pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2009Q3]: pkgsrc/lang/php5 Pullup ticket #2939 - requested by taca
details: https://anonhg.NetBSD.org/pkgsrc/rev/c63b78bb04da
branches: pkgsrc-2009Q3
changeset: 565836:c63b78bb04da
user: tron <tron%pkgsrc.org@localhost>
date: Mon Nov 30 23:10:19 2009 +0000
description:
Pullup ticket #2939 - requested by taca
php5: security patch
Revisions pulled up:
- lang/php5/Makefile 1.73-1.74
- lang/php5/distinfo 1.69-1.70
- lang/php5/patches/patch-ag 1.3
- lang/php5/patches/patch-ah 1.2
- lang/php5/patches/patch-ay 1.2
- lang/php5/patches/patch-az 1.1-1.2
- lang/php5/patches/patch-ba 1.1
- lang/php5/patches/patch-bb 1.1
- lang/php5/patches/patch-bc 1.1
- lang/php5/patches/patch-bd 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Oct 22 14:49:06 UTC 2009
Modified Files:
pkgsrc/lang/php5: Makefile distinfo
Added Files:
pkgsrc/lang/php5/patches: patch-az
Log Message:
Add patch to check byte sequence more strictly in htmlspecialchars().
http://bugs.php.net/bug.php?id=49785
These are patch refrects r289411, r289554, r289565, r289567 and r289605
in PHP svn repositry.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Nov 30 06:14:08 UTC 2009
Modified Files:
pkgsrc/lang/php5: Makefile distinfo
pkgsrc/lang/php5/patches: patch-ag patch-ah patch-ay patch-az
Added Files:
pkgsrc/lang/php5/patches: patch-ba patch-bb patch-bc patch-bd
Log Message:
Add fixes for http://secunia.com/advisories/37412/ from PHP's repositry.
1. CVE-2009-3292 is already fixed in 5.2.11.
2. CVE-2009-3558
http://svn.php.net/viewvc?view=revision&revision=288934
3. CVE-2009-3557
http://svn.php.net/viewvc?view=revision&revision=288945
http://svn.php.net/viewvc?view=revision&revision=288971
4. CVE-2009-4017
http://svn.php.net/viewvc?view=revision&revision=289990
http://svn.php.net/viewvc?view=revision&revision=290820
http://svn.php.net/viewvc?view=revision&revision=290885
Other pkgsrc changes:
* Don't hardcord /usr/pkg in php.ini-dist and php.ini-recommended.
* Add comments to some of patch files.
Bump PKGREVISION.
diffstat:
lang/php5/Makefile | 19 +-
lang/php5/distinfo | 13 +-
lang/php5/patches/patch-ag | 29 ++-
lang/php5/patches/patch-ah | 27 ++-
lang/php5/patches/patch-ay | 4 +-
lang/php5/patches/patch-az | 373 +++++++++++++++++++++++++++++++++++++++++++++
lang/php5/patches/patch-ba | 17 ++
lang/php5/patches/patch-bb | 19 ++
lang/php5/patches/patch-bc | 15 +
lang/php5/patches/patch-bd | 46 +++++
10 files changed, 538 insertions(+), 24 deletions(-)
diffs (truncated from 670 to 300 lines):
diff -r e36c3713dd19 -r c63b78bb04da lang/php5/Makefile
--- a/lang/php5/Makefile Sun Nov 29 15:33:42 2009 +0000
+++ b/lang/php5/Makefile Mon Nov 30 23:10:19 2009 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.72 2009/06/09 15:15:07 sketch Exp $
+# $NetBSD: Makefile,v 1.72.4.1 2009/11/30 23:10:19 tron Exp $
PKGNAME= php-${PHP_BASE_VERS}
+PKGREVISION= 2
CATEGORIES= lang
HOMEPAGE= http://www.php.net/
COMMENT= PHP Hypertext Preprocessor version 5
@@ -36,20 +37,20 @@
CONF_FILES= ${EGDIR}/php.ini-recommended ${PKG_SYSCONFDIR}/php.ini
OWN_DIRS= ${PREFIX}/${PHP_EXTENSION_DIR}
-SUBST_CLASSES+= cgi
-SUBST_MESSAGE.cgi= Fixing CGI path.
-SUBST_STAGE.cgi= pre-configure
-SUBST_FILES.cgi= configure
-SUBST_SED.cgi= -e 's,@CGIDIR@,${CGIDIR},g'
+SUBST_CLASSES+= path
+SUBST_MESSAGE.path= Fixing common paths.
+SUBST_STAGE.path= pre-configure
+SUBST_FILES.path= configure php.ini-dist php.ini-recommended
+SUBST_SED.path= -e 's,@CGIDIR@,${CGIDIR},g'
+SUBST_SED.path+= -e 's,@PREFIX@,${PREFIX},g'
+
+INSTALLATION_DIRS+= ${CGIDIR}
# Make sure modules can link correctly
.if ${OPSYS} == "Darwin"
INSTALL_UNSTRIPPED= yes
.endif
-pre-install:
- ${INSTALL_DATA_DIR} ${DESTDIR:Q}${CGIDIR:Q}
-
post-install:
${INSTALL_PROGRAM} ${WRKSRC}/sapi/cli/php \
${DESTDIR:Q}${PREFIX:Q}/bin/php
diff -r e36c3713dd19 -r c63b78bb04da lang/php5/distinfo
--- a/lang/php5/distinfo Sun Nov 29 15:33:42 2009 +0000
+++ b/lang/php5/distinfo Mon Nov 30 23:10:19 2009 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.67.2.1 2009/10/22 21:25:08 tron Exp $
+$NetBSD: distinfo,v 1.67.2.2 2009/11/30 23:10:20 tron Exp $
SHA1 (php-5.2.11/php-5.2.11.tar.bz2) = 819c853ce657ef260d4a73b5a21f961115b97eef
RMD160 (php-5.2.11/php-5.2.11.tar.bz2) = 6aad53dee864ab89f794a9d3c2aa32d435ed5654
@@ -7,8 +7,8 @@
RMD160 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 0f6d442aace34c221f9fbff42a63e7f3b4489f15
Size (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 23050 bytes
SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
-SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
-SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587
+SHA1 (patch-ag) = 901552355a3d57d9b8e23b31cd0edfd28db8b2bb
+SHA1 (patch-ah) = 7702da73f3a457ee381542b454d19b1f4b421e01
SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
SHA1 (patch-al) = 0ee37782cc0d3bf5ede1a583de0589c2c1316b50
SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602
@@ -16,4 +16,9 @@
SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df
SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d
SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1
-SHA1 (patch-ay) = c2667dd398c1c58e55f459f2df02613dc028e9cc
+SHA1 (patch-ay) = 7ae502db6574a91fcbb487d37c14a5de644b01b6
+SHA1 (patch-az) = 04e69038e693cc72fb0f67ce04dd1778dacb1756
+SHA1 (patch-ba) = d9483f61b19c297eced12ae3d84d5163e33327b4
+SHA1 (patch-bb) = abbc8747e520d3665d3bcccf9c87741ecc6dc210
+SHA1 (patch-bc) = 9cb2e7fcd6f91d3382a69d68a80d72fdb8fbf2a7
+SHA1 (patch-bd) = 85c891ada42c062b365051b43a3b53c33fa39a92
diff -r e36c3713dd19 -r c63b78bb04da lang/php5/patches/patch-ag
--- a/lang/php5/patches/patch-ag Sun Nov 29 15:33:42 2009 +0000
+++ b/lang/php5/patches/patch-ag Mon Nov 30 23:10:19 2009 +0000
@@ -1,8 +1,21 @@
-$NetBSD: patch-ag,v 1.2 2006/02/06 06:39:59 martti Exp $
+$NetBSD: patch-ag,v 1.2.34.1 2009/11/30 23:10:20 tron Exp $
+
+* Ajust for pkgsrc.
+* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
+ http://svn.php.net/viewvc?view=revision&revision=289990
---- php.ini-dist.orig 2005-12-30 19:15:55.000000000 +0200
-+++ php.ini-dist 2006-02-05 15:36:13.000000000 +0200
-@@ -457,8 +457,9 @@
+--- php.ini-dist.orig 2009-02-14 01:55:18.000000000 +0900
++++ php.ini-dist
+@@ -471,7 +471,7 @@ default_mimetype = "text/html"
+ ;;;;;;;;;;;;;;;;;;;;;;;;;
+
+ ; UNIX: "/path1:/path2"
+-;include_path = ".:/php/includes"
++include_path = ".:@PREFIX@/lib/php"
+ ;
+ ; Windows: "\path1;\path2"
+ ;include_path = ".;c:\php\includes"
+@@ -487,8 +487,9 @@ doc_root =
; if nonempty.
user_dir =
@@ -14,7 +27,7 @@
; Whether or not to enable the dl() function. The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -508,7 +509,7 @@
+@@ -546,11 +547,13 @@ file_uploads = On
; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
@@ -23,3 +36,9 @@
; Maximum allowed size for uploaded files.
upload_max_filesize = 2M
+
++; Maximum number of files that can be uploaded via a single request
++max_file_uploads = 100
+
+ ;;;;;;;;;;;;;;;;;;
+ ; Fopen wrappers ;
diff -r e36c3713dd19 -r c63b78bb04da lang/php5/patches/patch-ah
--- a/lang/php5/patches/patch-ah Sun Nov 29 15:33:42 2009 +0000
+++ b/lang/php5/patches/patch-ah Mon Nov 30 23:10:19 2009 +0000
@@ -1,8 +1,21 @@
-$NetBSD: patch-ah,v 1.1 2005/12/06 08:32:22 jdolecek Exp $
+$NetBSD: patch-ah,v 1.1.36.1 2009/11/30 23:10:20 tron Exp $
+
+* Ajust for pkgsrc.
+* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
+ http://svn.php.net/viewvc?view=revision&revision=289990
---- php.ini-recommended.orig 2005-11-15 00:14:23.000000000 +0100
+--- php.ini-recommended.orig 2009-03-02 13:44:35.000000000 +0900
+++ php.ini-recommended
-@@ -515,8 +515,9 @@ doc_root =
+@@ -522,7 +522,7 @@ default_mimetype = "text/html"
+ ;;;;;;;;;;;;;;;;;;;;;;;;;
+
+ ; UNIX: "/path1:/path2"
+-;include_path = ".:/php/includes"
++include_path = ".:@PREFIX@/lib/php"
+ ;
+ ; Windows: "\path1;\path2"
+ ;include_path = ".;c:\php\includes"
+@@ -538,8 +538,9 @@ doc_root =
; if nonempty.
user_dir =
@@ -14,7 +27,7 @@
; Whether or not to enable the dl() function. The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -566,7 +567,7 @@ file_uploads = On
+@@ -597,11 +598,13 @@ file_uploads = On
; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
@@ -23,3 +36,9 @@
; Maximum allowed size for uploaded files.
upload_max_filesize = 2M
+
++; Maximum number of files that can be uploaded via a single request
++max_file_uploads = 100
+
+ ;;;;;;;;;;;;;;;;;;
+ ; Fopen wrappers ;
diff -r e36c3713dd19 -r c63b78bb04da lang/php5/patches/patch-ay
--- a/lang/php5/patches/patch-ay Sun Nov 29 15:33:42 2009 +0000
+++ b/lang/php5/patches/patch-ay Mon Nov 30 23:10:19 2009 +0000
@@ -1,7 +1,7 @@
-$NetBSD: patch-ay,v 1.1.2.2 2009/10/22 21:25:08 tron Exp $
+$NetBSD: patch-ay,v 1.1.2.3 2009/11/30 23:10:20 tron Exp $
* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
- from PHP's SVN repositry r289557.
+ http://svn.php.net/viewvc?view=revision&revision=289557
--- ext/gd/libgd/gd_gd.c.orig 2007-08-09 23:21:38.000000000 +0900
+++ ext/gd/libgd/gd_gd.c
diff -r e36c3713dd19 -r c63b78bb04da lang/php5/patches/patch-az
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php5/patches/patch-az Mon Nov 30 23:10:19 2009 +0000
@@ -0,0 +1,373 @@
+$NetBSD$
+
+* Fix for htmlspecialchars():
+ http://svn.php.net/viewvc?view=revision&revision=289411
+ http://svn.php.net/viewvc?view=revision&revision=289554
+ http://svn.php.net/viewvc?view=revision&revision=289565
+ http://svn.php.net/viewvc?view=revision&revision=289567
+ http://svn.php.net/viewvc?view=revision&revision=289605
+
+--- ext/standard/html.c.orig 2008-12-31 20:17:49.000000000 +0900
++++ ext/standard/html.c
+@@ -484,15 +484,31 @@ struct basic_entities_dec {
+ } \
+ mbseq[mbpos++] = (mbchar); }
+
+-#define CHECK_LEN(pos, chars_need) \
+- if((str_len - (pos)) < chars_need) { \
+- *status = FAILURE; \
+- return 0; \
++/* skip one byte and return */
++#define MB_FAILURE(pos) do { \
++ *newpos = pos + 1; \
++ *status = FAILURE; \
++ return 0; \
++ } while (0)
++
++#define CHECK_LEN(pos, chars_need) \
++ if (chars_need < 1) { \
++ if((str_len - (pos)) < chars_need) { \
++ *newpos = pos; \
++ *status = FAILURE; \
++ return 0; \
++ } \
++ } else { \
++ if((str_len - (pos)) < chars_need) { \
++ *newpos = pos + 1; \
++ *status = FAILURE; \
++ return 0; \
++ } \
+ }
+
+ /* {{{ get_next_char
+ */
+-inline static unsigned short get_next_char(enum entity_charset charset,
++inline static unsigned int get_next_char(enum entity_charset charset,
+ unsigned char * str,
+ int str_len,
+ int * newpos,
+@@ -503,205 +519,189 @@ inline static unsigned short get_next_ch
+ int pos = *newpos;
+ int mbpos = 0;
+ int mbspace = *mbseqlen;
+- unsigned short this_char = str[pos++];
++ unsigned int this_char = 0;
+ unsigned char next_char;
+
+ *status = SUCCESS;
+-
++
+ if (mbspace <= 0) {
+ *mbseqlen = 0;
+- return this_char;
++ CHECK_LEN(pos, 1);
++ *newpos = pos + 1;
++ *newpos = pos + 1;
+ }
+-
+- MB_WRITE((unsigned char)this_char);
+-
++
+ switch (charset) {
+ case cs_utf_8:
+ {
+- unsigned long utf = 0;
+- int stat = 0;
+- int more = 1;
+-
+- /* unpack utf-8 encoding into a wide char.
+- * Code stolen from the mbstring extension */
+-
+- do {
+- if (this_char < 0x80) {
+- more = 0;
+- if(stat) {
+- /* we didn't finish the UTF sequence correctly */
+- *status = FAILURE;
+- }
+- break;
+- } else if (this_char < 0xc0) {
+- switch (stat) {
+- case 0x10: /* 2, 2nd */
+- case 0x21: /* 3, 3rd */
+- case 0x32: /* 4, 4th */
+- case 0x43: /* 5, 5th */
+- case 0x54: /* 6, 6th */
+- /* last byte in sequence */
+- more = 0;
+- utf |= (this_char & 0x3f);
+- this_char = (unsigned short)utf;
+- break;
+- case 0x20: /* 3, 2nd */
+- case 0x31: /* 4, 3rd */
+- case 0x42: /* 5, 4th */
+- case 0x53: /* 6, 5th */
+- /* penultimate char */
+- utf |= ((this_char & 0x3f) << 6);
+- stat++;
+- break;
+- case 0x30: /* 4, 2nd */
+- case 0x41: /* 5, 3rd */
+- case 0x52: /* 6, 4th */
+- utf |= ((this_char & 0x3f) << 12);
+- stat++;
+- break;
+- case 0x40: /* 5, 2nd */
+- case 0x51:
Home |
Main Index |
Thread Index |
Old Index