pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/lang/php5 Update 5.2.2
details: https://anonhg.NetBSD.org/pkgsrc/rev/066573d0a0c3
branches: trunk
changeset: 528533:066573d0a0c3
user: adrianp <adrianp%pkgsrc.org@localhost>
date: Sun May 06 20:07:28 2007 +0000
description:
Update 5.2.2
* Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
* Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
* Fixed a bug in mb_parse_str() that can be used to activate register_globals
(MOPB-26 by Stefan Esser)
* Fixed unallocated memory access/double free in in array_user_key_compare()
(MOPB-24 by Stefan Esser)
* Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
* Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers.
(MOPB-21 by Stefan Esser).
* Limit nesting level of input variables with max_input_nesting_level as fix for
(MOPB-03 by Stefan Esser)
* Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
* Fixed a possible super-global overwrite inside import_request_variables().
(by Stefano Di Paola, Stefan Esser)
* Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc
library. (by Stanislav Malyshev)
* Fixed a header injection via Subject and To parameters to the mail() function
(MOPB-34 by Stefan Esser)
* Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser)
* Fixed substr_compare and substr_count information leak
(MOPB-14 by Stefan Esser) (Stas, Ilia)
* Fixed a remotely trigger-able buffer overflow inside make_http_soap_request()
(by Ilia Alshanetsky)
* Fixed a buffer overflow inside user_filter_factory_create().
(by Ilia Alshanetsky)
diffstat:
lang/php5/Makefile | 3 +-
lang/php5/Makefile.common | 4 +-
lang/php5/distinfo | 10 +-
lang/php5/patches/patch-ab | 212 ---------------------------------------------
lang/php5/patches/patch-ac | 40 --------
5 files changed, 7 insertions(+), 262 deletions(-)
diffs (truncated from 309 to 300 lines):
diff -r 4564113ae661 -r 066573d0a0c3 lang/php5/Makefile
--- a/lang/php5/Makefile Sun May 06 19:51:30 2007 +0000
+++ b/lang/php5/Makefile Sun May 06 20:07:28 2007 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.50 2007/05/05 21:45:12 adrianp Exp $
+# $NetBSD: Makefile,v 1.51 2007/05/06 20:07:28 adrianp Exp $
PKGNAME= php-${PHP_BASE_VERS}
-PKGREVISION= 3
CATEGORIES= lang
HOMEPAGE= http://www.php.net/
diff -r 4564113ae661 -r 066573d0a0c3 lang/php5/Makefile.common
--- a/lang/php5/Makefile.common Sun May 06 19:51:30 2007 +0000
+++ b/lang/php5/Makefile.common Sun May 06 20:07:28 2007 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.24 2007/02/22 19:01:21 wiz Exp $
+# $NetBSD: Makefile.common,v 1.25 2007/05/06 20:07:36 adrianp Exp $
.if !defined(DISTNAME)
DISTNAME= php-${PHP_BASE_VERS}
@@ -15,7 +15,7 @@
MAINTAINER?= jdolecek%NetBSD.org@localhost
HOMEPAGE?= http://www.php.net/
-PHP_BASE_VERS= 5.2.1
+PHP_BASE_VERS= 5.2.2
PHP_EXTENSION_DIR= lib/php/20040412
PLIST_SUBST+= PHP_EXTENSION_DIR=${PHP_EXTENSION_DIR:Q}
diff -r 4564113ae661 -r 066573d0a0c3 lang/php5/distinfo
--- a/lang/php5/distinfo Sun May 06 19:51:30 2007 +0000
+++ b/lang/php5/distinfo Sun May 06 20:07:28 2007 +0000
@@ -1,11 +1,9 @@
-$NetBSD: distinfo,v 1.39 2007/05/06 13:08:33 tron Exp $
+$NetBSD: distinfo,v 1.40 2007/05/06 20:07:36 adrianp Exp $
-SHA1 (php-5.2.1/php-5.2.1.tar.bz2) = 978ce7cde3d988d9aa672e32e46f815a8b25baa0
-RMD160 (php-5.2.1/php-5.2.1.tar.bz2) = f75078e0e43cb9c64e6d0a8d51a2ebd23cc9131d
-Size (php-5.2.1/php-5.2.1.tar.bz2) = 7163383 bytes
+SHA1 (php-5.2.2/php-5.2.2.tar.bz2) = b9b0b8f778eee61afcff24e286e626baed8d2934
+RMD160 (php-5.2.2/php-5.2.2.tar.bz2) = 15e844530bced2960e35fd291fb71a416562aec0
+Size (php-5.2.2/php-5.2.2.tar.bz2) = 7310926 bytes
SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
-SHA1 (patch-ab) = e4131ba531bc7afdf478802dac33a47fa2f87b88
-SHA1 (patch-ac) = 0e260cfdbc247f2960f73af79324529efadcb25f
SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587
SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
diff -r 4564113ae661 -r 066573d0a0c3 lang/php5/patches/patch-ab
--- a/lang/php5/patches/patch-ab Sun May 06 19:51:30 2007 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,212 +0,0 @@
-$NetBSD: patch-ab,v 1.4 2007/04/29 12:30:18 taca Exp $
-
---- TSRM/tsrm_virtual_cwd.c.orig 2007-04-28 22:51:43.000000000 +0100
-+++ TSRM/tsrm_virtual_cwd.c 2007-04-28 22:52:15.000000000 +0100
-@@ -474,7 +474,11 @@
- realpath_cache_bucket *bucket;
- time_t t = 0;
- int ret;
-+ int use_cache;
-+ int use_relative_path = 0;
- TSRMLS_FETCH();
-+
-+ use_cache = ((use_realpath != CWD_EXPAND) && CWDG(realpath_cache_size_limit));
-
- if (path_length == 0)
- return (0);
-@@ -488,27 +492,32 @@
- /* cwd_length can be 0 when getcwd() fails.
- * This can happen under solaris when a dir does not have read permissions
- * but *does* have execute permissions */
-- if (!IS_ABSOLUTE_PATH(path, path_length) && (state->cwd_length > 0)) {
-- int orig_path_len;
-- int state_cwd_length = state->cwd_length;
-+ if (!IS_ABSOLUTE_PATH(path, path_length)) {
-+ if (state->cwd_length == 0) {
-+ use_cache = 0;
-+ use_relative_path = 1;
-+ } else {
-+ int orig_path_len;
-+ int state_cwd_length = state->cwd_length;
-
- #ifdef TSRM_WIN32
-- if (IS_SLASH(path[0])) {
-- state_cwd_length = 2;
-- }
-+ if (IS_SLASH(path[0])) {
-+ state_cwd_length = 2;
-+ }
- #endif
-- orig_path_len = path_length + state_cwd_length + 1;
-- if (orig_path_len >= MAXPATHLEN) {
-- return 1;
-+ orig_path_len = path_length + state_cwd_length + 1;
-+ if (orig_path_len >= MAXPATHLEN) {
-+ return 1;
-+ }
-+ memcpy(orig_path, state->cwd, state_cwd_length);
-+ orig_path[state_cwd_length] = DEFAULT_SLASH;
-+ memcpy(orig_path + state_cwd_length + 1, path, path_length + 1);
-+ path = orig_path;
-+ path_length = orig_path_len;
- }
-- memcpy(orig_path, state->cwd, state_cwd_length);
-- orig_path[state_cwd_length] = DEFAULT_SLASH;
-- memcpy(orig_path + state_cwd_length + 1, path, path_length + 1);
-- path = orig_path;
-- path_length = orig_path_len;
- }
-
-- if (use_realpath != CWD_EXPAND && CWDG(realpath_cache_size_limit)) {
-+ if (use_cache) {
- t = CWDG(realpath_cache_ttl)?time(NULL):0;
- if ((bucket = realpath_cache_find(path, path_length, t TSRMLS_CC)) != NULL) {
- int len = bucket->realpath_len;
-@@ -548,18 +557,19 @@
- #endif
- } else {
- char *ptr, *path_copy, *free_path;
-- char *tok = NULL;
-+ char *tok;
- int ptr_length;
- #ifdef TSRM_WIN32
-- int is_unc = 0;
-+ int is_unc;
- #endif
--
- no_realpath:
-
- free_path = path_copy = tsrm_strndup(path, path_length);
- CWD_STATE_COPY(&old_state, state);
-
--#ifdef TSRM_WIN32
-+#ifdef TSRM_WIN32
-+ ret = 0;
-+ is_unc = 0;
- if (path_length >= 2 && path[1] == ':') {
- state->cwd = (char *) realloc(state->cwd, 2 + 1);
- state->cwd[0] = toupper(path[0]);
-@@ -583,6 +593,7 @@
- }
- #endif
-
-+ tok = NULL;
- ptr = tsrm_strtok_r(path_copy, TOKENIZER_STRING, &tok);
- while (ptr) {
- ptr_length = strlen(ptr);
-@@ -590,6 +601,12 @@
- if (IS_DIRECTORY_UP(ptr, ptr_length)) {
- char save;
-
-+ if (use_relative_path) {
-+ CWD_STATE_FREE(state);
-+ *state = old_state;
-+ return 1;
-+ }
-+
- save = DEFAULT_SLASH;
-
- #define PREVIOUS state->cwd[state->cwd_length - 1]
-@@ -609,33 +626,38 @@
- state->cwd_length--;
- }
- } else if (!IS_DIRECTORY_CURRENT(ptr, ptr_length)) {
-- state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1+1);
-+ if (use_relative_path) {
-+ state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1);
-+ use_relative_path = 0;
-+ } else {
-+ state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1+1);
- #ifdef TSRM_WIN32
-- /* Windows 9x will consider C:\\Foo as a network path. Avoid it. */
-- if (state->cwd_length < 2 ||
-- (state->cwd[state->cwd_length-1]!='\\' && state->cwd[state->cwd_length-1]!='/') ||
-- IsDBCSLeadByte(state->cwd[state->cwd_length-2])) {
-- state->cwd[state->cwd_length++] = DEFAULT_SLASH;
-- }
-+ /* Windows 9x will consider C:\\Foo as a network path. Avoid it. */
-+ if (state->cwd_length < 2 ||
-+ (state->cwd[state->cwd_length-1]!='\\' && state->cwd[state->cwd_length-1]!='/') ||
-+ IsDBCSLeadByte(state->cwd[state->cwd_length-2])) {
-+ state->cwd[state->cwd_length++] = DEFAULT_SLASH;
-+ }
- #elif defined(NETWARE)
-- /*
-- Below code keeps appending to state->cwd a File system seperator
-- cases where this appending should not happen is given below,
-- a) sys: should just be left as it is
-- b) sys:system should just be left as it is,
-- Colon is allowed only in the first token as volume names alone can have the : in their names.
-- Files and Directories cannot have : in their names
-- So the check goes like this,
-- For second token and above simply append the DEFAULT_SLASH to the state->cwd.
-- For first token check for the existence of :
-- if it exists don't append the DEFAULT_SLASH to the state->cwd.
-- */
-- if(((state->cwd_length == 0) && (strchr(ptr, ':') == NULL)) || (state->cwd_length > 0)) {
-- state->cwd[state->cwd_length++] = DEFAULT_SLASH;
-- }
-+ /*
-+ Below code keeps appending to state->cwd a File system seperator
-+ cases where this appending should not happen is given below,
-+ a) sys: should just be left as it is
-+ b) sys:system should just be left as it is,
-+ Colon is allowed only in the first token as volume names alone can have the : in their names.
-+ Files and Directories cannot have : in their names
-+ So the check goes like this,
-+ For second token and above simply append the DEFAULT_SLASH to the state->cwd.
-+ For first token check for the existence of :
-+ if it exists don't append the DEFAULT_SLASH to the state->cwd.
-+ */
-+ if(((state->cwd_length == 0) && (strchr(ptr, ':') == NULL)) || (state->cwd_length > 0)) {
-+ state->cwd[state->cwd_length++] = DEFAULT_SLASH;
-+ }
- #else
-- state->cwd[state->cwd_length++] = DEFAULT_SLASH;
-+ state->cwd[state->cwd_length++] = DEFAULT_SLASH;
- #endif
-+ }
- memcpy(&state->cwd[state->cwd_length], ptr, ptr_length+1);
-
- #ifdef TSRM_WIN32
-@@ -652,14 +674,14 @@
- memcpy(&state->cwd[state->cwd_length], data.cFileName, length+1);
- ptr_length = length;
- FindClose(hFind);
-+ ret = 0;
- } else if (use_realpath == CWD_REALPATH) {
- if (is_unc) {
-+ /* skip share name */
- is_unc--;
-+ ret = 0;
- } else {
-- free(free_path);
-- CWD_STATE_FREE(state);
-- *state = old_state;
-- return 1;
-+ ret = 1;
- }
- }
- }
-@@ -672,6 +694,12 @@
-
- free(free_path);
-
-+ if ((use_realpath == CWD_REALPATH) && ret) {
-+ CWD_STATE_FREE(state);
-+ *state = old_state;
-+ return 1;
-+ }
-+
- if (state->cwd_length == COPY_WHEN_ABSOLUTE(state->cwd)) {
- state->cwd = (char *) realloc(state->cwd, state->cwd_length+1+1);
- state->cwd[state->cwd_length] = DEFAULT_SLASH;
-@@ -680,7 +708,7 @@
- }
- }
-
-- if (use_realpath != CWD_EXPAND && CWDG(realpath_cache_size_limit)) {
-+ if (use_cache) {
- realpath_cache_add(path, path_length, state->cwd, state->cwd_length, t TSRMLS_CC);
- }
-
diff -r 4564113ae661 -r 066573d0a0c3 lang/php5/patches/patch-ac
--- a/lang/php5/patches/patch-ac Sun May 06 19:51:30 2007 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,40 +0,0 @@
-$NetBSD: patch-ac,v 1.4 2007/05/06 13:08:33 tron Exp $
-
-Patch for CVE-2007-1001, taken from here:
-
-http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.5&r2=1.5.6.1&view=patch
-
---- ext/gd/libgd/wbmp.c.orig 2003-12-31 01:01:44.000000000 +0000
-+++ ext/gd/libgd/wbmp.c 2007-05-06 13:41:13.000000000 +0100
-@@ -116,6 +116,15 @@
- if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
- return (NULL);
-
-+ if (overflow2(sizeof (int), width)) {
-+ gdFree(wbmp);
-+ return NULL;
-+ }
-+ if (overflow2(sizeof (int) * width, height)) {
-+ gdFree(wbmp);
-+ return NULL;
-+ }
-+
- if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
- {
- gdFree (wbmp);
-@@ -176,7 +185,14 @@
- printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
- #endif
-
-- if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
-+ if (overflow2(sizeof (int), wbmp->width) ||
-+ overflow2(sizeof (int) * wbmp->width, wbmp->height))
Home |
Main Index |
Thread Index |
Old Index