pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/www/php4 Fix for CVE-2006-1990
details: https://anonhg.NetBSD.org/pkgsrc/rev/bc5aae2f7088
branches: trunk
changeset: 516307:bc5aae2f7088
user: adrianp <adrianp%pkgsrc.org@localhost>
date: Tue Jul 18 21:21:19 2006 +0000
description:
Fix for CVE-2006-1990
Fix for CVE-2006-3011
Include our own pear.sh from the tarball, slightly hacked to get around
memory issues on installation.
diffstat:
www/php4/Makefile | 15 +++++++++++++--
www/php4/distinfo | 4 +++-
www/php4/files/pear.sh | 28 ++++++++++++++++++++++++++++
www/php4/patches/patch-au | 24 ++++++++++++++++++++++++
www/php4/patches/patch-av | 15 +++++++++++++++
5 files changed, 83 insertions(+), 3 deletions(-)
diffs (131 lines):
diff -r 7c5ac54e4607 -r bc5aae2f7088 www/php4/Makefile
--- a/www/php4/Makefile Tue Jul 18 21:13:22 2006 +0000
+++ b/www/php4/Makefile Tue Jul 18 21:21:19 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.67 2006/07/07 15:49:34 jlam Exp $
+# $NetBSD: Makefile,v 1.68 2006/07/18 21:21:19 adrianp Exp $
PKGNAME= php-${PHP_BASE_VERS}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES+= lang
COMMENT= HTML-embedded scripting language
@@ -50,6 +50,16 @@
USE_TOOLS+= gzcat
+SUBST_CLASSES= pear
+SUBST_STAGE.pear= pre-install
+SUBST_FILES.pear= ${WRKDIR}/pear.sh
+SUBST_SED.pear= -e "s|@php_bin@|${PREFIX}/bin/php|g"
+SUBST_SED.pear+= -e "s|@php_dir@|${PREFIX}/lib/php|g"
+SUBST_MESSAGE.pear= Fixing pear installation script.
+
+post-extract:
+ ${CP} ${FILESDIR}/pear.sh ${WRKDIR}
+
post-install:
${INSTALL_PROGRAM} ${WRKSRC}/sapi/cli/php ${PREFIX}/bin/php
${INSTALL_DATA} ${WRKSRC}/sapi/cli/php.1 ${PREFIX}/man/man1/php.1
@@ -59,5 +69,6 @@
cd ${WRKSRC}; ${INSTALL_DATA} php.ini-dist php.ini-recommended ${EGDIR}
${INSTALL_DATA_DIR} ${PREFIX}/share/php
${INSTALL_DATA} ${WRKSRC}/php.gif ${PREFIX}/share/php
+ ${INSTALL_SCRIPT} ${WRKDIR}/pear.sh ${PREFIX}/bin/pear
.include "../../mk/bsd.pkg.mk"
diff -r 7c5ac54e4607 -r bc5aae2f7088 www/php4/distinfo
--- a/www/php4/distinfo Tue Jul 18 21:13:22 2006 +0000
+++ b/www/php4/distinfo Tue Jul 18 21:21:19 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.54 2006/05/11 06:50:39 minskim Exp $
+$NetBSD: distinfo,v 1.55 2006/07/18 21:21:19 adrianp Exp $
SHA1 (php-4.4.2.tar.bz2) = 88f2e9efff0add8d8e3034d4ce3a948429b88756
RMD160 (php-4.4.2.tar.bz2) = cbef0fa4e233529422bc0944dcfb79d866013f5e
@@ -18,3 +18,5 @@
SHA1 (patch-ar) = 5606c1ec5a7afaeda2e3cc7879cc0caa4f86ca68
SHA1 (patch-as) = 7987c293d2290aa5e68fba87d0aa759797ace40d
SHA1 (patch-at) = f8b3aebd61fe2d5b5a994e1d973424a1ed397f63
+SHA1 (patch-au) = b5fa682fa6b03cc91e68db7e7ed6985897a3288f
+SHA1 (patch-av) = fc105360bccbff5a5eae119f24a8aa12b4e08139
diff -r 7c5ac54e4607 -r bc5aae2f7088 www/php4/files/pear.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/php4/files/pear.sh Tue Jul 18 21:21:19 2006 +0000
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# first find which PHP binary to use
+if test "x$PHP_PEAR_PHP_BIN" != "x"; then
+ PHP="$PHP_PEAR_PHP_BIN"
+else
+ if test "@php_bin@" = '@'php_bin'@'; then
+ PHP=php
+ else
+ PHP="@php_bin@"
+ fi
+fi
+
+# then look for the right pear include dir
+if test "x$PHP_PEAR_INSTALL_DIR" != "x"; then
+ INCDIR=$PHP_PEAR_INSTALL_DIR
+ INCARG="-d include_path=$PHP_PEAR_INSTALL_DIR"
+else
+ if test "@php_dir@" = '@'php_dir'@'; then
+ INCDIR=`dirname $0`
+ INCARG=""
+ else
+ INCDIR="@php_dir@"
+ INCARG="-d include_path=@php_dir@"
+ fi
+fi
+
+exec $PHP -C -q $INCARG -d output_buffering=1 -dmemory_limit=12M $INCDIR/pearcmd.php "$@"
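Review bot: The `exec` line expands `$PHP` and `$INCDIR` unquoted, and the `dirname $0` call above it is unquoted as well, so a prefix or `PHP_PEAR_INSTALL_DIR` value containing whitespace or glob characters is split into extra interpreter arguments. Quoting the single-word parts fixes that: `exec "$PHP" -C -q $INCARG -d output_buffering=1 -dmemory_limit=12M "$INCDIR/pearcmd.php" "$@"`, plus `"$0"` in the `dirname` call. `$INCARG` has to stay unquoted because it carries two words, so the include path itself still cannot contain spaces. `PHP_PEAR_PHP_BIN` and `PHP_PEAR_INSTALL_DIR` come from the caller's environment and decide which binary and script run, which matters if `pear` is ever started through a privilege-raising wrapper that preserves the environment. The `-dmemory_limit=12M` setting, apparently the local change the commit message refers to, carries no comment; `# pkgsrc: memory_limit set here to avoid out-of-memory failures during pear installs` would mark it as a deliberate deviation from the tarball's script.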
diff -r 7c5ac54e4607 -r bc5aae2f7088 www/php4/patches/patch-au
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/php4/patches/patch-au Tue Jul 18 21:21:19 2006 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-au,v 1.1 2006/07/18 21:21:19 adrianp Exp $
+
+# This is CVE-2006-1990
+
+--- ext/standard/string.c.orig 2006-01-01 13:46:58.000000000 +0000
++++ ext/standard/string.c
+@@ -672,15 +672,13 @@ PHP_FUNCTION(wordwrap)
+ /* Multiple character line break or forced cut */
+ if (linelength > 0) {
+ chk = (int)(textlen/linelength + 1);
++ newtext = safe_emalloc(chk, breakcharlen, textlen + 1);
+ alloced = textlen + chk * breakcharlen + 1;
+ } else {
+ chk = textlen;
++ newtext = safe_emalloc(textlen, (breakcharlen + 1), 1);
+ alloced = textlen * (breakcharlen + 1) + 1;
+ }
+- if (alloced <= 0) {
+- RETURN_FALSE;
+- }
+- newtext = emalloc(alloced);
+
+ /* now keep track of the actual new text length */
+ newtextlen = 0;
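Review bot: `alloced` is still computed with the unchecked expressions `textlen + chk * breakcharlen + 1` and `textlen * (breakcharlen + 1) + 1` after the allocation moves to `safe_emalloc`, and the `alloced <= 0` guard that used to catch a wrapped value is removed. The declarations are outside the hunk, but the `(int)` cast on `chk` suggests these are `int`s; if `safe_emalloc` checks for overflow in a wider type, the allocation can succeed while `alloced` wraps, and any later code that compares against `alloced` would work from a wrong capacity. Computing the bookkeeping value in the allocator's type, e.g. `alloced = (size_t)textlen + (size_t)chk * breakcharlen + 1;` with `alloced` declared `size_t`, would keep the two in agreement. The rest of `wordwrap` lies outside the hunk, so how `alloced` is consumed should be confirmed against the full function.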
diff -r 7c5ac54e4607 -r bc5aae2f7088 www/php4/patches/patch-av
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/php4/patches/patch-av Tue Jul 18 21:21:19 2006 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-av,v 1.1 2006/07/18 21:21:19 adrianp Exp $
+
+# This is CVE-2006-3011
+
+--- ext/standard/basic_functions.c.orig 2006-01-01 13:46:57.000000000 +0000
++++ ext/standard/basic_functions.c
+@@ -1866,7 +1866,7 @@ PHPAPI int _php_error_log(int opt_err, c
+ break;
+
+ case 3: /*save to a file */
+- stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
++ stream = php_stream_open_wrapper(opt, "a", IGNORE_URL_WIN | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
+ if (!stream)
+ return FAILURE;
+ php_stream_write(stream, message, strlen(message));
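Review bot: The patch header documents the change only as `# This is CVE-2006-3011`, which tells a later maintainer neither what the flag swap is meant to achieve nor where the fix came from. A header along the lines of `# CVE-2006-3011: error_log() type 3 could bypass safe_mode/open_basedir via a URL-style destination; use IGNORE_URL_WIN. Upstream: <upstream revision or URL>` would let the patch be checked against upstream and dropped once the package moves to a release that contains the fix. The definition of `IGNORE_URL_WIN` is not visible in this hunk, so the header should state the intended effect rather than leave it to be inferred from the name. patch-au's `# This is CVE-2006-1990` header has the same gap.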