- CVE-2010-4150 (php-imap)

http://svn.php.net/viewvc?view=revision&revision=305032 - CVE-2010-3710 (a part of SA41724) http://svn.php.net/viewvc?view=revision&revision=303885 - CVE-2010-3870 (a part of SA41724) http://svn.php.net/viewvc?view=revision&revision=305055 Bump PKGREVISION.
author: taca <taca@pkgsrc.org> 2010-11-25 03:44:16 +0000
committer: taca <taca@pkgsrc.org> 2010-11-25 03:44:16 +0000
commit: d90702e547c0fa15651f23fdb99e992c3b61a9f4 (patch)
tree: e11cba2f042ff9b12c9e3be87d4d6f6eedf4d67d /lang
parent: 43e96d0eb12c2d39d409ffa74f1901dde30a6ce1 (diff)
download: pkgsrc-d90702e547c0fa15651f23fdb99e992c3b61a9f4.tar.gz
5 files changed, 212 insertions, 2 deletions
diff --git a/lang/php5/Makefile b/lang/php5/Makefile
index 8154a31e1ab..70fdeff2fc1 100644
--- a/lang/php5/Makefile
+++ b/lang/php5/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.79 2010/07/24 22:23:14 tron Exp $
+# $NetBSD: Makefile,v 1.80 2010/11/25 03:44:16 taca Exp $
 
 PKGNAME=		php-${PHP_BASE_VERS}
+PKGREVISION=		1
 CATEGORIES=		lang
 HOMEPAGE=		http://www.php.net/
 COMMENT=		PHP Hypertext Preprocessor version 5
diff --git a/lang/php5/distinfo b/lang/php5/distinfo
index 0e3ec25b6df..8475f1da7a0 100644
--- a/lang/php5/distinfo
+++ b/lang/php5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.79 2010/07/24 22:23:15 tron Exp $
+$NetBSD: distinfo,v 1.80 2010/11/25 03:44:16 taca Exp $
 
 SHA1 (php-5.2.14/php-5.2.14.tar.bz2) = 311b44b2c0f2eea8ab8dab876d2a6b6e7a55632e
 RMD160 (php-5.2.14/php-5.2.14.tar.bz2) = f699488f5b266a1c5e36df570c4d5896dc4e0aea
@@ -11,9 +11,12 @@ SHA1 (patch-af) = 68c5a31dccf1854ba1aff653e4c524767d6a64f6
 SHA1 (patch-ag) = 5e3e822657925a77fbccaca63f283863a1cc6d94
 SHA1 (patch-ah) = a25cb7fa3d1f5b9fb99493a4348fdba69d3d4728
 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
+SHA1 (patch-ak) = d2b84d8b4b9014602d63cbeac7be63cd6da6f057
 SHA1 (patch-al) = 3945eef039ed285e623273cdde4c51c4c6bc978b
 SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602
 SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce
 SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df
 SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d
 SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1
+SHA1 (patch-bf) = 97f5c544e5aa87cf8caff090b57efb02c8acc944
+SHA1 (patch-bg) = 57b57e795463ae374687e5565899dffe2d5d4a01
diff --git a/lang/php5/patches/patch-ak b/lang/php5/patches/patch-ak
new file mode 100644
index 00000000000..a7e07c739a1
--- /dev/null
+++ b/lang/php5/patches/patch-ak
@@ -0,0 +1,20 @@
+$NetBSD: patch-ak,v 1.8 2010/11/25 03:44:16 taca Exp $
+
+Fix for CVE-2010-4150:
+	http://svn.php.net/viewvc?view=revision&revision=305032
+
+--- ext/imap/php_imap.c.orig	2010-02-07 13:06:54.000000000 +0000
++++ ext/imap/php_imap.c
+@@ -794,10 +794,12 @@ static void php_imap_do_open(INTERNAL_FU
+ 
+ 	if (IMAPG(imap_user)) {
+ 		efree(IMAPG(imap_user));
++		IMAPG(imap_user) = 0;
+ 	}
+ 
+ 	if (IMAPG(imap_password)) {
+ 		efree(IMAPG(imap_password));
++		IMAPG(imap_password) = 0;
+ 	}
+ 
+ 	/* local filename, need to perform open_basedir and safe_mode checks */
diff --git a/lang/php5/patches/patch-bf b/lang/php5/patches/patch-bf
new file mode 100644
index 00000000000..9d1252c2e2c
--- /dev/null
+++ b/lang/php5/patches/patch-bf
@@ -0,0 +1,20 @@
+$NetBSD: patch-bf,v 1.1 2010/11/25 03:44:16 taca Exp $
+
+Fix for CVE-2010-3710 (a part of http://secunia.com/advisories/41724/):
+
+	http://svn.php.net/viewvc?view=revision&revision=303885
+
+--- ext/filter/logical_filters.c.orig	2010-04-02 18:27:48.000000000 +0000
++++ ext/filter/logical_filters.c
+@@ -531,6 +531,11 @@ void php_filter_validate_email(PHP_INPUT
+ 	int         matches;
+ 
+ 
++	/* The maximum length of an e-mail address is 320 octets, per RFC 2821. */
++	if (Z_STRLEN_P(value) > 320) {
++		RETURN_VALIDATION_FAILED
++	}
++
+ 	re = pcre_get_compiled_regex((char *)regexp, &pcre_extra, &preg_options TSRMLS_CC);
+ 	if (!re) {
+ 		RETURN_VALIDATION_FAILED
diff --git a/lang/php5/patches/patch-bg b/lang/php5/patches/patch-bg
new file mode 100644
index 00000000000..1f495e15882
--- /dev/null
+++ b/lang/php5/patches/patch-bg
@@ -0,0 +1,166 @@
+$NetBSD: patch-bg,v 1.1 2010/11/25 03:44:16 taca Exp $
+
+Fix for CVE-2010-3870 (a part of http://secunia.com/advisories/41724/):
+
+	http://svn.php.net/viewvc?view=revision&revision=305055
+
+--- ext/xml/xml.c.orig	2010-01-05 13:03:40.000000000 +0000
++++ ext/xml/xml.c
+@@ -554,10 +554,111 @@ PHPAPI char *xml_utf8_encode(const char 
+ }
+ /* }}} */
+ 
++/* copied from trunk's implementation of get_next_char in ext/standard/html.c */
++#define MB_FAILURE(pos, advance) do { \
++	*cursor = pos + (advance); \
++	*status = FAILURE; \
++	return 0; \
++} while (0)
++
++#define CHECK_LEN(pos, chars_need) ((str_len - (pos)) >= (chars_need))
++#define utf8_lead(c)  ((c) < 0x80 || ((c) >= 0xC2 && (c) <= 0xF4))
++#define utf8_trail(c) ((c) >= 0x80 && (c) <= 0xBF)
++
++/* {{{ php_next_utf8_char
++ */
++static inline unsigned int php_next_utf8_char(
++		const unsigned char *str,
++		size_t str_len,
++		size_t *cursor,
++		int *status)
++{
++	size_t pos = *cursor;
++	unsigned int this_char = 0;
++	unsigned char c;
++
++	*status = SUCCESS;
++
++	if (!CHECK_LEN(pos, 1))
++		MB_FAILURE(pos, 1);
++
++	/* We'll follow strategy 2. from section 3.6.1 of UTR #36:
++		* "In a reported illegal byte sequence, do not include any
++		*  non-initial byte that encodes a valid character or is a leading
++		*  byte for a valid sequence. */
++	c = str[pos];
++	if (c < 0x80) {
++		this_char = c;
++		pos++;
++	} else if (c < 0xc2) {
++		MB_FAILURE(pos, 1);
++	} else if (c < 0xe0) {
++		if (!CHECK_LEN(pos, 2))
++			MB_FAILURE(pos, 1);
++
++		if (!utf8_trail(str[pos + 1])) {
++			MB_FAILURE(pos, utf8_lead(str[pos + 1]) ? 1 : 2);
++		}
++		this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f);
++		if (this_char < 0x80) { /* non-shortest form */
++			MB_FAILURE(pos, 2);
++		}
++		pos += 2;
++	} else if (c < 0xf0) {
++		size_t avail = str_len - pos;
++
++		if (avail < 3 ||
++				!utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2])) {
++			if (avail < 2 || utf8_lead(str[pos + 1]))
++				MB_FAILURE(pos, 1);
++			else if (avail < 3 || utf8_lead(str[pos + 2]))
++				MB_FAILURE(pos, 2);
++			else
++				MB_FAILURE(pos, 3);
++		}
++
++		this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f);
++		if (this_char < 0x800) { /* non-shortest form */
++			MB_FAILURE(pos, 3);
++		} else if (this_char >= 0xd800 && this_char <= 0xdfff) { /* surrogate */
++			MB_FAILURE(pos, 3);
++		}
++		pos += 3;
++	} else if (c < 0xf5) {
++		size_t avail = str_len - pos;
++
++		if (avail < 4 ||
++				!utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2]) ||
++				!utf8_trail(str[pos + 3])) {
++			if (avail < 2 || utf8_lead(str[pos + 1]))
++				MB_FAILURE(pos, 1);
++			else if (avail < 3 || utf8_lead(str[pos + 2]))
++				MB_FAILURE(pos, 2);
++			else if (avail < 4 || utf8_lead(str[pos + 3]))
++				MB_FAILURE(pos, 3);
++			else
++				MB_FAILURE(pos, 4);
++		}
++
++		this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
++		if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */
++			MB_FAILURE(pos, 4);
++		}
++		pos += 4;
++	} else {
++		MB_FAILURE(pos, 1);
++	}
++
++	*cursor = pos;
++	return this_char;
++}
++/* }}} */
++
++
+ /* {{{ xml_utf8_decode */
+ PHPAPI char *xml_utf8_decode(const XML_Char *s, int len, int *newlen, const XML_Char *encoding)
+ {
+-	int pos = len;
++	size_t pos = 0;
+ 	char *newbuf = emalloc(len + 1);
+ 	unsigned int c;
+ 	char (*decoder)(unsigned short) = NULL;
+@@ -576,36 +677,15 @@ PHPAPI char *xml_utf8_decode(const XML_C
+ 		newbuf[*newlen] = '\0';
+ 		return newbuf;
+ 	}
+-	while (pos > 0) {
+-		c = (unsigned char)(*s);
+-		if (c >= 0xf0) { /* four bytes encoded, 21 bits */
+-			if(pos-4 >= 0) {
+-				c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
+-			} else {
+-				c = '?';	
+-			}
+-			s += 4;
+-			pos -= 4;
+-		} else if (c >= 0xe0) { /* three bytes encoded, 16 bits */
+-			if(pos-3 >= 0) {
+-				c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63);
+-			} else {
+-				c = '?';
+-			}
+-			s += 3;
+-			pos -= 3;
+-		} else if (c >= 0xc0) { /* two bytes encoded, 11 bits */
+-			if(pos-2 >= 0) {
+-				c = ((s[0]&63)<<6) | (s[1]&63);
+-			} else {
+-				c = '?';
+-			}
+-			s += 2;
+-			pos -= 2;
+-		} else {
+-			s++;
+-			pos--;
++
++	while (pos < (size_t)len) {
++		int status = FAILURE;
++		c = php_next_utf8_char((const unsigned char*)s, (size_t) len, &pos, &status);
++
++		if (status == FAILURE || c > 0xFFU) {
++			c = '?';
+ 		}
++
+ 		newbuf[*newlen] = decoder ? decoder(c) : c;
+ 		++*newlen;
+ 	}
author	taca <taca@pkgsrc.org>	2010-11-25 03:44:16 +0000
committer	taca <taca@pkgsrc.org>	2010-11-25 03:44:16 +0000
commit	d90702e547c0fa15651f23fdb99e992c3b61a9f4 (patch)
tree	e11cba2f042ff9b12c9e3be87d4d6f6eedf4d67d /lang
parent	43e96d0eb12c2d39d409ffa74f1901dde30a6ce1 (diff)
download	pkgsrc-d90702e547c0fa15651f23fdb99e992c3b61a9f4.tar.gz