pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/lang/php5 Update 5.2.2



details:   https://anonhg.NetBSD.org/pkgsrc/rev/066573d0a0c3
branches:  trunk
changeset: 528533:066573d0a0c3
user:      adrianp <adrianp%pkgsrc.org@localhost>
date:      Sun May 06 20:07:28 2007 +0000

description:
Update 5.2.2
* Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
* Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
* Fixed a bug in mb_parse_str() that can be used to activate register_globals
  (MOPB-26 by Stefan Esser)
* Fixed unallocated memory access/double free in array_user_key_compare()
  (MOPB-24 by Stefan Esser)
* Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
* Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers.
  (MOPB-21 by Stefan Esser).
* Limit nesting level of input variables with max_input_nesting_level as fix for
  (MOPB-03 by Stefan Esser)
* Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
* Fixed a possible super-global overwrite inside import_request_variables().
  (by Stefano Di Paola, Stefan Esser)
* Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc
  library. (by Stanislav Malyshev)
* Fixed a header injection via Subject and To parameters to the mail() function
  (MOPB-34 by Stefan Esser)
* Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser)
* Fixed substr_compare and substr_count information leak
  (MOPB-14 by Stefan Esser) (Stas, Ilia)
* Fixed a remotely trigger-able buffer overflow inside make_http_soap_request()
  (by Ilia Alshanetsky)
* Fixed a buffer overflow inside user_filter_factory_create().
  (by Ilia Alshanetsky)

diffstat:

 lang/php5/Makefile         |    3 +-
 lang/php5/Makefile.common  |    4 +-
 lang/php5/distinfo         |   10 +-
 lang/php5/patches/patch-ab |  212 ---------------------------------------------
 lang/php5/patches/patch-ac |   40 --------
 5 files changed, 7 insertions(+), 262 deletions(-)

diffs (truncated from 309 to 300 lines):

diff -r 4564113ae661 -r 066573d0a0c3 lang/php5/Makefile
--- a/lang/php5/Makefile        Sun May 06 19:51:30 2007 +0000
+++ b/lang/php5/Makefile        Sun May 06 20:07:28 2007 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.50 2007/05/05 21:45:12 adrianp Exp $
+# $NetBSD: Makefile,v 1.51 2007/05/06 20:07:28 adrianp Exp $
 
 PKGNAME=               php-${PHP_BASE_VERS}
-PKGREVISION=           3
 CATEGORIES=            lang
 
 HOMEPAGE=              http://www.php.net/
diff -r 4564113ae661 -r 066573d0a0c3 lang/php5/Makefile.common
--- a/lang/php5/Makefile.common Sun May 06 19:51:30 2007 +0000
+++ b/lang/php5/Makefile.common Sun May 06 20:07:28 2007 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.24 2007/02/22 19:01:21 wiz Exp $
+# $NetBSD: Makefile.common,v 1.25 2007/05/06 20:07:36 adrianp Exp $
 
 .if !defined(DISTNAME)
 DISTNAME=              php-${PHP_BASE_VERS}
@@ -15,7 +15,7 @@
 MAINTAINER?=           jdolecek%NetBSD.org@localhost
 HOMEPAGE?=             http://www.php.net/
 
-PHP_BASE_VERS=         5.2.1
+PHP_BASE_VERS=         5.2.2
 
 PHP_EXTENSION_DIR=     lib/php/20040412
 PLIST_SUBST+=          PHP_EXTENSION_DIR=${PHP_EXTENSION_DIR:Q}
diff -r 4564113ae661 -r 066573d0a0c3 lang/php5/distinfo
--- a/lang/php5/distinfo        Sun May 06 19:51:30 2007 +0000
+++ b/lang/php5/distinfo        Sun May 06 20:07:28 2007 +0000
@@ -1,11 +1,9 @@
-$NetBSD: distinfo,v 1.39 2007/05/06 13:08:33 tron Exp $
+$NetBSD: distinfo,v 1.40 2007/05/06 20:07:36 adrianp Exp $
 
-SHA1 (php-5.2.1/php-5.2.1.tar.bz2) = 978ce7cde3d988d9aa672e32e46f815a8b25baa0
-RMD160 (php-5.2.1/php-5.2.1.tar.bz2) = f75078e0e43cb9c64e6d0a8d51a2ebd23cc9131d
-Size (php-5.2.1/php-5.2.1.tar.bz2) = 7163383 bytes
+SHA1 (php-5.2.2/php-5.2.2.tar.bz2) = b9b0b8f778eee61afcff24e286e626baed8d2934
+RMD160 (php-5.2.2/php-5.2.2.tar.bz2) = 15e844530bced2960e35fd291fb71a416562aec0
+Size (php-5.2.2/php-5.2.2.tar.bz2) = 7310926 bytes
 SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
-SHA1 (patch-ab) = e4131ba531bc7afdf478802dac33a47fa2f87b88
-SHA1 (patch-ac) = 0e260cfdbc247f2960f73af79324529efadcb25f
 SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
 SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587
 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
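Review bot: The `SHA1 (patch-ab)` and `SHA1 (patch-ac)` entries are dropped here, but the commit message never states that both local fixes are contained in 5.2.2. patch-ac is accounted for, since its header names CVE-2007-1001 and the description lists that as fixed upstream. Nothing in the description corresponds to patch-ab's change to `TSRM/tsrm_virtual_cwd.c`, so a reader cannot tell from this commit whether that fix was merged upstream or silently lost in the update. I would add a line to the message such as `Remove patch-ab and patch-ac: both changes are included upstream in 5.2.2`, after checking the 5.2.2 sources for the `use_relative_path` handling.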
diff -r 4564113ae661 -r 066573d0a0c3 lang/php5/patches/patch-ab
--- a/lang/php5/patches/patch-ab        Sun May 06 19:51:30 2007 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,212 +0,0 @@
-$NetBSD: patch-ab,v 1.4 2007/04/29 12:30:18 taca Exp $
-
---- TSRM/tsrm_virtual_cwd.c.orig       2007-04-28 22:51:43.000000000 +0100
-+++ TSRM/tsrm_virtual_cwd.c    2007-04-28 22:52:15.000000000 +0100
-@@ -474,7 +474,11 @@
-       realpath_cache_bucket *bucket;
-       time_t t = 0;
-       int ret;
-+      int use_cache;
-+      int use_relative_path = 0;
-       TSRMLS_FETCH();
-+      
-+      use_cache = ((use_realpath != CWD_EXPAND) && CWDG(realpath_cache_size_limit));
- 
-       if (path_length == 0) 
-               return (0);
-@@ -488,27 +492,32 @@
-       /* cwd_length can be 0 when getcwd() fails.
-        * This can happen under solaris when a dir does not have read permissions
-        * but *does* have execute permissions */
--      if (!IS_ABSOLUTE_PATH(path, path_length) && (state->cwd_length > 0)) {
--              int orig_path_len;
--              int state_cwd_length = state->cwd_length;
-+      if (!IS_ABSOLUTE_PATH(path, path_length)) {
-+              if (state->cwd_length == 0) {
-+                      use_cache = 0;
-+                      use_relative_path = 1;
-+              } else {
-+                      int orig_path_len;
-+                      int state_cwd_length = state->cwd_length;
- 
- #ifdef TSRM_WIN32
--              if (IS_SLASH(path[0])) {
--                      state_cwd_length = 2;
--              }
-+                      if (IS_SLASH(path[0])) {
-+                              state_cwd_length = 2;
-+                      }
- #endif
--              orig_path_len = path_length + state_cwd_length + 1;
--              if (orig_path_len >= MAXPATHLEN) {
--                      return 1;
-+                      orig_path_len = path_length + state_cwd_length + 1;
-+                      if (orig_path_len >= MAXPATHLEN) {
-+                              return 1;
-+                      }
-+                      memcpy(orig_path, state->cwd, state_cwd_length);
-+                      orig_path[state_cwd_length] = DEFAULT_SLASH;
-+                      memcpy(orig_path + state_cwd_length + 1, path, path_length + 1);
-+                      path = orig_path;
-+                      path_length = orig_path_len; 
-               }
--              memcpy(orig_path, state->cwd, state_cwd_length);
--              orig_path[state_cwd_length] = DEFAULT_SLASH;
--              memcpy(orig_path + state_cwd_length + 1, path, path_length + 1);
--              path = orig_path;
--              path_length = orig_path_len; 
-       }
- 
--      if (use_realpath != CWD_EXPAND && CWDG(realpath_cache_size_limit)) {
-+      if (use_cache) {
-               t = CWDG(realpath_cache_ttl)?time(NULL):0;
-               if ((bucket = realpath_cache_find(path, path_length, t TSRMLS_CC)) != NULL) {           
-                       int len = bucket->realpath_len;
-@@ -548,18 +557,19 @@
- #endif
-       } else {
-               char *ptr, *path_copy, *free_path;
--              char *tok = NULL;
-+              char *tok;
-               int ptr_length;
- #ifdef TSRM_WIN32
--              int is_unc = 0;
-+              int is_unc;
- #endif
--
- no_realpath:
- 
-               free_path = path_copy = tsrm_strndup(path, path_length);
-               CWD_STATE_COPY(&old_state, state);
- 
--#ifdef TSRM_WIN32             
-+#ifdef TSRM_WIN32
-+              ret = 0;
-+              is_unc = 0;
-               if (path_length >= 2 && path[1] == ':') {                       
-                       state->cwd = (char *) realloc(state->cwd, 2 + 1);
-                       state->cwd[0] = toupper(path[0]);
-@@ -583,6 +593,7 @@
-               }
- #endif
-               
-+              tok = NULL;
-               ptr = tsrm_strtok_r(path_copy, TOKENIZER_STRING, &tok);
-               while (ptr) {
-                       ptr_length = strlen(ptr);
-@@ -590,6 +601,12 @@
-                       if (IS_DIRECTORY_UP(ptr, ptr_length)) {
-                               char save;
- 
-+                              if (use_relative_path) {
-+                                      CWD_STATE_FREE(state);
-+                                      *state = old_state;
-+                                      return 1;
-+                              }
-+
-                               save = DEFAULT_SLASH;
- 
- #define PREVIOUS state->cwd[state->cwd_length - 1]
-@@ -609,33 +626,38 @@
-                                       state->cwd_length--;
-                               }
-                       } else if (!IS_DIRECTORY_CURRENT(ptr, ptr_length)) {
--                              state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1+1);
-+                              if (use_relative_path) {
-+                                      state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1);
-+                                      use_relative_path = 0;
-+                              } else {
-+                                      state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1+1);
- #ifdef TSRM_WIN32
--                              /* Windows 9x will consider C:\\Foo as a network path. Avoid it. */
--                              if (state->cwd_length < 2 ||
--                                  (state->cwd[state->cwd_length-1]!='\\' && state->cwd[state->cwd_length-1]!='/') ||
--                                              IsDBCSLeadByte(state->cwd[state->cwd_length-2])) {
--                                      state->cwd[state->cwd_length++] = DEFAULT_SLASH;
--                              }
-+                                      /* Windows 9x will consider C:\\Foo as a network path. Avoid it. */
-+                                      if (state->cwd_length < 2 ||
-+                                          (state->cwd[state->cwd_length-1]!='\\' && state->cwd[state->cwd_length-1]!='/') ||
-+                                                      IsDBCSLeadByte(state->cwd[state->cwd_length-2])) {
-+                                              state->cwd[state->cwd_length++] = DEFAULT_SLASH;
-+                                      }
- #elif defined(NETWARE)
--                              /* 
--                              Below code keeps appending to state->cwd a File system seperator
--                              cases where this appending should not happen is given below,
--                              a) sys: should just be left as it is
--                              b) sys:system should just be left as it is,
--                                      Colon is allowed only in the first token as volume names alone can have the : in their names.
--                                      Files and Directories cannot have : in their names
--                                      So the check goes like this,
--                                      For second token and above simply append the DEFAULT_SLASH to the state->cwd.
--                                      For first token check for the existence of : 
--                                      if it exists don't append the DEFAULT_SLASH to the state->cwd.
--                              */
--                              if(((state->cwd_length == 0) && (strchr(ptr, ':') == NULL)) || (state->cwd_length > 0)) {
--                                      state->cwd[state->cwd_length++] = DEFAULT_SLASH;
--                              }
-+                                      /* 
-+                                      Below code keeps appending to state->cwd a File system seperator
-+                                      cases where this appending should not happen is given below,
-+                                      a) sys: should just be left as it is
-+                                      b) sys:system should just be left as it is,
-+                                              Colon is allowed only in the first token as volume names alone can have the : in their names.
-+                                              Files and Directories cannot have : in their names
-+                                              So the check goes like this,
-+                                              For second token and above simply append the DEFAULT_SLASH to the state->cwd.
-+                                              For first token check for the existence of : 
-+                                              if it exists don't append the DEFAULT_SLASH to the state->cwd.
-+                                      */
-+                                      if(((state->cwd_length == 0) && (strchr(ptr, ':') == NULL)) || (state->cwd_length > 0)) {
-+                                              state->cwd[state->cwd_length++] = DEFAULT_SLASH;
-+                                      }
- #else
--                              state->cwd[state->cwd_length++] = DEFAULT_SLASH;
-+                                      state->cwd[state->cwd_length++] = DEFAULT_SLASH;
- #endif
-+                              }
-                               memcpy(&state->cwd[state->cwd_length], ptr, ptr_length+1);
- 
- #ifdef TSRM_WIN32
-@@ -652,14 +674,14 @@
-                                               memcpy(&state->cwd[state->cwd_length], data.cFileName, length+1);
-                                               ptr_length = length;
-                                               FindClose(hFind);
-+                                              ret = 0;
-                                       } else if (use_realpath == CWD_REALPATH) {
-                                               if (is_unc) {
-+                                                      /* skip share name */
-                                                       is_unc--;
-+                                                      ret = 0;
-                                               } else {
--                                                      free(free_path);
--                                                      CWD_STATE_FREE(state);
--                                                      *state = old_state;                                     
--                                                      return 1;
-+                                                      ret = 1;
-                                               }
-                                       }
-                               }
-@@ -672,6 +694,12 @@
- 
-               free(free_path);
- 
-+              if ((use_realpath == CWD_REALPATH) && ret) {
-+                      CWD_STATE_FREE(state);
-+                      *state = old_state;                                     
-+                      return 1;
-+              }
-+
-               if (state->cwd_length == COPY_WHEN_ABSOLUTE(state->cwd)) {
-                       state->cwd = (char *) realloc(state->cwd, state->cwd_length+1+1);
-                       state->cwd[state->cwd_length] = DEFAULT_SLASH;
-@@ -680,7 +708,7 @@
-               }
-       }
- 
--      if (use_realpath != CWD_EXPAND && CWDG(realpath_cache_size_limit)) {
-+      if (use_cache) {
-               realpath_cache_add(path, path_length, state->cwd, state->cwd_length, t TSRMLS_CC);
-       }
- 
diff -r 4564113ae661 -r 066573d0a0c3 lang/php5/patches/patch-ac
--- a/lang/php5/patches/patch-ac        Sun May 06 19:51:30 2007 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,40 +0,0 @@
-$NetBSD: patch-ac,v 1.4 2007/05/06 13:08:33 tron Exp $
-
-Patch for CVE-2007-1001, taken from here:
-
-http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.5&r2=1.5.6.1&view=patch
-
---- ext/gd/libgd/wbmp.c.orig   2003-12-31 01:01:44.000000000 +0000
-+++ ext/gd/libgd/wbmp.c        2007-05-06 13:41:13.000000000 +0100
-@@ -116,6 +116,15 @@
-   if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
-     return (NULL);
- 
-+  if (overflow2(sizeof (int), width)) {
-+    gdFree(wbmp);
-+    return NULL;
-+  }
-+  if (overflow2(sizeof (int) * width, height)) {
-+    gdFree(wbmp);
-+    return NULL;
-+  }
-+
-   if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
-     {
-       gdFree (wbmp);
-@@ -176,7 +185,14 @@
-   printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
- #endif
- 
--  if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
-+  if (overflow2(sizeof (int), wbmp->width) ||
-+    overflow2(sizeof (int) * wbmp->width, wbmp->height))


