From 48e58cae74debbae158c641f5fdc9e2a7e7b308f Mon Sep 17 00:00:00 2001 From: taca Date: Wed, 15 Jun 2011 14:41:16 +0000 Subject: Add two security fix, CVE-2011-1938 and filename-injection from PHP 5.3's repository. Bump PKGREVISION. --- lang/php53/patches/patch-ext_sockets_sockets.c | 18 ++++++++++++++++++ lang/php53/patches/patch-main_rfc1867.c | 24 ++++++++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 lang/php53/patches/patch-ext_sockets_sockets.c create mode 100644 lang/php53/patches/patch-main_rfc1867.c (limited to 'lang/php53/patches') diff --git a/lang/php53/patches/patch-ext_sockets_sockets.c b/lang/php53/patches/patch-ext_sockets_sockets.c new file mode 100644 index 00000000000..5df4f25324a --- /dev/null +++ b/lang/php53/patches/patch-ext_sockets_sockets.c @@ -0,0 +1,18 @@ +$NetBSD: patch-ext_sockets_sockets.c,v 1.1 2011/06/15 14:42:03 taca Exp $ + +* Update of r311369 of PHP's repository, fix for CVE-2011-1938. + +--- ext/sockets/sockets.c.orig 2011-01-01 02:19:59.000000000 +0000 ++++ ext/sockets/sockets.c +@@ -1333,6 +1333,11 @@ PHP_FUNCTION(socket_connect) + break; + + case AF_UNIX: ++ if (addr_len >= sizeof(s_un.sun_path)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type); ++ RETURN_FALSE; ++ } ++ + memset(&s_un, 0, sizeof(struct sockaddr_un)); + + s_un.sun_family = AF_UNIX; diff --git a/lang/php53/patches/patch-main_rfc1867.c b/lang/php53/patches/patch-main_rfc1867.c new file mode 100644 index 00000000000..4d0e54edc84 --- /dev/null +++ b/lang/php53/patches/patch-main_rfc1867.c @@ -0,0 +1,24 @@ +$NetBSD: patch-main_rfc1867.c,v 1.1 2011/06/15 14:42:03 taca Exp $ + +* Update of r312103 of PHP's repository, fix filename-injection vulnerability. + +--- main/rfc1867.c.orig 2011-01-19 13:09:05.000000000 +0000 ++++ main/rfc1867.c +@@ -1223,7 +1223,7 @@ filedone: + #endif + + if (!is_anonymous) { +- if (s && s > filename) { ++ if (s && s >= filename) { + safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC); + } else { + safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC); +@@ -1236,7 +1236,7 @@ filedone: + } else { + snprintf(lbuf, llen, "%s[name]", param); + } +- if (s && s > filename) { ++ if (s && s >= filename) { + register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC); + } else { + register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC); -- cgit v1.2.3