Pullup ticket #2939 - requested by taca php5: security patch Revisions pulled up: - lang/php5/Makefile 1.73-1.74 - lang/php5/distinfo 1.69-1.70 - lang/php5/patches/patch-ag 1.3 - lang/php5/patches/patch-ah 1.2 - lang/php5/patches/patch-ay 1.2 - lang/php5/patches/patch-az 1.1-1.2 - lang/php5/patches/patch-ba 1.1 - lang/php5/patches/patch-bb 1.1 - lang/php5/patches/patch-bc 1.1 - lang/php5/patches/patch-bd 1.1 --- Module Name: pkgsrc Committed By: taca Date: Thu Oct 22 14:49:06 UTC 2009 Modified Files: pkgsrc/lang/php5: Makefile distinfo Added Files: pkgsrc/lang/php5/patches: patch-az Log Message: Add patch to check byte sequence more strictly in htmlspecialchars(). http://bugs.php.net/bug.php?id=49785 These are patch refrects r289411, r289554, r289565, r289567 and r289605 in PHP svn repositry. Bump PKGREVISION. --- Module Name: pkgsrc Committed By: taca Date: Mon Nov 30 06:14:08 UTC 2009 Modified Files: pkgsrc/lang/php5: Makefile distinfo pkgsrc/lang/php5/patches: patch-ag patch-ah patch-ay patch-az Added Files: pkgsrc/lang/php5/patches: patch-ba patch-bb patch-bc patch-bd Log Message: Add fixes for http://secunia.com/advisories/37412/ from PHP's repositry. 1. CVE-2009-3292 is already fixed in 5.2.11. 2. CVE-2009-3558 http://svn.php.net/viewvc?view=revision&revision=288934 3. CVE-2009-3557 http://svn.php.net/viewvc?view=revision&revision=288945 http://svn.php.net/viewvc?view=revision&revision=288971 4. CVE-2009-4017 http://svn.php.net/viewvc?view=revision&revision=289990 http://svn.php.net/viewvc?view=revision&revision=290820 http://svn.php.net/viewvc?view=revision&revision=290885 Other pkgsrc changes: * Don't hardcord /usr/pkg in php.ini-dist and php.ini-recommended. * Add comments to some of patch files. Bump PKGREVISION.

(tron)

 @@ -1,16 +1,17 @@
-# $NetBSD: Makefile,v 1.72 2009/06/09 15:15:07 sketch Exp $
+# $NetBSD: Makefile,v 1.72.4.1 2009/11/30 23:10:19 tron Exp $
 PKGNAME=		php-${PHP_BASE_VERS}
 PKGREVISION=		2
 CATEGORIES=		lang
 HOMEPAGE=		http://www.php.net/
 COMMENT=		PHP Hypertext Preprocessor version 5
 TEST_TARGET=		test
 PKG_DESTDIR_SUPPORT=	user-destdir
 USE_TOOLS+=		gmake lex pkg-config
 LIBTOOL_OVERRIDE=	# empty
 PKG_OPTIONS_REQUIRED_GROUPS+=	sapi
 PKG_OPTIONS_GROUP.sapi=	cgi fastcgi
 PKG_SUGGESTED_OPTIONS+=	cgi
 @@ -26,40 +27,40 @@ CONFIGURE_ARGS+=	--enable-force-cgi-redi
 CONFIGURE_ARGS+=	--enable-fastcgi
 .endif
 CGIDIR=			${PREFIX}/libexec/cgi-bin
 EGDIR=			${PREFIX}/share/examples/php
 MESSAGE_SUBST+=		CGIDIR=${CGIDIR:Q}
 CONFIGURE_ENV+=		lt_cv_path_SED=${SED:Q}
 MAKE_ENV+=		INSTALL_ROOT=${DESTDIR:Q}
 CONF_FILES=		${EGDIR}/php.ini-recommended ${PKG_SYSCONFDIR}/php.ini
 OWN_DIRS=		${PREFIX}/${PHP_EXTENSION_DIR}
-SUBST_CLASSES+=		cgi
+SUBST_CLASSES+=		path
-SUBST_MESSAGE.cgi=	Fixing CGI path.
+SUBST_MESSAGE.path=	Fixing common paths.
-SUBST_STAGE.cgi=	pre-configure
+SUBST_STAGE.path=	pre-configure
-SUBST_FILES.cgi=	configure
+SUBST_FILES.path=	configure php.ini-dist php.ini-recommended
-SUBST_SED.cgi=		-e 's,@CGIDIR@,${CGIDIR},g'
+SUBST_SED.path=		-e 's,@CGIDIR@,${CGIDIR},g'
 SUBST_SED.path+=	-e 's,@PREFIX@,${PREFIX},g'
 INSTALLATION_DIRS+=	${CGIDIR}
 # Make sure modules can link correctly
 .if ${OPSYS} == "Darwin"
 INSTALL_UNSTRIPPED=	yes
 .endif
 pre-install:
 	${INSTALL_DATA_DIR} ${DESTDIR:Q}${CGIDIR:Q}
 post-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/sapi/cli/php \
 		${DESTDIR:Q}${PREFIX:Q}/bin/php
 	${INSTALL_DATA} ${WRKSRC}/sapi/cli/php.1 \
 		${DESTDIR:Q}${PREFIX:Q}/${PKGMANDIR}/man1/php.1
 	${INSTALL_PROGRAM} ${WRKSRC}/sapi/cgi/php-cgi \
 		${DESTDIR:Q}${CGIDIR:Q}/php
 	${INSTALL_DATA_DIR} ${DESTDIR:Q}${EGDIR:Q}
 	cd ${WRKSRC}; ${INSTALL_DATA} php.ini-dist php.ini-recommended \
 		${DESTDIR:Q}${EGDIR:Q}
 	${INSTALL_DATA_DIR} ${DESTDIR:Q}${PREFIX:Q}/share/php
 	${INSTALL_DATA} ${WRKSRC}/php.gif ${DESTDIR:Q}${PREFIX:Q}/share/php

 @@ -1,19 +1,24 @@
-$NetBSD: distinfo,v 1.67.2.1 2009/10/22 21:25:08 tron Exp $
+$NetBSD: distinfo,v 1.67.2.2 2009/11/30 23:10:20 tron Exp $
 SHA1 (php-5.2.11/php-5.2.11.tar.bz2) = 819c853ce657ef260d4a73b5a21f961115b97eef
 RMD160 (php-5.2.11/php-5.2.11.tar.bz2) = 6aad53dee864ab89f794a9d3c2aa32d435ed5654
 Size (php-5.2.11/php-5.2.11.tar.bz2) = 9030787 bytes
 SHA1 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 248419332131efc53f3306c2a57a4b1a9dc92cc1
 RMD160 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 0f6d442aace34c221f9fbff42a63e7f3b4489f15
 Size (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 23050 bytes
 SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
-SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
+SHA1 (patch-ag) = 901552355a3d57d9b8e23b31cd0edfd28db8b2bb
-SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587
+SHA1 (patch-ah) = 7702da73f3a457ee381542b454d19b1f4b421e01
 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
 SHA1 (patch-al) = 0ee37782cc0d3bf5ede1a583de0589c2c1316b50
 SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602
 SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce
 SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df
 SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d
 SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1
-SHA1 (patch-ay) = c2667dd398c1c58e55f459f2df02613dc028e9cc
+SHA1 (patch-ay) = 7ae502db6574a91fcbb487d37c14a5de644b01b6
 SHA1 (patch-az) = 04e69038e693cc72fb0f67ce04dd1778dacb1756
 SHA1 (patch-ba) = d9483f61b19c297eced12ae3d84d5163e33327b4
 SHA1 (patch-bb) = abbc8747e520d3665d3bcccf9c87741ecc6dc210
 SHA1 (patch-bc) = 9cb2e7fcd6f91d3382a69d68a80d72fdb8fbf2a7
 SHA1 (patch-bd) = 85c891ada42c062b365051b43a3b53c33fa39a92

 @@ -1,25 +1,44 @@
-$NetBSD: patch-ag,v 1.2 2006/02/06 06:39:59 martti Exp $
+$NetBSD: patch-ag,v 1.2.34.1 2009/11/30 23:10:20 tron Exp $
---- php.ini-dist.orig	2005-12-30 19:15:55.000000000 +0200
+* Ajust for pkgsrc.
-+++ php.ini-dist	2006-02-05 15:36:13.000000000 +0200
+* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
-@@ -457,8 +457,9 @@
+	http://svn.php.net/viewvc?view=revision&revision=289990
 --- php.ini-dist.orig	2009-02-14 01:55:18.000000000 +0900
 +++ php.ini-dist
@@ -471,7 +471,7 @@ default_mimetype = "text/html"
  ;;;;;;;;;;;;;;;;;;;;;;;;;
  ; UNIX: "/path1:/path2"
 -;include_path = ".:/php/includes"
 +include_path = ".:@PREFIX@/lib/php"
+ ;
  ; Windows: "\path1;\path2"
  ;include_path = ".;c:\php\includes"
@@ -487,8 +487,9 @@ doc_root =
  ; if nonempty.
  user_dir =
 -; Directory in which the loadable extensions (modules) reside.
 -extension_dir = "./"
 +; Directory in which the loadable extensions (modules) reside. If not
 +; defined, then use the extension directory specified at compile-time.
 +; extension_dir = "./"
  ; Whether or not to enable the dl() function.  The dl() function does NOT work
  ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -508,7 +509,7 @@
+@@ -546,11 +547,13 @@ file_uploads = On
  ; Temporary directory for HTTP uploaded files (will use system default if not
  ; specified).
 -;upload_tmp_dir =
 +upload_tmp_dir = /tmp
  ; Maximum allowed size for uploaded files.
  upload_max_filesize = 2M
 +; Maximum number of files that can be uploaded via a single request
 +max_file_uploads = 100
  ;;;;;;;;;;;;;;;;;;
  ; Fopen wrappers ;

 @@ -1,25 +1,44 @@
-$NetBSD: patch-ah,v 1.1 2005/12/06 08:32:22 jdolecek Exp $
+$NetBSD: patch-ah,v 1.1.36.1 2009/11/30 23:10:20 tron Exp $
---- php.ini-recommended.orig	2005-11-15 00:14:23.000000000 +0100
+* Ajust for pkgsrc.
 * Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
 	http://svn.php.net/viewvc?view=revision&revision=289990
 --- php.ini-recommended.orig	2009-03-02 13:44:35.000000000 +0900
 +++ php.ini-recommended
-@@ -515,8 +515,9 @@ doc_root =
+@@ -522,7 +522,7 @@ default_mimetype = "text/html"
  ;;;;;;;;;;;;;;;;;;;;;;;;;
  ; UNIX: "/path1:/path2"
 -;include_path = ".:/php/includes"
 +include_path = ".:@PREFIX@/lib/php"
+ ;
  ; Windows: "\path1;\path2"
  ;include_path = ".;c:\php\includes"
@@ -538,8 +538,9 @@ doc_root =
  ; if nonempty.
  user_dir =
 -; Directory in which the loadable extensions (modules) reside.
 -extension_dir = "./"
 +; Directory in which the loadable extensions (modules) reside. If not
 +; defined, then use the extension directory specified at compile-time.
 +; extension_dir = "./"
  ; Whether or not to enable the dl() function.  The dl() function does NOT work
  ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -566,7 +567,7 @@ file_uploads = On
+@@ -597,11 +598,13 @@ file_uploads = On
  ; Temporary directory for HTTP uploaded files (will use system default if not
  ; specified).
 -;upload_tmp_dir =
 +upload_tmp_dir = /tmp
  ; Maximum allowed size for uploaded files.
  upload_max_filesize = 2M
 +; Maximum number of files that can be uploaded via a single request
 +max_file_uploads = 100
  ;;;;;;;;;;;;;;;;;;
  ; Fopen wrappers ;

 @@ -1,17 +1,17 @@
-$NetBSD: patch-ay,v 1.1.2.2 2009/10/22 21:25:08 tron Exp $
+$NetBSD: patch-ay,v 1.1.2.3 2009/11/30 23:10:20 tron Exp $
 * Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
-  from PHP's SVN repositry r289557.
+	http://svn.php.net/viewvc?view=revision&revision=289557
 --- ext/gd/libgd/gd_gd.c.orig	2007-08-09 23:21:38.000000000 +0900
 +++ ext/gd/libgd/gd_gd.c
 @@ -39,6 +39,9 @@ int _gdGetColors (gdIOCtx * in, gdImageP
  			if (!gdGetWord(&im->colorsTotal, in)) {
  				goto fail1;
+ 			}
 +			if (im->colorsTotal > gdMaxColors) {
 +				goto fail1;
 +			}
+ 		}
  		/* Int to accommodate truecolor single-color transparency */
  		if (!gdGetInt(&im->transparent, in)) {

$NetBSD$ * Fix for htmlspecialchars(): http://svn.php.net/viewvc?view=revision&revision=289411 http://svn.php.net/viewvc?view=revision&revision=289554 http://svn.php.net/viewvc?view=revision&revision=289565 http://svn.php.net/viewvc?view=revision&revision=289567 http://svn.php.net/viewvc?view=revision&revision=289605 --- ext/standard/html.c.orig 2008-12-31 20:17:49.000000000 +0900 +++ ext/standard/html.c @@ -484,15 +484,31 @@ struct basic_entities_dec { } \ mbseq[mbpos++] = (mbchar); } -#define CHECK_LEN(pos, chars_need) \ - if((str_len - (pos)) < chars_need) { \ - *status = FAILURE; \ - return 0; \ +/* skip one byte and return */ +#define MB_FAILURE(pos) do { \ + *newpos = pos + 1; \ + *status = FAILURE; \ + return 0; \ + } while (0) + +#define CHECK_LEN(pos, chars_need) \ + if (chars_need < 1) { \ + if((str_len - (pos)) < chars_need) { \ + *newpos = pos; \ + *status = FAILURE; \ + return 0; \ + } \ + } else { \ + if((str_len - (pos)) < chars_need) { \ + *newpos = pos + 1; \ + *status = FAILURE; \ + return 0; \ + } \ } /* {{{ get_next_char */ -inline static unsigned short get_next_char(enum entity_charset charset, +inline static unsigned int get_next_char(enum entity_charset charset, unsigned char * str, int str_len, int * newpos, @@ -503,205 +519,189 @@ inline static unsigned short get_next_ch int pos = *newpos; int mbpos = 0; int mbspace = *mbseqlen; - unsigned short this_char = str[pos++]; + unsigned int this_char = 0; unsigned char next_char; *status = SUCCESS; - + if (mbspace <= 0) { *mbseqlen = 0; - return this_char; + CHECK_LEN(pos, 1); + *newpos = pos + 1; + *newpos = pos + 1; } - - MB_WRITE((unsigned char)this_char); - + switch (charset) { case cs_utf_8: { - unsigned long utf = 0; - int stat = 0; - int more = 1; - - /* unpack utf-8 encoding into a wide char. - * Code stolen from the mbstring extension */ - - do { - if (this_char < 0x80) { - more = 0; - if(stat) { - /* we didn't finish the UTF sequence correctly */ - *status = FAILURE; - } - break; - } else if (this_char < 0xc0) { - switch (stat) { - case 0x10: /* 2, 2nd */ - case 0x21: /* 3, 3rd */ - case 0x32: /* 4, 4th */ - case 0x43: /* 5, 5th */ - case 0x54: /* 6, 6th */ - /* last byte in sequence */ - more = 0; - utf |= (this_char & 0x3f); - this_char = (unsigned short)utf; - break; - case 0x20: /* 3, 2nd */ - case 0x31: /* 4, 3rd */ - case 0x42: /* 5, 4th */ - case 0x53: /* 6, 5th */ - /* penultimate char */ - utf |= ((this_char & 0x3f) << 6); - stat++; - break; - case 0x30: /* 4, 2nd */ - case 0x41: /* 5, 3rd */ - case 0x52: /* 6, 4th */ - utf |= ((this_char & 0x3f) << 12); - stat++; - break; - case 0x40: /* 5, 2nd */ - case 0x51: - utf |= ((this_char & 0x3f) << 18); - stat++; - break; - case 0x50: /* 6, 2nd */ - utf |= ((this_char & 0x3f) << 24); - stat++; - break; - default: - /* invalid */ - *status = FAILURE; - more = 0; - } - } - /* lead byte */ - else if (this_char < 0xe0) { - stat = 0x10; /* 2 byte */ - utf = (this_char & 0x1f) << 6; - CHECK_LEN(pos, 1); - } else if (this_char < 0xf0) { - stat = 0x20; /* 3 byte */ - utf = (this_char & 0xf) << 12; - CHECK_LEN(pos, 2); - } else if (this_char < 0xf8) { - stat = 0x30; /* 4 byte */ - utf = (this_char & 0x7) << 18; - CHECK_LEN(pos, 3); - } else if (this_char < 0xfc) { - stat = 0x40; /* 5 byte */ - utf = (this_char & 0x3) << 24; - CHECK_LEN(pos, 4); - } else if (this_char < 0xfe) { - stat = 0x50; /* 6 byte */ - utf = (this_char & 0x1) << 30; - CHECK_LEN(pos, 5); - } else { - /* invalid; bail */ - more = 0; - *status = FAILURE; - break; + unsigned char c; + CHECK_LEN(pos, 1); + c = str[pos]; + if (c < 0x80) { + MB_WRITE(c); + this_char = c; + pos++; + } else if (c < 0xc0) { + MB_FAILURE(pos); + } else if (c < 0xe0) { + CHECK_LEN(pos, 2); + if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { + MB_FAILURE(pos); } - - if (more) { - this_char = str[pos++]; - MB_WRITE((unsigned char)this_char); + this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f); + if (this_char < 0x80) { + MB_FAILURE(pos); } - } while (more); + MB_WRITE((unsigned char)c); + MB_WRITE((unsigned char)str[pos + 1]); + pos += 2; + } else if (c < 0xf0) { + CHECK_LEN(pos, 3); + if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { + MB_FAILURE(pos); + } + if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) { + MB_FAILURE(pos); + } + this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f); + if (this_char < 0x800) { + MB_FAILURE(pos); + } + MB_WRITE((unsigned char)c); + MB_WRITE((unsigned char)str[pos + 1]); + MB_WRITE((unsigned char)str[pos + 2]); + pos += 3; + } else if (c < 0xf8) { + CHECK_LEN(pos, 4); + if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { + MB_FAILURE(pos); + } + if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) { + MB_FAILURE(pos); + } + if (str[pos + 3] < 0x80 || str[pos + 3] > 0xbf) { + MB_FAILURE(pos); + } + this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f); + if (this_char < 0x10000) { + MB_FAILURE(pos); + } + MB_WRITE((unsigned char)c); + MB_WRITE((unsigned char)str[pos + 1]); + MB_WRITE((unsigned char)str[pos + 2]); + MB_WRITE((unsigned char)str[pos + 3]); + pos += 4; + } else { + MB_FAILURE(pos); + } } break; case cs_big5: case cs_gb2312: case cs_big5hkscs: { + CHECK_LEN(pos, 1); + this_char = str[pos++]; /* check if this is the first of a 2-byte sequence */ - if (this_char >= 0xa1 && this_char <= 0xfe) { + if (this_char >= 0x81 && this_char <= 0xfe) { /* peek at the next char */ CHECK_LEN(pos, 1); - next_char = str[pos]; + next_char = str[pos++]; if ((next_char >= 0x40 && next_char <= 0x7e) || (next_char >= 0xa1 && next_char <= 0xfe)) { /* yes, this a wide char */ - this_char <<= 8; + MB_WRITE(this_char); MB_WRITE(next_char); - this_char |= next_char; - pos++; + this_char = (this_char << 8) | next_char; + } else { + MB_FAILURE(pos); } - + } else { + MB_WRITE(this_char); } - break; } + break; case cs_sjis: { + CHECK_LEN(pos, 1); + this_char = str[pos++]; /* check if this is the first of a 2-byte sequence */ - if ( (this_char >= 0x81 && this_char <= 0x9f) || - (this_char >= 0xe0 && this_char <= 0xef) - ) { + if ((this_char >= 0x81 && this_char <= 0x9f) || + (this_char >= 0xe0 && this_char <= 0xfc)) { /* peek at the next char */ CHECK_LEN(pos, 1); - next_char = str[pos]; + next_char = str[pos++]; if ((next_char >= 0x40 && next_char <= 0x7e) || (next_char >= 0x80 && next_char <= 0xfc)) { /* yes, this a wide char */ - this_char <<= 8; + MB_WRITE(this_char); MB_WRITE(next_char); - this_char |= next_char; - pos++; + this_char = (this_char << 8) | next_char; + } else { + MB_FAILURE(pos); } - + } else { + MB_WRITE(this_char); } break; } case cs_eucjp: { + CHECK_LEN(pos, 1); + this_char = str[pos++]; /* check if this is the first of a multi-byte sequence */ if (this_char >= 0xa1 && this_char <= 0xfe) { /* peek at the next char */ CHECK_LEN(pos, 1); - next_char = str[pos]; + next_char = str[pos++]; if (next_char >= 0xa1 && next_char <= 0xfe) { /* yes, this a jis kanji char */ - this_char <<= 8; + MB_WRITE(this_char); MB_WRITE(next_char); - this_char |= next_char; - pos++; + this_char = (this_char << 8) | next_char; + } else { + MB_FAILURE(pos); } - } else if (this_char == 0x8e) { /* peek at the next char */ CHECK_LEN(pos, 1); - next_char = str[pos]; + next_char = str[pos++]; if (next_char >= 0xa1 && next_char <= 0xdf) { /* JIS X 0201 kana */ - this_char <<= 8; + MB_WRITE(this_char); MB_WRITE(next_char); - this_char |= next_char; - pos++; + this_char = (this_char << 8) | next_char; + } else { + MB_FAILURE(pos); } - } else if (this_char == 0x8f) { /* peek at the next two char */ unsigned char next2_char; CHECK_LEN(pos, 2); next_char = str[pos]; - next2_char = str[pos+1]; + next2_char = str[pos + 1]; + pos += 2; if ((next_char >= 0xa1 && next_char <= 0xfe) && (next2_char >= 0xa1 && next2_char <= 0xfe)) { /* JIS X 0212 hojo-kanji */ - this_char <<= 8; + MB_WRITE(this_char); MB_WRITE(next_char); - this_char |= next_char; - pos++; - this_char <<= 8; MB_WRITE(next2_char); - this_char |= next2_char; - pos++; + this_char = (this_char << 16) | (next_char << 8) | next2_char; + } else { + MB_FAILURE(pos); } - + } else { + MB_WRITE(this_char); } break; } default: + /* single-byte charsets */ + CHECK_LEN(pos, 1); + this_char = str[pos++]; + MB_WRITE(this_char); break; } MB_RETURN; @@ -1132,7 +1132,7 @@ PHPAPI char *php_escape_html_entities_ex unsigned char mbsequence[16]; /* allow up to 15 characters in a multibyte sequence */ int mbseqlen = sizeof(mbsequence); int status = SUCCESS; - unsigned short this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); + unsigned int this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); if(status == FAILURE) { /* invalid MB sequence */

$NetBSD: patch-ba,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558: http://svn.php.net/viewvc?view=revision&revision=288934 --- ext/posix/posix.c.orig 2009-08-06 20:11:15.000000000 +0900 +++ ext/posix/posix.c @@ -679,7 +679,8 @@ PHP_FUNCTION(posix_mkfifo) RETURN_FALSE; } - if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) { + if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) || + (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) { RETURN_FALSE; }

$NetBSD: patch-bb,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557: http://svn.php.net/viewvc?view=revision&revision=288945 http://svn.php.net/viewvc?view=revision&revision=288971 --- ext/standard/file.c.orig 2009-11-30 10:04:51.000000000 +0900 +++ ext/standard/file.c @@ -838,6 +838,10 @@ PHP_FUNCTION(tempnam) convert_to_string_ex(arg1); convert_to_string_ex(arg2); + if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) { + RETURN_FALSE; + } + if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) { RETURN_FALSE; }

$NetBSD: patch-bc,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: http://svn.php.net/viewvc?view=revision&revision=289990 --- main/main.c.orig 2009-11-30 10:04:51.000000000 +0900 +++ main/main.c @@ -455,6 +455,7 @@ PHP_INI_BEGIN() PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra) PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL) PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL) + PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL) STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)

$NetBSD: patch-bd,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: http://svn.php.net/viewvc?view=revision&revision=289990 http://svn.php.net/viewvc?view=revision&revision=290820 http://svn.php.net/viewvc?view=revision&revision=290885 --- main/rfc1867.c.orig 2008-12-31 20:17:49.000000000 +0900 +++ main/rfc1867.c @@ -32,6 +32,7 @@ #include "php_globals.h" #include "php_variables.h" #include "rfc1867.h" +#include "php_ini.h" #define DEBUG_FILE_UPLOAD ZEND_DEBUG @@ -794,8 +795,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ zend_llist header; void *event_extra_data = NULL; int llen = 0; + int upload_cnt = INI_INT("max_file_uploads"); - if (SG(request_info).content_length > SG(post_max_size)) { + if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) { sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size)); return; } @@ -972,6 +974,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ /* If file_uploads=off, skip the file part */ if (!PG(file_uploads)) { skip_upload = 1; + } else if (upload_cnt <= 0) { + skip_upload = 1; + sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded"); } /* Return with an error if the posted data is garbled */ @@ -1016,6 +1021,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ if (!skip_upload) { /* Handle file */ fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC); + upload_cnt--; if (fd==-1) { sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file"); cancel_upload = UPLOAD_ERROR_E;