-rw-r--r-- | debian/changelog | 28 | ||||
-rw-r--r-- | debian/control | 6 | ||||
-rw-r--r-- | debian/patches/054-open_basedir_slash.patch | 13 | ||||
-rw-r--r-- | debian/patches/055-gd_safe_mode_checks.patch | 32 | ||||
-rw-r--r-- | debian/patches/104-64_bit_serialize.patch | 42 | ||||
-rw-r--r-- | debian/patches/105-64_bit_imagettftext.patch | 17 |
6 files changed, 134 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog index 7ead25814..275014b8c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +php5 (5.0.5-2) unstable; urgency=medium + + * Remove Andres Salomon from the Uploaders field, at his request. Thanks + for all your work on the PHP packages, Andres, now fix our kernel bugs. + * Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir + is set to "/foo/", users can access files in "/foobar/", which is not the + documented behaviour; this addresses CAN-2005-3054 (see: #323585) + * Add 104-64_bit_serialize.patch from Joe Orton, resolving a segfault when + serializing objects on all 64-bit architectures (closes: #329768) + * Add 105-64_bit_imagettftext.patch, fixing a type mismatch in the GD + extension, causing memory corruption on 64-bit arches (closes: #331001) + * Add 055-gd_safe_mode_checks.patch from PHP CVS, adding missing safe_mode + checks to the _php_image_output and _php_image_output_ctx GD functions. + * Make php-pear Provide, Replace, and Conflict php-html-template-it, which + we appear to have absorbed into the main PEAR packaging (closes: #332393) + + -- Adam Conrad <adconrad@0c3.net> Tue, 27 Sep 2005 16:09:29 +1000 + php5 (5.0.5-1) unstable; urgency=low * New upstream release, adjust patch offsets and fuzz, and drop patches: @@ -5,6 +23,7 @@ php5 (5.0.5-1) unstable; urgency=low - Drop 051-gcc-4.0.patch, fixed differently upstream. - Drop 102-php_streams.patch, fixed upstream. - Drop 103-catch_segv.patch, also fixed upstream. + - Includes PEAR XML_RPC fix for CAN-2005-2498. * Distribute the shiny new manpages for php-config and phpize. -- Adam Conrad <adconrad@0c3.net> Mon, 12 Sep 2005 02:29:24 +1000 
@@ -41,7 +60,8 @@ php5 (5.0.4-3) unstable; urgency=low * Make libapache2-mod-php5 the default alternate dependency for the php5 metapackage, since we really do want to encourage the apache upgrade. * Make php5-dev stop shipping copies of files from autotools-dev, shtool, - and libtool, and instead symlink to them and depend on those packages. + and libtool, and instead symlink to them and depend on those packages, + thus avoiding the shtool issues from CAN-2005-1751 and CAN-2005-1759. -- Adam Conrad <adconrad@0c3.net> Sun, 31 Jul 2005 03:05:08 +1000 @@ -272,6 +292,8 @@ php4 (4:4.3.10-4) unstable; urgency=medium php4 (4:4.3.10-3) unstable; urgency=medium * Update to CVS, as of 200502060530 (closes: #288672) + - Fixes two vulnerabilities in exif.c, CAN-2005-1042 and CAN-2005-1043 + - Fixes two vulnerabilities in image.c, CAN-2005-0524 and CAN-2005-0525 - File uploads with "'" in them aren't cut off anymore (closes: #288679) - unserialize() is no longer ridiculously slow (closes: #291392) - Add 000-200502060530_CVS.patch @@ -363,7 +385,8 @@ php4 (4:4.3.9-1) unstable; urgency=high 023-4.3.9_array_fixes.patch, 024-4.3.9_glob_fix.patch, and 025-4.3.9_domxml_segfaults.patch * Resolves undiscolsed vulnerabilities in GPC processing and rfc1867 - handling of file uploads via the $_FILES array (closes: #274206) + handling of file uploads via the $_FILES array; these have since + been assigned CVE CAN-2004-0958 and CAN-2004-0959 (closes: #274206) * After some fairly heavy testing from several users and developers, finally update php4-snmp to use libsnmp5 (closes: #195929) * Add 026-4.3.10_session_fixes.patch from CVS, which prevents PHP 
@@ -638,6 +661,7 @@ php4 (4:4.3.8-1) unstable; urgency=low + Added missing safe_mode checks inside ftok and itpc. + Fixed address allocation routine in IMAP extension. + Prevent open_basedir bypass via MySQL's LOAD DATA LOCAL. + + Fixes DoS in readfile() function, see CAN-2005-0596. - php4-pear now includes PEAR::Mail 1.1.3 (closes: #257688) - debian/control: change libpng3-dev build-dep to libpng12-dev - Add Turkish debconf translation, thanks to Osman Yuksel. diff --git a/debian/control b/debian/control index 7b64c2244..64262f5ae 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: php5 Section: web Priority: optional Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org> -Uploaders: Adam Conrad <adconrad@0c3.net>, Steve Langasek <vorlon@debian.org>, Andres Salomon <dilinger@debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, Ondřej Surý <ondrej@debian.org> +Uploaders: Adam Conrad <adconrad@0c3.net>, Steve Langasek <vorlon@debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, Ondřej Surý <ondrej@debian.org> Build-Depends: apache-dev (>= 1.3.23), apache2-prefork-dev (>= 2.0.53-3), autoconf, automake1.4, bison, chrpath, debhelper (>= 3), flex (>= 2.5.4), freetds-dev, po-debconf, libbz2-dev (>= 1.0.0), libcurl3-dev, libdb4.2-dev, libexpat1-dev (>= 1.95.2-2.1), libfreetype6-dev, libgcrypt11-dev, libgd2-xpm-dev (>= 2.0.28-3), libgdbm-dev, libjpeg62-dev, libkrb5-dev, libldap2-dev, libmhash-dev (>= 0.8.8), libmysqlclient12-dev, libncurses5-dev, libpam0g-dev, libpcre3-dev (>= 4.3-1), libpng12-dev, libpq-dev | postgresql-dev, librecode-dev, libsnmp9-dev | libsnmp-dev, libsqlite0-dev, libssl-dev (>= 0.9.6), libt1-dev, libtool (>= 1.4.2-4), libwrap0-dev, libxmltok1-dev, libxml2-dev (>= 2.4.14), libxslt1-dev (>= 1.0.18), re2c, unixodbc-dev, zlib1g-dev (>= 1.0.9) Build-Conflicts: bind-dev Standards-Version: 3.6.2 
@@ -147,7 +147,9 @@ Description: Files for PHP5 module development Package: php-pear Architecture: all Depends: php5-cli | php4-cli, php5-common (>= ${Source-Version}) -Replaces: php4-pear (<< 4:4.4.0-0) +Replaces: php4-pear (<< 4:4.4.0-0), php-html-template-it +Provides: php-html-template-it +Conflicts: php-html-template-it Description: PEAR - PHP Extension and Application Repository This package contains the base PEAR classes for PHP, as well as the PEAR installer. Many PEAR classes are already packaged for Debian, and can be diff --git a/debian/patches/054-open_basedir_slash.patch b/debian/patches/054-open_basedir_slash.patch new file mode 100644 index 000000000..202d06e1f --- /dev/null +++ b/debian/patches/054-open_basedir_slash.patch @@ -0,0 +1,13 @@ +--- php-5.0.5/main/fopen_wrappers.c 2005-07-16 12:14:44.000000000 +0000 ++++ php-5.0.5/main/fopen_wrappers.c 2005-09-26 09:07:55.000000000 +0000 +@@ -109,8 +109,8 @@ + /* Handler for basedirs that end with a / */ + resolved_basedir_len = strlen(resolved_basedir); + if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) { +- if (resolved_basedir[resolved_basedir_len - 1] == '/') { +- resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR; ++ if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) { ++ resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR; + resolved_basedir[++resolved_basedir_len] = '\0'; + } + } diff --git a/debian/patches/055-gd_safe_mode_checks.patch b/debian/patches/055-gd_safe_mode_checks.patch new file mode 100644 index 000000000..db02ad932 --- /dev/null +++ b/debian/patches/055-gd_safe_mode_checks.patch 
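Review bot: In 054-open_basedir_slash.patch the new branch stores PHP_DIR_SEPARATOR at `resolved_basedir[resolved_basedir_len]` and the terminator one byte further, with no check that the buffer has room for both. The buffer's declaration is outside the hunk; if it is a fixed-size path array that the resolver can fill to capacity, the append writes past the end, so the guard should carry the capacity as well, e.g. `if (resolved_basedir_len < sizeof(resolved_basedir) - 1 && resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {` (assuming an array, not a pointer). The same test indexes `resolved_basedir_len - 1`, which reads before the buffer when the resolved string is empty, so a length of at least 1 should be required too. A comment such as `/* keep the trailing separator so the prefix match stops at a directory boundary ("/foo/" must not match "/foobar/") */` would record the intent given in the changelog.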
@@ -0,0 +1,32 @@
+===================================================================
+RCS file: /repository/php-src/ext/gd/gd.c,v
+retrieving revision 1.294.2.12
+retrieving revision 1.294.2.13
+diff -p --unified=3 -r1.294.2.12 -r1.294.2.13
+--- php-5.0.5/ext/gd/gd.c 2005/05/06 16:49:04 1.294.2.12
++++ php-5.0.5/ext/gd/gd.c 2005/10/06 20:42:56 1.294.2.13
+@@ -1726,7 +1726,7 @@ static void _php_image_output(INTERNAL_F
+ }
+
+ if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
+- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
++ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
+ RETURN_FALSE;
+ }
+===================================================================
+RCS file: /repository/php-src/ext/gd/gd_ctx.c,v
+retrieving revision 1.20
+retrieving revision 1.20.2.1
+diff -p --unified=3 -r1.20 -r1.20.2.1
+--- php-5.0.5/ext/gd/gd_ctx.c 2004/01/28 16:25:12 1.20
++++ php-5.0.5/ext/gd/gd_ctx.c 2005/10/06 20:42:56 1.20.2.1
+@@ -82,7 +82,7 @@ static void _php_image_output_ctx(INTERN
+ }
+
+ if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
+- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
++ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
+ RETURN_FALSE;
+ }
diff --git a/debian/patches/104-64_bit_serialize.patch b/debian/patches/104-64_bit_serialize.patch
new file mode 100644
index 000000000..fb6994e33
--- /dev/null
+++ b/debian/patches/104-64_bit_serialize.patch
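Review bot: In 055-gd_safe_mode_checks.patch both added checks pass the mode string `"rb+"` to `php_checkuid` for a path that is about to be written as an image output file, in `_php_image_output` (gd.c) and again in `_php_image_output_ctx` (gd_ctx.c). How php_checkuid treats its mode argument is not visible here; if a read-style mode makes it insist on an existing file, or takes precedence over the flag, then `CHECKUID_CHECK_FILE_AND_DIR` is not the check that actually runs and writing a new image under safe_mode may be refused, so this is worth confirming and, if so, changing to a write mode or `NULL`. The identical condition now lives in two files, and a shared helper or macro would keep the open_basedir and safe_mode checks from drifting apart. Both functions continue outside the hunks, so the open that follows the check is not shown.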
@@ -0,0 +1,42 @@
+--- php-5.0.4/ext/standard/incomplete_class.c.bug34435 2004-11-25 20:28:37.000000000 +0000
++++ php-5.0.4/ext/standard/incomplete_class.c 2005-09-09 13:00:39.000000000 +0100
+@@ -122,7 +122,7 @@
+
+ /* {{{ php_lookup_class_name
+ */
+-char *php_lookup_class_name(zval *object, size_t *nlen)
++char *php_lookup_class_name(zval *object, zend_uint *nlen)
+ {
+ zval **val;
+ char *retval = NULL;
+@@ -144,7 +144,7 @@
+
+ /* {{{ php_store_class_name
+ */
+-void php_store_class_name(zval *object, const char *name, size_t len)
++void php_store_class_name(zval *object, const char *name, zend_uint len)
+ {
+ zval *val;
+ TSRMLS_FETCH();
+--- php-5.0.4/ext/standard/php_incomplete_class.h.bug34435 2005-06-29 10:29:08.000000000 +0100
++++ php-5.0.4/ext/standard/php_incomplete_class.h 2005-09-09 13:00:31.000000000 +0100
+@@ -42,7 +42,7 @@
+
+ #define PHP_CLASS_ATTRIBUTES \
+ char *class_name; \
+- size_t name_len; \
++ zend_uint name_len; \
+ zend_bool free_class_name = 0; \
+ zend_bool incomplete_class = 0
+
+@@ -55,8 +55,8 @@
+
+ zend_class_entry *php_create_incomplete_class(TSRMLS_D);
+
+-char *php_lookup_class_name(zval *object, size_t *nlen);
+-void php_store_class_name(zval *object, const char *name, size_t len);
++char *php_lookup_class_name(zval *object, zend_uint *nlen);
++void php_store_class_name(zval *object, const char *name, zend_uint len);
+
+ #ifdef __cplusplus
+ };
diff --git a/debian/patches/105-64_bit_imagettftext.patch b/debian/patches/105-64_bit_imagettftext.patch
new file mode 100644
index 000000000..15d9018fc
--- /dev/null
+++ b/debian/patches/105-64_bit_imagettftext.patch
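Review bot: In 104-64_bit_serialize.patch `php_store_class_name` now takes `zend_uint len` where it took `size_t`, so on 64-bit builds a caller that still holds the length in a `size_t` or `long` is narrowed silently at the call; the callers are outside this patch and should be checked. Nothing in the patch records why the width matters, and a comment at `PHP_CLASS_ATTRIBUTES` such as `/* name_len must stay zend_uint: its address is handed to code that writes a zend_uint */` would stop someone changing it back. That reason is inferred from the changelog's description of a 64-bit segfault, since the code consuming `name_len` is not shown. Both function bodies continue beyond the hunks.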
@@ -0,0 +1,17 @@
+===================================================================
+RCS file: /repository/php-src/ext/gd/gd.c,v
+retrieving revision 1.307
+retrieving revision 1.308
+diff -p --unified=3 -r1.307 -r1.308
+--- php-5.0.4/ext/gd/gd.c 2005/03/27 23:43:51 1.307
++++ php-5.0.4/ext/gd/gd.c 2005/04/10 21:37:16 1.308
+@@ -3109,7 +3109,8 @@ static void php_imagettftext_common(INTE
+ {
+ zval *IM, *EXT = NULL;
+ gdImagePtr im=NULL;
+- int col = -1, x = -1, y = -1, str_len, fontname_len, i, brect[8];
++ long col = -1, x = -1, y = -1;
++ int str_len, fontname_len, i, brect[8];
+ double ptsize, angle;
+ unsigned char *str = NULL, *fontname = NULL;
+ char *error = NULL; |
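Review bot: In 105-64_bit_imagettftext.patch `col`, `x` and `y` become `long` in `php_imagettftext_common`, but the rest of the function is outside the hunk, and if these values are later handed to GD routines that take `int`, anything beyond the int range is truncated silently on 64-bit. A range check or an explicit cast at that point would make the narrowing deliberate. `str_len` and `fontname_len` stay `int`, so a one-line comment such as `/* long: written by the argument parser as long; int: string lengths */` would document which width each variable must keep. The parser call and its format string are not shown, so confirm them before adding that comment.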