if ( (this_char >= 0x81 && this_char <= 0x9f) || -- (this_char >= 0xe0 && this_char <= 0xef) -- ) { -+ if ((this_char >= 0x81 && this_char <= 0x9f) || -+ (this_char >= 0xe0 && this_char <= 0xfc)) { - /* peek at the next char */ - CHECK_LEN(pos, 1); -- next_char = str[pos]; -+ next_char = str[pos++]; - if ((next_char >= 0x40 && next_char <= 0x7e) || - (next_char >= 0x80 && next_char <= 0xfc)) - { - /* yes, this a wide char */ -- this_char <<= 8; -+ MB_WRITE(this_char); - MB_WRITE(next_char); -- this_char |= next_char; -- pos++; -+ this_char = (this_char << 8) | next_char; -+ } else { -+ MB_FAILURE(pos); - } -- -+ } else { -+ MB_WRITE(this_char); - } - break; - } - case cs_eucjp: - { -+ CHECK_LEN(pos, 1); -+ this_char = str[pos++]; - /* check if this is the first of a multi-byte sequence */ - if (this_char >= 0xa1 && this_char <= 0xfe) { - /* peek at the next char */ - CHECK_LEN(pos, 1); -- next_char = str[pos]; -+ next_char = str[pos++]; - if (next_char >= 0xa1 && next_char <= 0xfe) { - /* yes, this a jis kanji char */ -- this_char <<= 8; -+ MB_WRITE(this_char); - MB_WRITE(next_char); -- this_char |= next_char; -- pos++; -+ this_char = (this_char << 8) | next_char; -+ } else { -+ MB_FAILURE(pos); - } -- - } else if (this_char == 0x8e) { - /* peek at the next char */ - CHECK_LEN(pos, 1); -- next_char = str[pos]; -+ next_char = str[pos++]; - if (next_char >= 0xa1 && next_char <= 0xdf) { - /* JIS X 0201 kana */ -- this_char <<= 8; -+ MB_WRITE(this_char); - MB_WRITE(next_char); -- this_char |= next_char; -- pos++; -+ this_char = (this_char << 8) | next_char; -+ } else { -+ MB_FAILURE(pos); - } -- - } else if (this_char == 0x8f) { - /* peek at the next two char */ - unsigned char next2_char; - CHECK_LEN(pos, 2); - next_char = str[pos]; -- next2_char = str[pos+1]; -+ next2_char = str[pos + 1]; -+ pos += 2; - if ((next_char >= 0xa1 && next_char <= 0xfe) && - (next2_char >= 0xa1 && next2_char <= 0xfe)) { - /* JIS X 0212 hojo-kanji */ -- this_char <<= 8; -+ MB_WRITE(this_char); - MB_WRITE(next_char); -- this_char |= next_char; -- pos++; -- this_char <<= 8; - MB_WRITE(next2_char); -- this_char |= next2_char; -- pos++; -+ this_char = (this_char << 16) | (next_char << 8) | next2_char; -+ } else { -+ MB_FAILURE(pos); - } -- -+ } else { -+ MB_WRITE(this_char); - } - break; - } - default: -+ /* single-byte charsets */ -+ CHECK_LEN(pos, 1); -+ this_char = str[pos++]; -+ MB_WRITE(this_char); - break; - } - MB_RETURN; -@@ -1132,7 +1132,7 @@ PHPAPI char *php_escape_html_entities_ex - unsigned char mbsequence[16]; /* allow up to 15 characters in a multibyte sequence */ - int mbseqlen = sizeof(mbsequence); - int status = SUCCESS; -- unsigned short this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); -+ unsigned int this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); - - if(status == FAILURE) { - /* invalid MB sequence */ diff --git a/lang/php5/patches/patch-ba b/lang/php5/patches/patch-ba deleted file mode 100644 index a5b41e01043..00000000000 --- a/lang/php5/patches/patch-ba +++ /dev/null @@ -1,17 +0,0 @@ -$NetBSD: patch-ba,v 1.1 2009/11/30 06:14:08 taca Exp $ - -Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558: - http://svn.php.net/viewvc?view=revision&revision=288934 - ---- ext/posix/posix.c.orig 2009-08-06 20:11:15.000000000 +0900 -+++ ext/posix/posix.c -@@ -679,7 +679,8 @@ PHP_FUNCTION(posix_mkfifo) - RETURN_FALSE; - } - -- if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) { -+ if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) || -+ (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) { - RETURN_FALSE; - } - diff --git a/lang/php5/patches/patch-bb b/lang/php5/patches/patch-bb deleted file mode 100644 index 2b8d9a830cb..00000000000 --- a/lang/php5/patches/patch-bb +++ /dev/null @@ -1,19 +0,0 @@ -$NetBSD: patch-bb,v 1.1 2009/11/30 06:14:08 taca Exp $ - -Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557: - http://svn.php.net/viewvc?view=revision&revision=288945 - http://svn.php.net/viewvc?view=revision&revision=288971 - ---- ext/standard/file.c.orig 2009-11-30 10:04:51.000000000 +0900 -+++ ext/standard/file.c -@@ -838,6 +838,10 @@ PHP_FUNCTION(tempnam) - convert_to_string_ex(arg1); - convert_to_string_ex(arg2); - -+ if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) { -+ RETURN_FALSE; -+ } -+ - if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) { - RETURN_FALSE; - } diff --git a/lang/php5/patches/patch-bc b/lang/php5/patches/patch-bc deleted file mode 100644 index 25421d738be..00000000000 --- a/lang/php5/patches/patch-bc +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-bc,v 1.1 2009/11/30 06:14:08 taca Exp $ - -Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: - http://svn.php.net/viewvc?view=revision&revision=289990 - ---- main/main.c.orig 2009-11-30 10:04:51.000000000 +0900 -+++ main/main.c -@@ -455,6 +455,7 @@ PHP_INI_BEGIN() - PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra) - PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL) - PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL) -+ PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL) - - STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals) - STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals) diff --git a/lang/php5/patches/patch-bd b/lang/php5/patches/patch-bd deleted file mode 100644 index 8eed556e09b..00000000000 --- a/lang/php5/patches/patch-bd +++ /dev/null @@ -1,46 +0,0 @@ -$NetBSD: patch-bd,v 1.1 2009/11/30 06:14:08 taca Exp $ - -Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: - http://svn.php.net/viewvc?view=revision&revision=289990 - http://svn.php.net/viewvc?view=revision&revision=290820 - http://svn.php.net/viewvc?view=revision&revision=290885 - ---- main/rfc1867.c.orig 2008-12-31 20:17:49.000000000 +0900 -+++ main/rfc1867.c -@@ -32,6 +32,7 @@ - #include "php_globals.h" - #include "php_variables.h" - #include "rfc1867.h" -+#include "php_ini.h" - - #define DEBUG_FILE_UPLOAD ZEND_DEBUG - -@@ -794,8 +795,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ - zend_llist header; - void *event_extra_data = NULL; - int llen = 0; -+ int upload_cnt = INI_INT("max_file_uploads"); - -- if (SG(request_info).content_length > SG(post_max_size)) { -+ if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) { - sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size)); - return; - } -@@ -972,6 +974,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ - /* If file_uploads=off, skip the file part */ - if (!PG(file_uploads)) { - skip_upload = 1; -+ } else if (upload_cnt <= 0) { -+ skip_upload = 1; -+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded"); - } - - /* Return with an error if the posted data is garbled */ -@@ -1016,6 +1021,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ - if (!skip_upload) { - /* Handle file */ - fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC); -+ upload_cnt--; - if (fd==-1) { - sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file"); - cancel_upload = UPLOAD_ERROR_E; |