author | adrianp <adrianp@pkgsrc.org> | 2006-08-10 23:01:39 +0000 |
---|---|---|
committer | adrianp <adrianp@pkgsrc.org> | 2006-08-10 23:01:39 +0000 |
commit | c6db99b6c07a261d28c54b7a72701b42335de558 (patch) | |
tree | d59b7364e4fe6b71d8762f640ac123b6edfb58ab /www/php4/patches | |
parent | dd2923d1565489029d8f5d001e2178783e163c97 (diff) | |
Update to 4.4.3
All PHP 4.x users are encouraged to upgrade to this release as soon as possible.
The security issues resolved include the following:
* Disallow certain characters in session names.
* Fixed a buffer overflow inside the wordwrap() function.
* Prevent jumps to parent directory via the 2nd parameter of the tempnam()
function.
* Improved safe_mode check for the error_log() function.
* Fixed cross-site scripting inside the phpinfo() function.
The release also includes about 20 bug fixes and an upgraded PCRE library
(version 6.6).
For a full list of changes in PHP 4.4.3, see the ChangeLog:
http://www.php.net/ChangeLog-4.php#4.4.3
This also contains a fix for CVE-2006-4020 (SA21403)
Diffstat (limited to 'www/php4/patches')
-rw-r--r-- | www/php4/patches/patch-ao | 12 | ||||
-rw-r--r-- | www/php4/patches/patch-aq | 13 | ||||
-rw-r--r-- | www/php4/patches/patch-ar | 55 | ||||
-rw-r--r-- | www/php4/patches/patch-as | 43 | ||||
-rw-r--r-- | www/php4/patches/patch-au | 24 | ||||
-rw-r--r-- | www/php4/patches/patch-av | 15 | ||||
-rw-r--r-- | www/php4/patches/patch-aw | 83 |
7 files changed, 87 insertions, 158 deletions
diff --git a/www/php4/patches/patch-ao b/www/php4/patches/patch-ao
index c1b4524a89e..f65f1fca145 100644
--- a/www/php4/patches/patch-ao
+++ b/www/php4/patches/patch-ao
@@ -1,13 +1,9 @@
-$NetBSD: patch-ao,v 1.2 2006/03/06 15:57:58 cube Exp $
+$NetBSD: patch-ao,v 1.3 2006/08/10 23:01:39 adrianp Exp $
 
---- pear/Makefile.frag.orig 2005-11-05 19:19:23.000000000 +0100
+--- pear/Makefile.frag.orig 2006-05-07 17:33:41.000000000 +0100
 +++ pear/Makefile.frag
-@@ -3,10 +3,10 @@
- peardir=$(PEAR_INSTALLDIR)
-
- # Skip all php.ini files altogether
--PEAR_INSTALL_FLAGS = -n -dshort_open_tag=0 -dsafe_mode=0
-+PEAR_INSTALL_FLAGS = -n -dshort_open_tag=0 -dsafe_mode=0 -dmemory_limit=16M
+@@ -6,7 +6,7 @@ peardir=$(PEAR_INSTALLDIR)
+ PEAR_INSTALL_FLAGS = -n -dshort_open_tag=0 -dopen_basedir= -dsafe_mode=0 -dmemory_limit=-1
 
 install-pear-packages: $(top_builddir)/sapi/cli/php
 - @$(top_builddir)/sapi/cli/php $(PEAR_INSTALL_FLAGS) $(srcdir)/install-pear.php -d "$(peardir)" -b "$(bindir)" $(srcdir)/packages/*.tar
diff --git a/www/php4/patches/patch-aq b/www/php4/patches/patch-aq
deleted file mode 100644
index f173fc82dc2..00000000000
--- a/www/php4/patches/patch-aq
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-aq,v 1.1 2006/04/14 13:48:33 cube Exp $
-
---- ext/standard/html.c.orig 2006-01-01 14:46:57.000000000 +0100
-+++ ext/standard/html.c
-@@ -793,7 +793,7 @@ PHPAPI char *php_unescape_html_entities(
- enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC);
- unsigned char replacement[15];
-
-- ret = estrdup(old);
-+ ret = estrndup(old, oldlen);
- retlen = oldlen;
- if (!retlen) {
- goto empty_source;
diff --git a/www/php4/patches/patch-ar b/www/php4/patches/patch-ar
deleted file mode 100644
index bfdc845b1b0..00000000000
--- a/www/php4/patches/patch-ar
+++ /dev/null
@@ -1,55 +0,0 @@
-$NetBSD: patch-ar,v 1.1 2006/04/14 13:48:33 cube Exp $
-
---- ext/standard/info.c.orig 2006-01-01 14:46:57.000000000 +0100
-+++ ext/standard/info.c
-@@ -58,6 +58,23 @@ ZEND_EXTERN_MODULE_GLOBALS(iconv)
-
- PHPAPI extern char *php_ini_opened_path;
- PHPAPI extern char *php_ini_scanned_files;
-+
-+static int php_info_write_wrapper(const char *str, uint str_length)
-+{
-+ int new_len, written;
-+ char *elem_esc;
-+
-+ TSRMLS_FETCH();
-+
-+ elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
-+
-+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
-+
-+ efree(elem_esc);
-+
-+ return written;
-+}
-+
-
- /* {{{ _display_module_info
- */
-@@ -133,23 +150,12 @@ static void php_print_gpcse_array(char *
- PUTS(" => ");
- }
- if (Z_TYPE_PP(tmp) == IS_ARRAY) {
-- zval *tmp3;
-- MAKE_STD_ZVAL(tmp3);
- if (!sapi_module.phpinfo_as_text) {
- PUTS("<pre>");
-- }
-- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
-- zend_print_zval_r(*tmp, 0);
-- php_ob_get_buffer(tmp3 TSRMLS_CC);
-- php_end_ob_buffer(0, 0 TSRMLS_CC);
--
-- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
-- PUTS(elem_esc);
-- efree(elem_esc);
-- zval_ptr_dtor(&tmp3);
--
-- if (!sapi_module.phpinfo_as_text) {
-+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
- PUTS("</pre>");
-+ } else {
-+ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
- }
- } else if (Z_TYPE_PP(tmp) != IS_STRING) {
- tmp2 = **tmp;
diff --git a/www/php4/patches/patch-as b/www/php4/patches/patch-as
deleted file mode 100644
index 984a8a3b7aa..00000000000
--- a/www/php4/patches/patch-as
+++ /dev/null
@@ -1,43 +0,0 @@
-$NetBSD: patch-as,v 1.1 2006/04/14 13:48:33 cube Exp $
-
---- ext/standard/file.c.orig 2006-01-01 14:46:57.000000000 +0100
-+++ ext/standard/file.c
-@@ -552,7 +552,7 @@ PHP_FUNCTION(tempnam)
- pval **arg1, **arg2;
- char *d;
- char *opened_path;
-- char p[64];
-+ char *p;
- FILE *fp;
-
- if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
-@@ -566,7 +566,11 @@ PHP_FUNCTION(tempnam)
- }
-
- d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
-- strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));
-+
-+ p = php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0);
-+ if (strlen(p) > 64) {
-+ p[63] = '\0';
-+ }
-
- if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
- fclose(fp);
-@@ -574,6 +578,7 @@ PHP_FUNCTION(tempnam)
- } else {
- RETVAL_FALSE;
- }
-+ efree(p);
- efree(d);
- }
- /* }}} */
-@@ -2196,7 +2201,7 @@ no_stat:
- safe_to_copy:
-
- srcstream = php_stream_open_wrapper(src, "rb",
-- STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS,
-+ ENFORCE_SAFE_MODE | REPORT_ERRORS,
- NULL);
-
- if (!srcstream)
diff --git a/www/php4/patches/patch-au b/www/php4/patches/patch-au
deleted file mode 100644
index 8f7483c3602..00000000000
--- a/www/php4/patches/patch-au
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-au,v 1.1 2006/07/18 21:21:19 adrianp Exp $
-
-# This is CVE-2006-1990
-
---- ext/standard/string.c.orig 2006-01-01 13:46:58.000000000 +0000
-+++ ext/standard/string.c
-@@ -672,15 +672,13 @@ PHP_FUNCTION(wordwrap)
- /* Multiple character line break or forced cut */
- if (linelength > 0) {
- chk = (int)(textlen/linelength + 1);
-+ newtext = safe_emalloc(chk, breakcharlen, textlen + 1);
- alloced = textlen + chk * breakcharlen + 1;
- } else {
- chk = textlen;
-+ newtext = safe_emalloc(textlen, (breakcharlen + 1), 1);
- alloced = textlen * (breakcharlen + 1) + 1;
- }
-- if (alloced <= 0) {
-- RETURN_FALSE;
-- }
-- newtext = emalloc(alloced);
-
- /* now keep track of the actual new text length */
- newtextlen = 0;
diff --git a/www/php4/patches/patch-av b/www/php4/patches/patch-av
deleted file mode 100644
index 52040a157ef..00000000000
--- a/www/php4/patches/patch-av
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-av,v 1.1 2006/07/18 21:21:19 adrianp Exp $
-
-# This is CVE-2006-3011
-
---- ext/standard/basic_functions.c.orig 2006-01-01 13:46:57.000000000 +0000
-+++ ext/standard/basic_functions.c
-@@ -1866,7 +1866,7 @@ PHPAPI int _php_error_log(int opt_err, c
- break;
-
- case 3: /*save to a file */
-- stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
-+ stream = php_stream_open_wrapper(opt, "a", IGNORE_URL_WIN | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
- if (!stream)
- return FAILURE;
- php_stream_write(stream, message, strlen(message));
diff --git a/www/php4/patches/patch-aw b/www/php4/patches/patch-aw
new file mode 100644
index 00000000000..10ea46cce89
--- /dev/null
+++ b/www/php4/patches/patch-aw
@@ -0,0 +1,83 @@
+--- ext/standard/scanf.c.orig 2006-01-01 13:46:58.000000000 +0000
++++ ext/standard/scanf.c 2006-08-10 23:00:19.000000000 +0100
+@@ -732,7 +732,7 @@
+ if (*end == '$') {
+ format = end+1;
+ ch = format++;
+- objIndex = varStart + value;
++ objIndex = varStart + value - 1;
+ }
+ }
+
+@@ -762,8 +762,10 @@
+ switch (*ch) {
+ case 'n':
+ if (!(flags & SCAN_SUPPRESS)) {
+- if (numVars) {
+- current = args[objIndex++];
++ if (numVars && objIndex >= argCount) {
++ break;
++ } else if (numVars) {
++ current = args[objIndex++];
+ zval_dtor( *current );
+ ZVAL_LONG( *current, (long)(string - baseString) );
+ } else {
+@@ -883,8 +885,10 @@
+ }
+ }
+ if (!(flags & SCAN_SUPPRESS)) {
+- if (numVars) {
+- current = args[objIndex++];
++ if (numVars && objIndex >= argCount) {
++ break;
++ } else if (numVars) {
++ current = args[objIndex++];
+ zval_dtor( *current );
+ ZVAL_STRINGL( *current, string, end-string, 1);
+ } else {
+@@ -922,7 +926,9 @@
+ goto done;
+ }
+ if (!(flags & SCAN_SUPPRESS)) {
+- if (numVars) {
++ if (numVars && objIndex >= argCount) {
++ break;
++ } else if (numVars) {
+ current = args[objIndex++];
+ zval_dtor( *current );
+ ZVAL_STRINGL( *current, string, end-string, 1);
+@@ -1079,8 +1085,10 @@
+ value = (int) (*fn)(buf, NULL, base);
+ if ((flags & SCAN_UNSIGNED) && (value < 0)) {
+ sprintf(buf, "%u", value); /* INTL: ISO digit */
+- if (numVars) {
+- /* change passed value type to string */
++ if (numVars && objIndex >= argCount) {
++ break;
++ } else if (numVars) {
++ /* change passed value type to string */
+ current = args[objIndex++];
+ convert_to_string( *current );
+ ZVAL_STRING( *current, buf, 1 );
+@@ -1088,7 +1096,9 @@
+ add_index_string(*return_value, objIndex++, buf, 1);
+ }
+ } else {
+- if (numVars) {
++ if (numVars && objIndex >= argCount) {
++ break;
++ } else if (numVars) {
+ current = args[objIndex++];
+ convert_to_long( *current );
+ Z_LVAL(**current) = value;
+@@ -1196,7 +1206,9 @@
+ double dvalue;
+ *end = '\0';
+ dvalue = zend_strtod(buf, NULL);
+- if (numVars) {
++ if (numVars && objIndex >= argCount) {
++ break;
++ } else if (numVars) {
+ current = args[objIndex++];
+ convert_to_double( *current );
+ Z_DVAL_PP( current ) = dvalue; |
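Review bot: The six guards added to ext/standard/scanf.c check only the upper bound, `objIndex >= argCount`, while the first hunk now sets `objIndex = varStart + value - 1`, so a position value of 0 would index one slot below `varStart`. Whether the format validation elsewhere in scanf.c already rejects a zero position is not visible here; if it does not, the guard would need a lower bound as well, e.g. `if (numVars && (objIndex < varStart || objIndex >= argCount)) {`. The `break` also skips the assignment silently, so it is worth confirming that the caller still sees the mismatch in the returned count. Unlike the patches removed in this commit, patch-aw has no `$NetBSD$` line and no comment naming the issue; a header such as `# This is CVE-2006-4020` (the id given in the commit message) would keep that convention. The enclosing function begins and ends outside these hunks.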