Mon Nov 30 06:14:08 2009 UTC ()

Add fixes for http://secunia.com/advisories/37412/ from PHP's repositry.

1. CVE-2009-3292 is already fixed in 5.2.11.

2. CVE-2009-3558

	http://svn.php.net/viewvc?view=revision&revision=288934

3. CVE-2009-3557

	http://svn.php.net/viewvc?view=revision&revision=288945
	http://svn.php.net/viewvc?view=revision&revision=288971

4. CVE-2009-4017

	http://svn.php.net/viewvc?view=revision&revision=289990
	http://svn.php.net/viewvc?view=revision&revision=290820
	http://svn.php.net/viewvc?view=revision&revision=290885

Other pkgsrc changes:

* Don't hardcord /usr/pkg in php.ini-dist and php.ini-recommended.
* Add comments to some of patch files.

Bump PKGREVISION.


(taca)

diff -r1.73 -r1.74 pkgsrc/lang/php5/Makefile
diff -r1.69 -r1.70 pkgsrc/lang/php5/distinfo
diff -r1.2 -r1.3 pkgsrc/lang/php5/patches/patch-ag
diff -r1.1 -r1.2 pkgsrc/lang/php5/patches/patch-ah
diff -r1.1 -r1.2 pkgsrc/lang/php5/patches/patch-ay
diff -r1.1 -r1.2 pkgsrc/lang/php5/patches/patch-az
diff -r0 -r1.1 pkgsrc/lang/php5/patches/patch-ba
diff -r0 -r1.1 pkgsrc/lang/php5/patches/patch-bb
diff -r0 -r1.1 pkgsrc/lang/php5/patches/patch-bc
diff -r0 -r1.1 pkgsrc/lang/php5/patches/patch-bd

--- pkgsrc/lang/php5/Attic/Makefile 2009/10/22 14:49:06 1.73
+++ pkgsrc/lang/php5/Attic/Makefile 2009/11/30 06:14:08 1.74

 @@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.73 2009/10/22 14:49:06 taca Exp $
+# $NetBSD: Makefile,v 1.74 2009/11/30 06:14:08 taca Exp $
 PKGNAME=		php-${PHP_BASE_VERS}
-PKGREVISION=		1
+PKGREVISION=		2
 CATEGORIES=		lang
 HOMEPAGE=		http://www.php.net/
 COMMENT=		PHP Hypertext Preprocessor version 5
 TEST_TARGET=		test
 PKG_DESTDIR_SUPPORT=	user-destdir
 USE_TOOLS+=		gmake lex pkg-config
 LIBTOOL_OVERRIDE=	# empty
 PKG_OPTIONS_REQUIRED_GROUPS+=	sapi
 PKG_OPTIONS_GROUP.sapi=	cgi fastcgi
 PKG_SUGGESTED_OPTIONS+=	cgi
 @@ -27,40 +27,40 @@ CONFIGURE_ARGS+=	--enable-force-cgi-redi
 CONFIGURE_ARGS+=	--enable-fastcgi
 .endif
 CGIDIR=			${PREFIX}/libexec/cgi-bin
 EGDIR=			${PREFIX}/share/examples/php
 MESSAGE_SUBST+=		CGIDIR=${CGIDIR:Q}
 CONFIGURE_ENV+=		lt_cv_path_SED=${SED:Q}
 MAKE_ENV+=		INSTALL_ROOT=${DESTDIR:Q}
 CONF_FILES=		${EGDIR}/php.ini-recommended ${PKG_SYSCONFDIR}/php.ini
 OWN_DIRS=		${PREFIX}/${PHP_EXTENSION_DIR}
-SUBST_CLASSES+=		cgi
+SUBST_CLASSES+=		path
-SUBST_MESSAGE.cgi=	Fixing CGI path.
+SUBST_MESSAGE.path=	Fixing common paths.
-SUBST_STAGE.cgi=	pre-configure
+SUBST_STAGE.path=	pre-configure
-SUBST_FILES.cgi=	configure
+SUBST_FILES.path=	configure php.ini-dist php.ini-recommended
-SUBST_SED.cgi=		-e 's,@CGIDIR@,${CGIDIR},g'
+SUBST_SED.path=		-e 's,@CGIDIR@,${CGIDIR},g'
 SUBST_SED.path+=	-e 's,@PREFIX@,${PREFIX},g'
 INSTALLATION_DIRS+=	${CGIDIR}
 # Make sure modules can link correctly
 .if ${OPSYS} == "Darwin"
 INSTALL_UNSTRIPPED=	yes
 .endif
 pre-install:
 	${INSTALL_DATA_DIR} ${DESTDIR:Q}${CGIDIR:Q}
 post-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/sapi/cli/php \
 		${DESTDIR:Q}${PREFIX:Q}/bin/php
 	${INSTALL_DATA} ${WRKSRC}/sapi/cli/php.1 \
 		${DESTDIR:Q}${PREFIX:Q}/${PKGMANDIR}/man1/php.1
 	${INSTALL_PROGRAM} ${WRKSRC}/sapi/cgi/php-cgi \
 		${DESTDIR:Q}${CGIDIR:Q}/php
 	${INSTALL_DATA_DIR} ${DESTDIR:Q}${EGDIR:Q}
 	cd ${WRKSRC}; ${INSTALL_DATA} php.ini-dist php.ini-recommended \
 		${DESTDIR:Q}${EGDIR:Q}
 	${INSTALL_DATA_DIR} ${DESTDIR:Q}${PREFIX:Q}/share/php
 	${INSTALL_DATA} ${WRKSRC}/php.gif ${DESTDIR:Q}${PREFIX:Q}/share/php

--- pkgsrc/lang/php5/Attic/distinfo 2009/10/22 14:49:06 1.69
+++ pkgsrc/lang/php5/Attic/distinfo 2009/11/30 06:14:08 1.70

 @@ -1,20 +1,24 @@
-$NetBSD: distinfo,v 1.69 2009/10/22 14:49:06 taca Exp $
+$NetBSD: distinfo,v 1.70 2009/11/30 06:14:08 taca Exp $
 SHA1 (php-5.2.11/php-5.2.11.tar.bz2) = 819c853ce657ef260d4a73b5a21f961115b97eef
 RMD160 (php-5.2.11/php-5.2.11.tar.bz2) = 6aad53dee864ab89f794a9d3c2aa32d435ed5654
 Size (php-5.2.11/php-5.2.11.tar.bz2) = 9030787 bytes
 SHA1 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 248419332131efc53f3306c2a57a4b1a9dc92cc1
 RMD160 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 0f6d442aace34c221f9fbff42a63e7f3b4489f15
 Size (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 23050 bytes
 SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
-SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
+SHA1 (patch-ag) = 901552355a3d57d9b8e23b31cd0edfd28db8b2bb
-SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587
+SHA1 (patch-ah) = 7702da73f3a457ee381542b454d19b1f4b421e01
 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
 SHA1 (patch-al) = 0ee37782cc0d3bf5ede1a583de0589c2c1316b50
 SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602
 SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce
 SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df
 SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d
 SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1
-SHA1 (patch-ay) = c2667dd398c1c58e55f459f2df02613dc028e9cc
+SHA1 (patch-ay) = 7ae502db6574a91fcbb487d37c14a5de644b01b6
-SHA1 (patch-az) = ebdd76b8a5e6cf853b467a67fc6c8948a91d822a
+SHA1 (patch-az) = 04e69038e693cc72fb0f67ce04dd1778dacb1756
 SHA1 (patch-ba) = d9483f61b19c297eced12ae3d84d5163e33327b4
 SHA1 (patch-bb) = abbc8747e520d3665d3bcccf9c87741ecc6dc210
 SHA1 (patch-bc) = 9cb2e7fcd6f91d3382a69d68a80d72fdb8fbf2a7
 SHA1 (patch-bd) = 85c891ada42c062b365051b43a3b53c33fa39a92

--- pkgsrc/lang/php5/patches/Attic/patch-ag 2006/02/06 06:39:59 1.2
+++ pkgsrc/lang/php5/patches/Attic/patch-ag 2009/11/30 06:14:08 1.3

 @@ -1,25 +1,44 @@
-$NetBSD: patch-ag,v 1.2 2006/02/06 06:39:59 martti Exp $
+$NetBSD: patch-ag,v 1.3 2009/11/30 06:14:08 taca Exp $
---- php.ini-dist.orig	2005-12-30 19:15:55.000000000 +0200
+* Ajust for pkgsrc.
-+++ php.ini-dist	2006-02-05 15:36:13.000000000 +0200
+* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
-@@ -457,8 +457,9 @@
+	http://svn.php.net/viewvc?view=revision&revision=289990
 --- php.ini-dist.orig	2009-02-14 01:55:18.000000000 +0900
 +++ php.ini-dist
@@ -471,7 +471,7 @@ default_mimetype = "text/html"
  ;;;;;;;;;;;;;;;;;;;;;;;;;
  ; UNIX: "/path1:/path2"
 -;include_path = ".:/php/includes"
 +include_path = ".:@PREFIX@/lib/php"
+ ;
  ; Windows: "\path1;\path2"
  ;include_path = ".;c:\php\includes"
@@ -487,8 +487,9 @@ doc_root =
  ; if nonempty.
  user_dir =
 -; Directory in which the loadable extensions (modules) reside.
 -extension_dir = "./"
 +; Directory in which the loadable extensions (modules) reside. If not
 +; defined, then use the extension directory specified at compile-time.
 +; extension_dir = "./"
  ; Whether or not to enable the dl() function.  The dl() function does NOT work
  ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -508,7 +509,7 @@
+@@ -546,11 +547,13 @@ file_uploads = On
  ; Temporary directory for HTTP uploaded files (will use system default if not
  ; specified).
 -;upload_tmp_dir =
 +upload_tmp_dir = /tmp
  ; Maximum allowed size for uploaded files.
  upload_max_filesize = 2M
 +; Maximum number of files that can be uploaded via a single request
 +max_file_uploads = 100
  ;;;;;;;;;;;;;;;;;;
  ; Fopen wrappers ;

--- pkgsrc/lang/php5/patches/Attic/patch-ah 2005/12/06 08:32:22 1.1
+++ pkgsrc/lang/php5/patches/Attic/patch-ah 2009/11/30 06:14:08 1.2

 @@ -1,25 +1,44 @@
-$NetBSD: patch-ah,v 1.1 2005/12/06 08:32:22 jdolecek Exp $
+$NetBSD: patch-ah,v 1.2 2009/11/30 06:14:08 taca Exp $
---- php.ini-recommended.orig	2005-11-15 00:14:23.000000000 +0100
+* Ajust for pkgsrc.
 * Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
 	http://svn.php.net/viewvc?view=revision&revision=289990
 --- php.ini-recommended.orig	2009-03-02 13:44:35.000000000 +0900
 +++ php.ini-recommended
-@@ -515,8 +515,9 @@ doc_root =
+@@ -522,7 +522,7 @@ default_mimetype = "text/html"
  ;;;;;;;;;;;;;;;;;;;;;;;;;
  ; UNIX: "/path1:/path2"
 -;include_path = ".:/php/includes"
 +include_path = ".:@PREFIX@/lib/php"
+ ;
  ; Windows: "\path1;\path2"
  ;include_path = ".;c:\php\includes"
@@ -538,8 +538,9 @@ doc_root =
  ; if nonempty.
  user_dir =
 -; Directory in which the loadable extensions (modules) reside.
 -extension_dir = "./"
 +; Directory in which the loadable extensions (modules) reside. If not
 +; defined, then use the extension directory specified at compile-time.
 +; extension_dir = "./"
  ; Whether or not to enable the dl() function.  The dl() function does NOT work
  ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -566,7 +567,7 @@ file_uploads = On
+@@ -597,11 +598,13 @@ file_uploads = On
  ; Temporary directory for HTTP uploaded files (will use system default if not
  ; specified).
 -;upload_tmp_dir =
 +upload_tmp_dir = /tmp
  ; Maximum allowed size for uploaded files.
  upload_max_filesize = 2M
 +; Maximum number of files that can be uploaded via a single request
 +max_file_uploads = 100
  ;;;;;;;;;;;;;;;;;;
  ; Fopen wrappers ;

--- pkgsrc/lang/php5/patches/Attic/patch-ay 2009/10/22 14:37:47 1.1
+++ pkgsrc/lang/php5/patches/Attic/patch-ay 2009/11/30 06:14:08 1.2

 @@ -1,17 +1,17 @@
-$NetBSD: patch-ay,v 1.1 2009/10/22 14:37:47 taca Exp $
+$NetBSD: patch-ay,v 1.2 2009/11/30 06:14:08 taca Exp $
 * Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
-  from PHP's SVN repositry r289557.
+	http://svn.php.net/viewvc?view=revision&revision=289557
 --- ext/gd/libgd/gd_gd.c.orig	2007-08-09 23:21:38.000000000 +0900
 +++ ext/gd/libgd/gd_gd.c
 @@ -39,6 +39,9 @@ int _gdGetColors (gdIOCtx * in, gdImageP
  			if (!gdGetWord(&im->colorsTotal, in)) {
  				goto fail1;
+ 			}
 +			if (im->colorsTotal > gdMaxColors) {
 +				goto fail1;
 +			}
+ 		}
  		/* Int to accommodate truecolor single-color transparency */
  		if (!gdGetInt(&im->transparent, in)) {

--- pkgsrc/lang/php5/patches/Attic/patch-az 2009/10/22 14:49:06 1.1
+++ pkgsrc/lang/php5/patches/Attic/patch-az 2009/11/30 06:14:08 1.2

 @@ -1,16 +1,21 @@
 $NetBSD$
-* Fix for htmlspecialchars(): r289411, r289554, r289565, r289567, r289605.
+* Fix for htmlspecialchars():
 	http://svn.php.net/viewvc?view=revision&revision=289411
 	http://svn.php.net/viewvc?view=revision&revision=289554
 	http://svn.php.net/viewvc?view=revision&revision=289565
 	http://svn.php.net/viewvc?view=revision&revision=289567
 	http://svn.php.net/viewvc?view=revision&revision=289605
 --- ext/standard/html.c.orig	2008-12-31 20:17:49.000000000 +0900
 +++ ext/standard/html.c
 @@ -484,15 +484,31 @@ struct basic_entities_dec {
  			}                        \
  			mbseq[mbpos++] = (mbchar); }
 -#define CHECK_LEN(pos, chars_need)			\
 -	if((str_len - (pos)) < chars_need) {	\
 -		*status = FAILURE;					\
 -		return 0;							\
 +/* skip one byte and return */
 +#define MB_FAILURE(pos) do {	\

$NetBSD: patch-ba,v 1.1 2009/11/30 06:14:08 taca Exp $

Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558:
	http://svn.php.net/viewvc?view=revision&revision=288934

--- ext/posix/posix.c.orig	2009-08-06 20:11:15.000000000 +0900
+++ ext/posix/posix.c
@@ -679,7 +679,8 @@ PHP_FUNCTION(posix_mkfifo)
 		RETURN_FALSE;
 	}
 
-	if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+	if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
+		(PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
 		RETURN_FALSE;
 	}

$NetBSD: patch-bb,v 1.1 2009/11/30 06:14:08 taca Exp $

Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557:
	http://svn.php.net/viewvc?view=revision&revision=288945
	http://svn.php.net/viewvc?view=revision&revision=288971

--- ext/standard/file.c.orig	2009-11-30 10:04:51.000000000 +0900
+++ ext/standard/file.c
@@ -838,6 +838,10 @@ PHP_FUNCTION(tempnam)
 	convert_to_string_ex(arg1);
 	convert_to_string_ex(arg2);
 
+	if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+		RETURN_FALSE;
+	}
+
 	if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
 		RETURN_FALSE;
 	}

$NetBSD: patch-bc,v 1.1 2009/11/30 06:14:08 taca Exp $

Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
	http://svn.php.net/viewvc?view=revision&revision=289990

--- main/main.c.orig	2009-11-30 10:04:51.000000000 +0900
+++ main/main.c
@@ -455,6 +455,7 @@ PHP_INI_BEGIN()
 	PHP_INI_ENTRY("mail.force_extra_parameters",NULL,		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnChangeMailForceExtra)
 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
+	PHP_INI_ENTRY("max_file_uploads",			"100",		PHP_INI_SYSTEM,		NULL)
 
 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,	core_globals)
 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,	core_globals)

$NetBSD: patch-bd,v 1.1 2009/11/30 06:14:08 taca Exp $

Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
	http://svn.php.net/viewvc?view=revision&revision=289990
	http://svn.php.net/viewvc?view=revision&revision=290820
	http://svn.php.net/viewvc?view=revision&revision=290885

--- main/rfc1867.c.orig	2008-12-31 20:17:49.000000000 +0900
+++ main/rfc1867.c
@@ -32,6 +32,7 @@
 #include "php_globals.h"
 #include "php_variables.h"
 #include "rfc1867.h"
+#include "php_ini.h"
 
 #define DEBUG_FILE_UPLOAD ZEND_DEBUG
 
@@ -794,8 +795,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
 	zend_llist header;
 	void *event_extra_data = NULL;
 	int llen = 0;
+	int upload_cnt = INI_INT("max_file_uploads");
 
-	if (SG(request_info).content_length > SG(post_max_size)) {
+	if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
 		sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
 		return;
 	}
@@ -972,6 +974,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
 			/* If file_uploads=off, skip the file part */
 			if (!PG(file_uploads)) {
 				skip_upload = 1;
+			} else if (upload_cnt <= 0) {
+				skip_upload = 1;
+				sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
 			}
 
 			/* Return with an error if the posted data is garbled */
@@ -1016,6 +1021,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
 			if (!skip_upload) {
 				/* Handle file */
 				fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
+				upload_cnt--;
 				if (fd==-1) {
 					sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
 					cancel_upload = UPLOAD_ERROR_E;