pkgsrc-Changes-HG archive
[pkgsrc/pkgsrc-2006Q1]: pkgsrc Pullup ticket 1406 - requested by cube
details: https://anonhg.NetBSD.org/pkgsrc/rev/66420bc7d765
branches: pkgsrc-2006Q1
changeset: 510222:66420bc7d765
user: salo <salo%pkgsrc.org@localhost>
date: Wed Apr 19 00:12:27 2006 +0000
description:
Pullup ticket 1406 - requested by cube
security fixes for php
Revisions pulled up:
- pkgsrc/lang/php5/Makefile 1.29
- pkgsrc/lang/php5/Makefile.php 1.18
- pkgsrc/lang/php5/distinfo 1.15
- pkgsrc/lang/php5/patches/patch-ap 1.1
- pkgsrc/lang/php5/patches/patch-aq 1.1
- pkgsrc/lang/php5/patches/patch-ar 1.1
- pkgsrc/www/php4/Makefile 1.63
- pkgsrc/www/php4/distinfo 1.52
- pkgsrc/www/php4/patches/patch-aq 1.1
- pkgsrc/www/php4/patches/patch-ar 1.1
- pkgsrc/www/php4/patches/patch-as 1.1
- pkgsrc/www/ap-php/Makefile 1.9
Module Name: pkgsrc
Committed By: cube
Date: Fri Apr 14 13:47:30 UTC 2006
Modified Files:
pkgsrc/lang/php5: Makefile Makefile.php distinfo
pkgsrc/www/ap-php: Makefile
pkgsrc/www/php4: Makefile distinfo
Log Message:
PHP4/5 security changes... They're not critical issues; secunia classes
them between "not critical" and "less critical".
Fix CVE-2006-0996, CVE-2006-1494, CVE-2006-1608, CVE-2006-1490.
See:
http://secunia.com/advisories/19383/
http://secunia.com/advisories/19599/
Patches were extracted from CVS. I had to translate the one for
CVE-2006-1608 on php4 because it has not made its way to the php4.4 branch
(I don't know why; I can confirm it fixes the issue).
While here, add PATCHDIR to the list of variables php5's Makefile.php
defines. That way, ap-php gets patched too...
---
Module Name: pkgsrc
Committed By: cube
Date: Fri Apr 14 13:48:33 UTC 2006
Added Files:
pkgsrc/lang/php5/patches: patch-ap patch-aq patch-ar
pkgsrc/www/php4/patches: patch-aq patch-ar patch-as
Log Message:
The actual patches for PHP4/5.
diffstat:
lang/php5/Makefile | 4 +-
lang/php5/Makefile.php | 3 +-
lang/php5/distinfo | 5 +++-
lang/php5/patches/patch-ap | 13 +++++++++
lang/php5/patches/patch-aq | 45 +++++++++++++++++++++++++++++++++
lang/php5/patches/patch-ar | 61 ++++++++++++++++++++++++++++++++++++++++++++++
www/ap-php/Makefile | 4 +-
www/php4/Makefile | 3 +-
www/php4/distinfo | 5 +++-
www/php4/patches/patch-aq | 13 +++++++++
www/php4/patches/patch-ar | 55 +++++++++++++++++++++++++++++++++++++++++
www/php4/patches/patch-as | 43 ++++++++++++++++++++++++++++++++
12 files changed, 246 insertions(+), 8 deletions(-)
diffs (truncated from 340 to 300 lines):
diff -r 90b997f8b128 -r 66420bc7d765 lang/php5/Makefile
--- a/lang/php5/Makefile Tue Apr 18 23:31:30 2006 +0000
+++ b/lang/php5/Makefile Wed Apr 19 00:12:27 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.28 2006/02/17 09:48:01 adam Exp $
+# $NetBSD: Makefile,v 1.28.2.1 2006/04/19 00:12:27 salo Exp $
PKGNAME= php-${PHP_BASE_VERS}
-#PKGREVISION= 1
+PKGREVISION= 1
CATEGORIES= lang
HOMEPAGE= http://www.php.net/
diff -r 90b997f8b128 -r 66420bc7d765 lang/php5/Makefile.php
--- a/lang/php5/Makefile.php Tue Apr 18 23:31:30 2006 +0000
+++ b/lang/php5/Makefile.php Wed Apr 19 00:12:27 2006 +0000
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile.php,v 1.17 2005/12/05 23:55:10 rillig Exp $
+# $NetBSD: Makefile.php,v 1.17.4.1 2006/04/19 00:12:27 salo Exp $
#
.include "../../lang/php5/Makefile.common"
DISTINFO_FILE= ${.CURDIR}/../../lang/php5/distinfo
+PATCHDIR= ${.CURDIR}/../../lang/php5/patches
BUILD_DEFS+= USE_INET6
diff -r 90b997f8b128 -r 66420bc7d765 lang/php5/distinfo
--- a/lang/php5/distinfo Tue Apr 18 23:31:30 2006 +0000
+++ b/lang/php5/distinfo Wed Apr 19 00:12:27 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2006/02/06 06:39:59 martti Exp $
+$NetBSD: distinfo,v 1.14.2.1 2006/04/19 00:12:27 salo Exp $
SHA1 (php-5.1.2.tar.bz2) = f6acc67c293345ad22065768f3049834cb8a912e
RMD160 (php-5.1.2.tar.bz2) = 1e21b5ba280b7efc8197802c673bb5d4e9dc9f8e
@@ -8,3 +8,6 @@
SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
SHA1 (patch-ak) = 2d5264d33ebef631d4a2d0cdf8a2ed365bdbeb7e
SHA1 (patch-ao) = 60fec83647ca5924a38bf4d5e8abb51feba1620e
+SHA1 (patch-ap) = 79bb4da2c98cc5dc43e66d1a7a940b34401b3811
+SHA1 (patch-aq) = 3dede277476e99d927a5333d82ae9096b96e58f7
+SHA1 (patch-ar) = 819b84c4dbb9973159d2c2fe11f77044f6b4d0b9
diff -r 90b997f8b128 -r 66420bc7d765 lang/php5/patches/patch-ap
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php5/patches/patch-ap Wed Apr 19 00:12:27 2006 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ap,v 1.1.2.2 2006/04/19 00:12:27 salo Exp $
+
+--- ext/standard/html.c.orig 2006-01-01 13:50:14.000000000 +0100
++++ ext/standard/html.c
+@@ -884,7 +884,7 @@ PHPAPI char *php_unescape_html_entities(
+ unsigned char replacement[15];
+ int replacement_len;
+
+- ret = estrdup(old);
++ ret = estrndup(old, oldlen);
+ retlen = oldlen;
+ if (!retlen) {
+ goto empty_source;
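Review bot: The patch file has no comment under its `$NetBSD$` tag saying which of the four CVEs in the log message it addresses (presumably CVE-2006-1490, to be confirmed against the advisory), which makes later audits of the pullup harder. The reason for the change is also worth recording there: `estrdup(old)` stops at the first NUL byte while the next line sets `retlen = oldlen`, so an input with an embedded NUL left `ret` shorter than the length the rest of the function trusts. A header line such as `Copy oldlen bytes so ret matches retlen when the input contains NUL bytes.` would cover it. The same applies to www/php4/patches/patch-aq, and php_unescape_html_entities continues outside the hunk.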
diff -r 90b997f8b128 -r 66420bc7d765 lang/php5/patches/patch-aq
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php5/patches/patch-aq Wed Apr 19 00:12:27 2006 +0000
@@ -0,0 +1,45 @@
+$NetBSD: patch-aq,v 1.1.2.2 2006/04/19 00:12:27 salo Exp $
+
+--- ext/standard/file.c.orig 2006-01-01 13:50:14.000000000 +0100
++++ ext/standard/file.c
+@@ -773,8 +773,9 @@ PHP_FUNCTION(tempnam)
+ zval **arg1, **arg2;
+ char *d;
+ char *opened_path;
+- char p[64];
++ char *p;
+ int fd;
++ size_t p_len;
+
+ if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
+ WRONG_PARAM_COUNT;
+@@ -787,7 +788,11 @@ PHP_FUNCTION(tempnam)
+ }
+
+ d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
+- strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));
++
++ php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0, &p, &p_len TSRMLS_CC);
++ if (p_len > 64) {
++ p[63] = '\0';
++ }
+
+ if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) {
+ close(fd);
+@@ -795,6 +800,7 @@ PHP_FUNCTION(tempnam)
+ } else {
+ RETVAL_FALSE;
+ }
++ efree(p);
+ efree(d);
+ }
+ /* }}} */
+@@ -1756,7 +1762,7 @@ no_stat:
+ }
+ safe_to_copy:
+
+- srcstream = php_stream_open_wrapper(src, "rb", STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS, NULL);
++ srcstream = php_stream_open_wrapper(src, "rb", ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
+
+ if (!srcstream) {
+ return ret;
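Review bot: The truncation guard in the tempnam hunk is off by one relative to the `char p[64]` buffer it replaces: `if (p_len > 64)` leaves a 64-character prefix untouched while anything longer is cut to 63, whereas the old `strlcpy(p, ..., sizeof(p))` capped every prefix at 63 characters. Writing it as `if (p_len >= 64) { p[63] = '\0'; }` would make the limit uniform. This is an inconsistency, not a memory-safety problem, provided php_basename allocates at least `p_len + 1` bytes, which is not visible on this page. Both PHP_FUNCTION(tempnam) and the copy routine around `safe_to_copy:` continue outside the hunks shown.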
diff -r 90b997f8b128 -r 66420bc7d765 lang/php5/patches/patch-ar
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php5/patches/patch-ar Wed Apr 19 00:12:27 2006 +0000
@@ -0,0 +1,61 @@
+$NetBSD: patch-ar,v 1.1.2.2 2006/04/19 00:12:27 salo Exp $
+
+--- ext/standard/info.c.orig 2006-04-14 14:03:22.000000000 +0200
++++ ext/standard/info.c
+@@ -58,6 +58,23 @@ ZEND_EXTERN_MODULE_GLOBALS(iconv)
+
+ PHPAPI extern char *php_ini_opened_path;
+ PHPAPI extern char *php_ini_scanned_files;
++
++static int php_info_write_wrapper(const char *str, uint str_length)
++{
++ int new_len, written;
++ char *elem_esc;
++
++ TSRMLS_FETCH();
++
++ elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
++
++ written = php_body_write(elem_esc, new_len TSRMLS_CC);
++
++ efree(elem_esc);
++
++ return written;
++}
++
+
+ /* {{{ _display_module_info
+ */
+@@ -135,30 +152,13 @@ static void php_print_gpcse_array(char *
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+- zval *tmp3;
+-
+- MAKE_STD_ZVAL(tmp3);
+-
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+- }
+- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+-
+- zend_print_zval_r(*tmp, 0 TSRMLS_CC);
+-
+- php_ob_get_buffer(tmp3 TSRMLS_CC);
+- php_end_ob_buffer(0, 0 TSRMLS_CC);
+-
+- if (!sapi_module.phpinfo_as_text) {
+- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+- PUTS(elem_esc);
+- efree(elem_esc);
++ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
+ PUTS("</pre>");
+ } else {
+- PUTS(Z_STRVAL_P(tmp3));
++ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
+ }
+- zval_ptr_dtor(&tmp3);
+-
+ } else if (Z_TYPE_PP(tmp) != IS_STRING) {
+ tmp2 = **tmp;
+ zval_copy_ctor(&tmp2);
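Review bot: The HTML branch now prints arrays through `zend_print_zval_ex`, while the text branch and the removed code use `zend_print_zval_r`, so the two branches may no longer produce the same dump. Whether the `_ex` variant recurses into the array the way `zend_print_zval_r` does is not visible on this page; if it does not, nested request data would render as a flat placeholder in HTML mode, so this is worth confirming against the Zend headers. Separately, `php_info_write_wrapper` has no comment, and something like `/* write callback: HTML-escape each chunk before it reaches the phpinfo() page */` above it would record why the output is routed through it. The same code appears in www/php4/patches/patch-ar, and php_print_gpcse_array continues outside the hunk.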
diff -r 90b997f8b128 -r 66420bc7d765 www/ap-php/Makefile
--- a/www/ap-php/Makefile Tue Apr 18 23:31:30 2006 +0000
+++ b/www/ap-php/Makefile Wed Apr 19 00:12:27 2006 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.8 2006/02/05 23:11:17 joerg Exp $
+# $NetBSD: Makefile,v 1.8.2.1 2006/04/19 00:12:27 salo Exp $
#
PKGNAME= ap-php-${PHP_BASE_VERS}
-PKGREVISION= 5
+PKGREVISION= 6
COMMENT= Apache (${PKG_APACHE}) module for ${PKG_PHP}
APACHE_MODULE= YES
diff -r 90b997f8b128 -r 66420bc7d765 www/php4/Makefile
--- a/www/php4/Makefile Tue Apr 18 23:31:30 2006 +0000
+++ b/www/php4/Makefile Wed Apr 19 00:12:27 2006 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.62 2006/03/03 07:11:34 cube Exp $
+# $NetBSD: Makefile,v 1.62.2.1 2006/04/19 00:12:27 salo Exp $
PKGNAME= php-${PHP_BASE_VERS}
+PKGREVISION= 1
CATEGORIES+= lang
COMMENT= HTML-embedded scripting language
diff -r 90b997f8b128 -r 66420bc7d765 www/php4/distinfo
--- a/www/php4/distinfo Tue Apr 18 23:31:30 2006 +0000
+++ b/www/php4/distinfo Wed Apr 19 00:12:27 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.51 2006/03/06 15:57:58 cube Exp $
+$NetBSD: distinfo,v 1.51.2.1 2006/04/19 00:12:27 salo Exp $
SHA1 (php-4.4.2.tar.bz2) = 88f2e9efff0add8d8e3034d4ce3a948429b88756
RMD160 (php-4.4.2.tar.bz2) = cbef0fa4e233529422bc0944dcfb79d866013f5e
@@ -13,3 +13,6 @@
SHA1 (patch-al) = 28ad9006b387e2b9984ad49beea21c9d46e63b46
SHA1 (patch-ao) = cd30bbff10f1d045c829f72d94304c9dcf202fc6
SHA1 (patch-ap) = 2f852abd1e9d0f089add18b2eade2831253ad00e
+SHA1 (patch-aq) = 00f410eb61624aee0c68d2fd6802a6be7adb373e
+SHA1 (patch-ar) = 5606c1ec5a7afaeda2e3cc7879cc0caa4f86ca68
+SHA1 (patch-as) = 7987c293d2290aa5e68fba87d0aa759797ace40d
diff -r 90b997f8b128 -r 66420bc7d765 www/php4/patches/patch-aq
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/php4/patches/patch-aq Wed Apr 19 00:12:27 2006 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-aq,v 1.1.2.2 2006/04/19 00:12:27 salo Exp $
+
+--- ext/standard/html.c.orig 2006-01-01 14:46:57.000000000 +0100
++++ ext/standard/html.c
+@@ -793,7 +793,7 @@ PHPAPI char *php_unescape_html_entities(
+ enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC);
+ unsigned char replacement[15];
+
+- ret = estrdup(old);
++ ret = estrndup(old, oldlen);
+ retlen = oldlen;
+ if (!retlen) {
+ goto empty_source;
diff -r 90b997f8b128 -r 66420bc7d765 www/php4/patches/patch-ar
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/php4/patches/patch-ar Wed Apr 19 00:12:27 2006 +0000
@@ -0,0 +1,55 @@
+$NetBSD: patch-ar,v 1.1.2.2 2006/04/19 00:12:27 salo Exp $
+
+--- ext/standard/info.c.orig 2006-01-01 14:46:57.000000000 +0100
++++ ext/standard/info.c
+@@ -58,6 +58,23 @@ ZEND_EXTERN_MODULE_GLOBALS(iconv)
+
+ PHPAPI extern char *php_ini_opened_path;
+ PHPAPI extern char *php_ini_scanned_files;
++
++static int php_info_write_wrapper(const char *str, uint str_length)
++{
++ int new_len, written;
++ char *elem_esc;
++
++ TSRMLS_FETCH();
++
++ elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
++
++ written = php_body_write(elem_esc, new_len TSRMLS_CC);
++
++ efree(elem_esc);
++
++ return written;
++}
++
+
+ /* {{{ _display_module_info
+ */
+@@ -133,23 +150,12 @@ static void php_print_gpcse_array(char *
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+- zval *tmp3;
+- MAKE_STD_ZVAL(tmp3);
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+- }
+- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+- zend_print_zval_r(*tmp, 0);
+- php_ob_get_buffer(tmp3 TSRMLS_CC);
+- php_end_ob_buffer(0, 0 TSRMLS_CC);
+-
+- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+- PUTS(elem_esc);
+- efree(elem_esc);
+- zval_ptr_dtor(&tmp3);
+-
+- if (!sapi_module.phpinfo_as_text) {
++ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
+ PUTS("</pre>");
++ } else {
++ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
+ }
+ } else if (Z_TYPE_PP(tmp) != IS_STRING) {
+ tmp2 = **tmp;
diff -r 90b997f8b128 -r 66420bc7d765 www/php4/patches/patch-as
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/php4/patches/patch-as Wed Apr 19 00:12:27 2006 +0000
@@ -0,0 +1,43 @@
+$NetBSD: patch-as,v 1.1.2.2 2006/04/19 00:12:27 salo Exp $
+
+--- ext/standard/file.c.orig 2006-01-01 14:46:57.000000000 +0100