pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/lang/php53 - GC bug fix: http://svn.php.net/viewvc?vie...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/9b55c7c0e775
branches:  trunk
changeset: 582667:9b55c7c0e775
user:      taca <taca%pkgsrc.org@localhost>
date:      Thu Nov 25 03:43:50 2010 +0000

description:
- GC bug fix: http://svn.php.net/viewvc?view=revision&revision=303016
- CVE-2010-3710 (a part of SA41724)
        http://svn.php.net/viewvc?view=revision&revision=303779
- CVE-2010-3870 (a part of SA41724)
        http://svn.php.net/viewvc?view=revision&revision=304959
- CVE-2010-4150 (php-imap)
        http://svn.php.net/viewvc?view=revision&revision=305032
- CVE-2010-4156 (SA42135)
        http://svn.php.net/viewvc?view=revision&revision=305214

Bump PKGREVISION.

diffstat:

 lang/php53/Makefile         |    3 +-
 lang/php53/distinfo         |    7 +-
 lang/php53/patches/patch-am |   65 +++++++++++++++++
 lang/php53/patches/patch-an |   20 +++++
 lang/php53/patches/patch-ao |  166 ++++++++++++++++++++++++++++++++++++++++++++
 lang/php53/patches/patch-ap |   20 +++++
 lang/php53/patches/patch-aq |   19 +++++
 7 files changed, 298 insertions(+), 2 deletions(-)

diffs (truncated from 343 to 300 lines):

diff -r 00ac59c99212 -r 9b55c7c0e775 lang/php53/Makefile
--- a/lang/php53/Makefile       Thu Nov 25 01:16:39 2010 +0000
+++ b/lang/php53/Makefile       Thu Nov 25 03:43:50 2010 +0000
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.4 2010/07/24 22:23:37 tron Exp $
+# $NetBSD: Makefile,v 1.5 2010/11/25 03:43:50 taca Exp $
 
 #
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
 #
 PKGNAME=               php-${PHP_BASE_VERS}
+PKGREVISION=           1
 CATEGORIES=            lang
 HOMEPAGE=              http://www.php.net/
 COMMENT=               PHP Hypertext Preprocessor version 5
diff -r 00ac59c99212 -r 9b55c7c0e775 lang/php53/distinfo
--- a/lang/php53/distinfo       Thu Nov 25 01:16:39 2010 +0000
+++ b/lang/php53/distinfo       Thu Nov 25 03:43:50 2010 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2010/07/24 22:23:37 tron Exp $
+$NetBSD: distinfo,v 1.7 2010/11/25 03:43:50 taca Exp $
 
 SHA1 (php-5.3.3/php-5.3.3.tar.bz2) = 9f66716b341119e4e4f8fe3d81b7d0a5daf3cbc8
 RMD160 (php-5.3.3/php-5.3.3.tar.bz2) = 9edb51663feac9b787f8382012893f1ac98fec6a
@@ -17,3 +17,8 @@
 SHA1 (patch-ai) = d4766893a2c47a4e4a744248dda265b0a9a66a1f
 SHA1 (patch-aj) = d611d13fcc28c5d2b9e9586832ce4b8ae5707b48
 SHA1 (patch-al) = fbbee5502e0cd1c47c6e7c15e0d54746414ec32e
+SHA1 (patch-am) = b2627295554d6e3cbe7de70e79ae0938379f8d93
+SHA1 (patch-an) = d4ac5152584450d731b4c5ccb82ee84a8eed5071
+SHA1 (patch-ao) = 6871d0a2b3bca1deec6b309e90e1c109a4758a21
+SHA1 (patch-ap) = d54c00968ab581f8442b087a7ece42c827ff47f5
+SHA1 (patch-aq) = 3f541181fcaa8bc2a20bd719a9c71b0cccd411d6
diff -r 00ac59c99212 -r 9b55c7c0e775 lang/php53/patches/patch-am
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php53/patches/patch-am       Thu Nov 25 03:43:50 2010 +0000
@@ -0,0 +1,65 @@
+$NetBSD: patch-am,v 1.1 2010/11/25 03:43:50 taca Exp $
+
+GC bug fix: http://svn.php.net/viewvc?view=revision&revision=303016
+
+--- Zend/zend_gc.c.orig        2010-04-01 22:54:03.000000000 +0000
++++ Zend/zend_gc.c
+@@ -414,19 +414,21 @@ static void gc_mark_roots(TSRMLS_D)
+       gc_root_buffer *current = GC_G(roots).next;
+ 
+       while (current != &GC_G(roots)) {
+-              if (current->handle && EG(objects_store).object_buckets) {
+-                      struct _store_object *obj = &EG(objects_store).object_buckets[current->handle].bucket.obj;
++              if (current->handle) {
++                      if (EG(objects_store).object_buckets) {
++                              struct _store_object *obj = &EG(objects_store).object_buckets[current->handle].bucket.obj;
+ 
+-                      if (GC_GET_COLOR(obj->buffered) == GC_PURPLE) {
+-                              zval z;
++                              if (GC_GET_COLOR(obj->buffered) == GC_PURPLE) {
++                                      zval z;
+ 
+-                              INIT_PZVAL(&z);
+-                              Z_OBJ_HANDLE(z) = current->handle;
+-                              Z_OBJ_HT(z) = current->u.handlers;
+-                              zobj_mark_grey(obj, &z TSRMLS_CC);
+-                      } else {
+-                              GC_SET_ADDRESS(obj->buffered, NULL);
+-                              GC_REMOVE_FROM_BUFFER(current);
++                                      INIT_PZVAL(&z);
++                                      Z_OBJ_HANDLE(z) = current->handle;
++                                      Z_OBJ_HT(z) = current->u.handlers;
++                                      zobj_mark_grey(obj, &z TSRMLS_CC);
++                              } else {
++                                      GC_SET_ADDRESS(obj->buffered, NULL);
++                                      GC_REMOVE_FROM_BUFFER(current);
++                              }
+                       }
+               } else {
+                       if (GC_ZVAL_GET_COLOR(current->u.pz) == GC_PURPLE) {
+@@ -623,15 +625,17 @@ static void gc_collect_roots(TSRMLS_D)
+       gc_root_buffer *current = GC_G(roots).next;
+ 
+       while (current != &GC_G(roots)) {
+-              if (current->handle && EG(objects_store).object_buckets) {
+-                      struct _store_object *obj = &EG(objects_store).object_buckets[current->handle].bucket.obj;
+-                      zval z;
++              if (current->handle) {
++                      if (EG(objects_store).object_buckets) {
++                              struct _store_object *obj = &EG(objects_store).object_buckets[current->handle].bucket.obj;
++                              zval z;
+ 
+-                      GC_SET_ADDRESS(obj->buffered, NULL);
+-                      INIT_PZVAL(&z);
+-                      Z_OBJ_HANDLE(z) = current->handle;
+-                      Z_OBJ_HT(z) = current->u.handlers;
+-                      zobj_collect_white(&z TSRMLS_CC);
++                              GC_SET_ADDRESS(obj->buffered, NULL);
++                              INIT_PZVAL(&z);
++                              Z_OBJ_HANDLE(z) = current->handle;
++                              Z_OBJ_HT(z) = current->u.handlers;
++                              zobj_collect_white(&z TSRMLS_CC);
++                      }
+               } else {
+                       GC_ZVAL_SET_ADDRESS(current->u.pz, NULL);
+                       zval_collect_white(current->u.pz TSRMLS_CC);
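Review bot: In both gc_mark_roots and gc_collect_roots the reason for splitting the `current->handle && EG(objects_store).object_buckets` test is not recorded, although it is the whole point of the change. With the old combined condition, a root that has a handle but finds `object_buckets` NULL fell into the `else` branch, which reads `current->u.pz` even though the object path uses the same `u` member as `current->u.handlers`, so the entry was presumably treated as a zval it is not. A comment above the inner test would keep a later cleanup from re-merging the two conditions, e.g. `/* object root: never fall through to the zval branch, u holds handlers here */`. In the new gc_mark_roots, an object root seen while `object_buckets` is NULL is neither marked nor removed from the buffer; the loop tail is outside the hunk, so confirm that leaving it queued is intended. Both function bodies start and end outside the hunks.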
diff -r 00ac59c99212 -r 9b55c7c0e775 lang/php53/patches/patch-an
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php53/patches/patch-an       Thu Nov 25 03:43:50 2010 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-an,v 1.1 2010/11/25 03:43:50 taca Exp $
+
+Fix for CVE-2010-3710 (a part of http://secunia.com/advisories/41724/):
+
+       http://svn.php.net/viewvc?view=revision&revision=303779
+
+--- ext/filter/logical_filters.c.orig  2010-04-02 18:27:48.000000000 +0000
++++ ext/filter/logical_filters.c
+@@ -531,6 +531,11 @@ void php_filter_validate_email(PHP_INPUT
+       int         matches;
+ 
+ 
++      /* The maximum length of an e-mail address is 320 octets, per RFC 2821. */
++      if (Z_STRLEN_P(value) > 320) {
++              RETURN_VALIDATION_FAILED
++      }
++
+       re = pcre_get_compiled_regex((char *)regexp, &pcre_extra, &preg_options TSRMLS_CC);
+       if (!re) {
+               RETURN_VALIDATION_FAILED
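Review bot: The comment on the new length check in php_filter_validate_email gives the RFC figure but not why the check has to sit before `pcre_get_compiled_regex` and the match that follows. The patch header ties this to CVE-2010-3710, so the cap is presumably what bounds the work the regex does on caller-supplied input, and that ordering constraint deserves a line of its own, e.g. `/* Must run before the PCRE match: bounds regex work on untrusted input (CVE-2010-3710). */`. The literal 320 appears in both the comment and the condition; a named constant would keep the two from drifting apart. The function body starts and ends outside the hunk.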
diff -r 00ac59c99212 -r 9b55c7c0e775 lang/php53/patches/patch-ao
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php53/patches/patch-ao       Thu Nov 25 03:43:50 2010 +0000
@@ -0,0 +1,166 @@
+$NetBSD: patch-ao,v 1.1 2010/11/25 03:43:50 taca Exp $
+
+Fix for CVE-2010-3870 (a part of http://secunia.com/advisories/41724/):
+
+       http://svn.php.net/viewvc?view=revision&revision=304959
+
+--- ext/xml/xml.c.orig 2010-01-05 13:03:40.000000000 +0000
++++ ext/xml/xml.c
+@@ -659,10 +659,111 @@ PHPAPI char *xml_utf8_encode(const char 
+ }
+ /* }}} */
+ 
++/* copied from trunk's implementation of get_next_char in ext/standard/html.c */
++#define MB_FAILURE(pos, advance) do { \
++      *cursor = pos + (advance); \
++      *status = FAILURE; \
++      return 0; \
++} while (0)
++
++#define CHECK_LEN(pos, chars_need) ((str_len - (pos)) >= (chars_need))
++#define utf8_lead(c)  ((c) < 0x80 || ((c) >= 0xC2 && (c) <= 0xF4))
++#define utf8_trail(c) ((c) >= 0x80 && (c) <= 0xBF)
++
++/* {{{ php_next_utf8_char
++ */
++static inline unsigned int php_next_utf8_char(
++              const unsigned char *str,
++              size_t str_len,
++              size_t *cursor,
++              int *status)
++{
++      size_t pos = *cursor;
++      unsigned int this_char = 0;
++      unsigned char c;
++
++      *status = SUCCESS;
++
++      if (!CHECK_LEN(pos, 1))
++              MB_FAILURE(pos, 1);
++
++      /* We'll follow strategy 2. from section 3.6.1 of UTR #36:
++              * "In a reported illegal byte sequence, do not include any
++              *  non-initial byte that encodes a valid character or is a leading
++              *  byte for a valid sequence.» */
++      c = str[pos];
++      if (c < 0x80) {
++              this_char = c;
++              pos++;
++      } else if (c < 0xc2) {
++              MB_FAILURE(pos, 1);
++      } else if (c < 0xe0) {
++              if (!CHECK_LEN(pos, 2))
++                      MB_FAILURE(pos, 1);
++
++              if (!utf8_trail(str[pos + 1])) {
++                      MB_FAILURE(pos, utf8_lead(str[pos + 1]) ? 1 : 2);
++              }
++              this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f);
++              if (this_char < 0x80) { /* non-shortest form */
++                      MB_FAILURE(pos, 2);
++              }
++              pos += 2;
++      } else if (c < 0xf0) {
++              size_t avail = str_len - pos;
++
++              if (avail < 3 ||
++                              !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2])) {
++                      if (avail < 2 || utf8_lead(str[pos + 1]))
++                              MB_FAILURE(pos, 1);
++                      else if (avail < 3 || utf8_lead(str[pos + 2]))
++                              MB_FAILURE(pos, 2);
++                      else
++                              MB_FAILURE(pos, 3);
++              }
++
++              this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f);
++              if (this_char < 0x800) { /* non-shortest form */
++                      MB_FAILURE(pos, 3);
++              } else if (this_char >= 0xd800 && this_char <= 0xdfff) { /* surrogate */
++                      MB_FAILURE(pos, 3);
++              }
++              pos += 3;
++      } else if (c < 0xf5) {
++              size_t avail = str_len - pos;
++
++              if (avail < 4 ||
++                              !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2]) ||
++                              !utf8_trail(str[pos + 3])) {
++                      if (avail < 2 || utf8_lead(str[pos + 1]))
++                              MB_FAILURE(pos, 1);
++                      else if (avail < 3 || utf8_lead(str[pos + 2]))
++                              MB_FAILURE(pos, 2);
++                      else if (avail < 4 || utf8_lead(str[pos + 3]))
++                              MB_FAILURE(pos, 3);
++                      else
++                              MB_FAILURE(pos, 4);
++              }
++                              
++              this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
++              if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */
++                      MB_FAILURE(pos, 4);
++              }
++              pos += 4;
++      } else {
++              MB_FAILURE(pos, 1);
++      }
++      
++      *cursor = pos;
++      return this_char;
++}
++/* }}} */
++
++
+ /* {{{ xml_utf8_decode */
+ PHPAPI char *xml_utf8_decode(const XML_Char *s, int len, int *newlen, const XML_Char *encoding)
+ {
+-      int pos = len;
++      size_t pos = 0;
+       char *newbuf = emalloc(len + 1);
+       unsigned int c;
+       char (*decoder)(unsigned short) = NULL;
+@@ -681,36 +782,15 @@ PHPAPI char *xml_utf8_decode(const XML_C
+               newbuf[*newlen] = '\0';
+               return newbuf;
+       }
+-      while (pos > 0) {
+-              c = (unsigned char)(*s);
+-              if (c >= 0xf0) { /* four bytes encoded, 21 bits */
+-                      if(pos-4 >= 0) {
+-                              c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
+-                      } else {
+-                              c = '?';        
+-                      }
+-                      s += 4;
+-                      pos -= 4;
+-              } else if (c >= 0xe0) { /* three bytes encoded, 16 bits */
+-                      if(pos-3 >= 0) {
+-                              c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63);
+-                      } else {
+-                              c = '?';
+-                      }
+-                      s += 3;
+-                      pos -= 3;
+-              } else if (c >= 0xc0) { /* two bytes encoded, 11 bits */
+-                      if(pos-2 >= 0) {
+-                              c = ((s[0]&63)<<6) | (s[1]&63);
+-                      } else {
+-                              c = '?';
+-                      }
+-                      s += 2;
+-                      pos -= 2;
+-              } else {
+-                      s++;
+-                      pos--;
++
++      while (pos < (size_t)len) {
++              int status = FAILURE;
++              c = php_next_utf8_char((const unsigned char*)s, (size_t) len, &pos, &status);
++
++              if (status == FAILURE || c > 0xFFU) {
++                      c = '?';
+               }
++
+               newbuf[*newlen] = decoder ? decoder(c) : c;
+               ++*newlen;
+       }
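Review bot: In xml_utf8_decode the new loop condition `pos < (size_t)len` casts a signed `int len`, so a negative `len` becomes a very large bound, whereas the removed `while (pos > 0)` simply did not run in that case. Nothing visible here shows a caller passing a negative length, but keeping the old behaviour costs one extra test: `while (len > 0 && pos < (size_t)len) {`. Separately, php_next_utf8_char relies on `*cursor <= str_len` because `CHECK_LEN` subtracts unsigned values; a one-line comment on the function stating that precondition would help, since the `{{{ php_next_utf8_char` header documents nothing. The body of xml_utf8_decode continues outside the inner hunks.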
diff -r 00ac59c99212 -r 9b55c7c0e775 lang/php53/patches/patch-ap
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php53/patches/patch-ap       Thu Nov 25 03:43:50 2010 +0000
@@ -0,0 +1,20 @@


