From 7b4e3d6456f97cc11cd0f19ce4009286b494c25b Mon Sep 17 00:00:00 2001
From: tron <tron>
Date: Sat, 25 Oct 2014 15:55:51 +0000
Subject: Pullup ticket #4526 - requested by taca graphics/php-exif: security
 patch lang/php53: security patch net/php-xmlrpc: security patch

Revisions pulled up:
- graphics/php-exif/Makefile                                    1.13
- lang/php53/Makefile                                           1.50
- lang/php53/distinfo                                           1.77
- lang/php53/patches/patch-ext_exif_exif.c                      1.3
- lang/php53/patches/patch-ext_standard_var__unserializer.c     1.1
- lang/php53/patches/patch-ext_standard_var__unserializer.re    1.1
- lang/php53/patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c        1.1
- net/php-xmlrpc/Makefile                                       1.17

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Oct 23 16:18:48 UTC 2014

   Modified Files:
   	pkgsrc/lang/php53: Makefile distinfo
   Added Files:
   	pkgsrc/lang/php53/patches: patch-ext_exif_exif.c
   	    patch-ext_standard_var__unserializer.c
   	    patch-ext_standard_var__unserializer.re
   	    patch-ext_xmlrpc_libxmlrpc_xmlrpc.c

   Log Message:
   Add patch for CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670.

   Bump PKGREVISION.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Oct 23 16:20:04 UTC 2014

   Modified Files:
   	pkgsrc/graphics/php-exif: Makefile

   Log Message:
   Bump PKGREVISION for php53-exif update.  It also bump php54-exif and
   php55-exit as a side effect.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Oct 23 16:20:38 UTC 2014

   Modified Files:
   	pkgsrc/net/php-xmlrpc: Makefile

   Log Message:
   Bump PKGREVISION for php53-xmlrpc update.  It also bump php54-xmlrpc and
   php55-xmlrpc as a side effect.
---
 graphics/php-exif/Makefile                         |  3 +-
 lang/php53/Makefile                                |  3 +-
 lang/php53/distinfo                                |  6 ++-
 lang/php53/patches/patch-ext_exif_exif.c           | 20 ++++++++
 .../patches/patch-ext_standard_var__unserializer.c | 15 ++++++
 .../patch-ext_standard_var__unserializer.re        | 15 ++++++
 .../patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c    | 55 ++++++++++++++++++++++
 net/php-xmlrpc/Makefile                            |  3 +-
 8 files changed, 116 insertions(+), 4 deletions(-)
 create mode 100644 lang/php53/patches/patch-ext_exif_exif.c
 create mode 100644 lang/php53/patches/patch-ext_standard_var__unserializer.c
 create mode 100644 lang/php53/patches/patch-ext_standard_var__unserializer.re
 create mode 100644 lang/php53/patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c

diff --git a/graphics/php-exif/Makefile b/graphics/php-exif/Makefile
index 20f48bf45bf..1bb7252953c 100644
--- a/graphics/php-exif/Makefile
+++ b/graphics/php-exif/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.12 2012/10/06 14:11:13 asau Exp $
+# $NetBSD: Makefile,v 1.12.16.1 2014/10/25 15:55:51 tron Exp $
 
 MODNAME=		exif
+PKGREVISION=		1
 CATEGORIES+=		graphics
 COMMENT=		PHP extension to extract information from EXIF headers
 
diff --git a/lang/php53/Makefile b/lang/php53/Makefile
index 87eae647d8d..06fdb594496 100644
--- a/lang/php53/Makefile
+++ b/lang/php53/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.49 2014/08/15 16:09:16 taca Exp $
+# $NetBSD: Makefile,v 1.49.2.1 2014/10/25 15:55:51 tron Exp $
 
 #
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
 #
 PKGNAME=		php-${PHP_BASE_VERS}
+PKGREVISION=		1
 CATEGORIES=		lang
 
 HOMEPAGE=		http://www.php.net/
diff --git a/lang/php53/distinfo b/lang/php53/distinfo
index fbc6cf3ac01..05b6ebcf381 100644
--- a/lang/php53/distinfo
+++ b/lang/php53/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.76 2014/08/15 16:09:16 taca Exp $
+$NetBSD: distinfo,v 1.76.2.1 2014/10/25 15:55:51 tron Exp $
 
 SHA1 (php-5.3.29.tar.bz2) = 6e9e492c6d5853d063ddb9a4dbef60b8e5d87444
 RMD160 (php-5.3.29.tar.bz2) = e57beb4fdda41bca81b5856161bc97f3c5e3e9da
@@ -19,8 +19,12 @@ SHA1 (patch-ai) = 9659f73eef1b4fcca9b844bdaa785ac6d5e582a1
 SHA1 (patch-aj) = 181658ae523bd60f67750566711fc078b49191b7
 SHA1 (patch-al) = fe534d7d50a529e3c7d0ffed76afdb70bb55a521
 SHA1 (patch-build_libtool.m4) = 6835b90ebd34739440c8eb94ed19ebacdf2ba6a5
+SHA1 (patch-ext_exif_exif.c) = c78249a8ffae00bbdece2af9058e4ecf11cb0fa6
 SHA1 (patch-ext_gd_libgd_gdxpm.c) = 9a175417fad9ac23037a24122f8d1258b9eebbcb
 SHA1 (patch-ext_standard_basic__functions.c) = 017fd25e646af4d7eb2a0bd13b3c8da34eaee8c5
+SHA1 (patch-ext_standard_var__unserializer.c) = eb590c1d5349320e45bbdaf97c875b11eb275cfb
+SHA1 (patch-ext_standard_var__unserializer.re) = 23478a8a26c2c106efc4f0727743e2fffdebaf54
+SHA1 (patch-ext_xmlrpc_libxmlrpc_xmlrpc.c) = 9fd4004b4d94fcbf8d4104027018b46794bee127
 SHA1 (patch-main_streams_cast.c) = d68b69c9418a8780b1610b8755487771f7c46a5a
 SHA1 (patch-php__mssql.c) = 524c4e5d7ede0e503049bf1febec58e0c4a29aa4
 SHA1 (patch-sapi_fpm_fpm_events_port.c) = ad45bcebadf923ee8cb3f2ad4d78d21dd178a8e3
diff --git a/lang/php53/patches/patch-ext_exif_exif.c b/lang/php53/patches/patch-ext_exif_exif.c
new file mode 100644
index 00000000000..68983ed9e3d
--- /dev/null
+++ b/lang/php53/patches/patch-ext_exif_exif.c
@@ -0,0 +1,20 @@
+$NetBSD: patch-ext_exif_exif.c,v 1.3.2.2 2014/10/25 15:55:51 tron Exp $
+
+* Fix for CVE-2014-3670.
+
+--- ext/exif/exif.c.orig	2014-08-13 19:22:50.000000000 +0000
++++ ext/exif/exif.c
+@@ -2446,11 +2446,11 @@ static void* exif_ifd_make_value(image_i
+ 					data_ptr += 8;
+ 					break;
+ 				case TAG_FMT_SINGLE:
+-					memmove(data_ptr, &info_data->value.f, byte_count);
++					memmove(data_ptr, &info_value->f, 4);
+ 					data_ptr += 4;
+ 					break;
+ 				case TAG_FMT_DOUBLE:
+-					memmove(data_ptr, &info_data->value.d, byte_count);
++					memmove(data_ptr, &info_value->d, 8);
+ 					data_ptr += 8;
+ 					break;
+ 			}
diff --git a/lang/php53/patches/patch-ext_standard_var__unserializer.c b/lang/php53/patches/patch-ext_standard_var__unserializer.c
new file mode 100644
index 00000000000..f3c92e6ff76
--- /dev/null
+++ b/lang/php53/patches/patch-ext_standard_var__unserializer.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-ext_standard_var__unserializer.c,v 1.1.2.2 2014/10/25 15:55:51 tron Exp $
+
+* Fix for CVE-2014-3669.
+
+--- ext/standard/var_unserializer.c.orig	2014-08-13 19:27:30.000000000 +0000
++++ ext/standard/var_unserializer.c
+@@ -333,7 +333,7 @@ static inline int object_custom(UNSERIAL
+ 
+ 	(*p) += 2;
+ 
+-	if (datalen < 0 || (*p) + datalen >= max) {
++	if (datalen < 0 || (max - (*p)) <= datalen) {
+ 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ 		return 0;
+ 	}
diff --git a/lang/php53/patches/patch-ext_standard_var__unserializer.re b/lang/php53/patches/patch-ext_standard_var__unserializer.re
new file mode 100644
index 00000000000..0099328e68f
--- /dev/null
+++ b/lang/php53/patches/patch-ext_standard_var__unserializer.re
@@ -0,0 +1,15 @@
+$NetBSD: patch-ext_standard_var__unserializer.re,v 1.1.2.2 2014/10/25 15:55:51 tron Exp $
+
+* Fix for CVE-2014-3669.
+
+--- ext/standard/var_unserializer.re.orig	2014-08-13 19:22:50.000000000 +0000
++++ ext/standard/var_unserializer.re
+@@ -339,7 +339,7 @@ static inline int object_custom(UNSERIAL
+ 
+ 	(*p) += 2;
+ 
+-	if (datalen < 0 || (*p) + datalen >= max) {
++	if (datalen < 0 || (max - (*p)) <= datalen) {
+ 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
+ 		return 0;
+ 	}
diff --git a/lang/php53/patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c b/lang/php53/patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c
new file mode 100644
index 00000000000..83b961c8646
--- /dev/null
+++ b/lang/php53/patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c
@@ -0,0 +1,55 @@
+$NetBSD: patch-ext_xmlrpc_libxmlrpc_xmlrpc.c,v 1.1.2.2 2014/10/25 15:55:51 tron Exp $
+
+* Fix for CVE-2014-3668.
+
+--- ext/xmlrpc/libxmlrpc/xmlrpc.c.orig	2014-08-13 19:22:50.000000000 +0000
++++ ext/xmlrpc/libxmlrpc/xmlrpc.c
+@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char
+    n = 10;
+    tm.tm_mon = 0;
+    for(i = 0; i < 2; i++) {
+-      XMLRPC_IS_NUMBER(text[i])
++      XMLRPC_IS_NUMBER(text[i+4])
+       tm.tm_mon += (text[i+4]-'0')*n;
+       n /= 10;
+    }
+    tm.tm_mon --;
++   if(tm.tm_mon < 0 || tm.tm_mon > 11) {
++      return -1;
++   }
+ 
+    n = 10;
+    tm.tm_mday = 0;
+    for(i = 0; i < 2; i++) {
+-      XMLRPC_IS_NUMBER(text[i])
++      XMLRPC_IS_NUMBER(text[i+6])
+       tm.tm_mday += (text[i+6]-'0')*n;
+       n /= 10;
+    }
+@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char
+    n = 10;
+    tm.tm_hour = 0;
+    for(i = 0; i < 2; i++) {
+-      XMLRPC_IS_NUMBER(text[i])
++      XMLRPC_IS_NUMBER(text[i+9])
+       tm.tm_hour += (text[i+9]-'0')*n;
+       n /= 10;
+    }
+@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char
+    n = 10;
+    tm.tm_min = 0;
+    for(i = 0; i < 2; i++) {
+-      XMLRPC_IS_NUMBER(text[i])
++      XMLRPC_IS_NUMBER(text[i+12])
+       tm.tm_min += (text[i+12]-'0')*n;
+       n /= 10;
+    }
+@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char
+    n = 10;
+    tm.tm_sec = 0;
+    for(i = 0; i < 2; i++) {
+-      XMLRPC_IS_NUMBER(text[i])
++      XMLRPC_IS_NUMBER(text[i+15])
+       tm.tm_sec += (text[i+15]-'0')*n;
+       n /= 10;
+    }
diff --git a/net/php-xmlrpc/Makefile b/net/php-xmlrpc/Makefile
index a48ed852a63..91df6d3d199 100644
--- a/net/php-xmlrpc/Makefile
+++ b/net/php-xmlrpc/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.16 2012/10/23 17:18:58 asau Exp $
+# $NetBSD: Makefile,v 1.16.16.1 2014/10/25 15:55:51 tron Exp $
 
 MODNAME=		xmlrpc
+PKGREVISION=		1
 CATEGORIES+=		net
 COMMENT=		PHP extension for XML-RPC support
 
-- 
cgit v1.2.3