Mon Nov 30 23:10:20 2009 UTC ()
Pullup ticket #2939 - requested by taca
php5: security patch
Revisions pulled up:
- lang/php5/Makefile 1.73-1.74
- lang/php5/distinfo 1.69-1.70
- lang/php5/patches/patch-ag 1.3
- lang/php5/patches/patch-ah 1.2
- lang/php5/patches/patch-ay 1.2
- lang/php5/patches/patch-az 1.1-1.2
- lang/php5/patches/patch-ba 1.1
- lang/php5/patches/patch-bb 1.1
- lang/php5/patches/patch-bc 1.1
- lang/php5/patches/patch-bd 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Oct 22 14:49:06 UTC 2009
Modified Files:
pkgsrc/lang/php5: Makefile distinfo
Added Files:
pkgsrc/lang/php5/patches: patch-az
Log Message:
Add patch to check byte sequence more strictly in htmlspecialchars().
http://bugs.php.net/bug.php?id=49785
These are patch refrects r289411, r289554, r289565, r289567 and r289605
in PHP svn repositry.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Nov 30 06:14:08 UTC 2009
Modified Files:
pkgsrc/lang/php5: Makefile distinfo
pkgsrc/lang/php5/patches: patch-ag patch-ah patch-ay patch-az
Added Files:
pkgsrc/lang/php5/patches: patch-ba patch-bb patch-bc patch-bd
Log Message:
Add fixes for http://secunia.com/advisories/37412/ from PHP's repositry.
1. CVE-2009-3292 is already fixed in 5.2.11.
2. CVE-2009-3558
http://svn.php.net/viewvc?view=revision&revision=288934
3. CVE-2009-3557
http://svn.php.net/viewvc?view=revision&revision=288945
http://svn.php.net/viewvc?view=revision&revision=288971
4. CVE-2009-4017
http://svn.php.net/viewvc?view=revision&revision=289990
http://svn.php.net/viewvc?view=revision&revision=290820
http://svn.php.net/viewvc?view=revision&revision=290885
Other pkgsrc changes:
* Don't hardcord /usr/pkg in php.ini-dist and php.ini-recommended.
* Add comments to some of patch files.
Bump PKGREVISION.
(tron)
diff -r1.72 -r1.72.4.1 pkgsrc/lang/php5/Makefile
diff -r1.67.2.1 -r1.67.2.2 pkgsrc/lang/php5/distinfo
diff -r1.2 -r1.2.34.1 pkgsrc/lang/php5/patches/patch-ag
diff -r1.1 -r1.1.36.1 pkgsrc/lang/php5/patches/patch-ah
diff -r1.1.2.2 -r1.1.2.3 pkgsrc/lang/php5/patches/patch-ay
diff -r0 -r1.2.2.2 pkgsrc/lang/php5/patches/patch-az
diff -r0 -r1.1.2.2 pkgsrc/lang/php5/patches/patch-ba
diff -r0 -r1.1.2.2 pkgsrc/lang/php5/patches/patch-bb
diff -r0 -r1.1.2.2 pkgsrc/lang/php5/patches/patch-bc
diff -r0 -r1.1.2.2 pkgsrc/lang/php5/patches/patch-bd
--- pkgsrc/lang/php5/Attic/Makefile 2009/06/09 15:15:07 1.72
+++ pkgsrc/lang/php5/Attic/Makefile 2009/11/30 23:10:19 1.72.4.1
| @@ -1,16 +1,17 @@ | | | @@ -1,16 +1,17 @@ |
1 | # $NetBSD: Makefile,v 1.72 2009/06/09 15:15:07 sketch Exp $ | | 1 | # $NetBSD: Makefile,v 1.72.4.1 2009/11/30 23:10:19 tron Exp $ |
2 | | | 2 | |
3 | PKGNAME= php-${PHP_BASE_VERS} | | 3 | PKGNAME= php-${PHP_BASE_VERS} |
| | | 4 | PKGREVISION= 2 |
4 | CATEGORIES= lang | | 5 | CATEGORIES= lang |
5 | HOMEPAGE= http://www.php.net/ | | 6 | HOMEPAGE= http://www.php.net/ |
6 | COMMENT= PHP Hypertext Preprocessor version 5 | | 7 | COMMENT= PHP Hypertext Preprocessor version 5 |
7 | | | 8 | |
8 | TEST_TARGET= test | | 9 | TEST_TARGET= test |
9 | PKG_DESTDIR_SUPPORT= user-destdir | | 10 | PKG_DESTDIR_SUPPORT= user-destdir |
10 | | | 11 | |
11 | USE_TOOLS+= gmake lex pkg-config | | 12 | USE_TOOLS+= gmake lex pkg-config |
12 | LIBTOOL_OVERRIDE= # empty | | 13 | LIBTOOL_OVERRIDE= # empty |
13 | | | 14 | |
14 | PKG_OPTIONS_REQUIRED_GROUPS+= sapi | | 15 | PKG_OPTIONS_REQUIRED_GROUPS+= sapi |
15 | PKG_OPTIONS_GROUP.sapi= cgi fastcgi | | 16 | PKG_OPTIONS_GROUP.sapi= cgi fastcgi |
16 | PKG_SUGGESTED_OPTIONS+= cgi | | 17 | PKG_SUGGESTED_OPTIONS+= cgi |
| @@ -26,40 +27,40 @@ CONFIGURE_ARGS+= --enable-force-cgi-redi | | | @@ -26,40 +27,40 @@ CONFIGURE_ARGS+= --enable-force-cgi-redi |
26 | CONFIGURE_ARGS+= --enable-fastcgi | | 27 | CONFIGURE_ARGS+= --enable-fastcgi |
27 | .endif | | 28 | .endif |
28 | | | 29 | |
29 | CGIDIR= ${PREFIX}/libexec/cgi-bin | | 30 | CGIDIR= ${PREFIX}/libexec/cgi-bin |
30 | EGDIR= ${PREFIX}/share/examples/php | | 31 | EGDIR= ${PREFIX}/share/examples/php |
31 | MESSAGE_SUBST+= CGIDIR=${CGIDIR:Q} | | 32 | MESSAGE_SUBST+= CGIDIR=${CGIDIR:Q} |
32 | | | 33 | |
33 | CONFIGURE_ENV+= lt_cv_path_SED=${SED:Q} | | 34 | CONFIGURE_ENV+= lt_cv_path_SED=${SED:Q} |
34 | MAKE_ENV+= INSTALL_ROOT=${DESTDIR:Q} | | 35 | MAKE_ENV+= INSTALL_ROOT=${DESTDIR:Q} |
35 | | | 36 | |
36 | CONF_FILES= ${EGDIR}/php.ini-recommended ${PKG_SYSCONFDIR}/php.ini | | 37 | CONF_FILES= ${EGDIR}/php.ini-recommended ${PKG_SYSCONFDIR}/php.ini |
37 | OWN_DIRS= ${PREFIX}/${PHP_EXTENSION_DIR} | | 38 | OWN_DIRS= ${PREFIX}/${PHP_EXTENSION_DIR} |
38 | | | 39 | |
39 | SUBST_CLASSES+= cgi | | 40 | SUBST_CLASSES+= path |
40 | SUBST_MESSAGE.cgi= Fixing CGI path. | | 41 | SUBST_MESSAGE.path= Fixing common paths. |
41 | SUBST_STAGE.cgi= pre-configure | | 42 | SUBST_STAGE.path= pre-configure |
42 | SUBST_FILES.cgi= configure | | 43 | SUBST_FILES.path= configure php.ini-dist php.ini-recommended |
43 | SUBST_SED.cgi= -e 's,@CGIDIR@,${CGIDIR},g' | | 44 | SUBST_SED.path= -e 's,@CGIDIR@,${CGIDIR},g' |
| | | 45 | SUBST_SED.path+= -e 's,@PREFIX@,${PREFIX},g' |
| | | 46 | |
| | | 47 | INSTALLATION_DIRS+= ${CGIDIR} |
44 | | | 48 | |
45 | # Make sure modules can link correctly | | 49 | # Make sure modules can link correctly |
46 | .if ${OPSYS} == "Darwin" | | 50 | .if ${OPSYS} == "Darwin" |
47 | INSTALL_UNSTRIPPED= yes | | 51 | INSTALL_UNSTRIPPED= yes |
48 | .endif | | 52 | .endif |
49 | | | 53 | |
50 | pre-install: | | | |
51 | ${INSTALL_DATA_DIR} ${DESTDIR:Q}${CGIDIR:Q} | | | |
52 | | | | |
53 | post-install: | | 54 | post-install: |
54 | ${INSTALL_PROGRAM} ${WRKSRC}/sapi/cli/php \ | | 55 | ${INSTALL_PROGRAM} ${WRKSRC}/sapi/cli/php \ |
55 | ${DESTDIR:Q}${PREFIX:Q}/bin/php | | 56 | ${DESTDIR:Q}${PREFIX:Q}/bin/php |
56 | ${INSTALL_DATA} ${WRKSRC}/sapi/cli/php.1 \ | | 57 | ${INSTALL_DATA} ${WRKSRC}/sapi/cli/php.1 \ |
57 | ${DESTDIR:Q}${PREFIX:Q}/${PKGMANDIR}/man1/php.1 | | 58 | ${DESTDIR:Q}${PREFIX:Q}/${PKGMANDIR}/man1/php.1 |
58 | ${INSTALL_PROGRAM} ${WRKSRC}/sapi/cgi/php-cgi \ | | 59 | ${INSTALL_PROGRAM} ${WRKSRC}/sapi/cgi/php-cgi \ |
59 | ${DESTDIR:Q}${CGIDIR:Q}/php | | 60 | ${DESTDIR:Q}${CGIDIR:Q}/php |
60 | ${INSTALL_DATA_DIR} ${DESTDIR:Q}${EGDIR:Q} | | 61 | ${INSTALL_DATA_DIR} ${DESTDIR:Q}${EGDIR:Q} |
61 | cd ${WRKSRC}; ${INSTALL_DATA} php.ini-dist php.ini-recommended \ | | 62 | cd ${WRKSRC}; ${INSTALL_DATA} php.ini-dist php.ini-recommended \ |
62 | ${DESTDIR:Q}${EGDIR:Q} | | 63 | ${DESTDIR:Q}${EGDIR:Q} |
63 | ${INSTALL_DATA_DIR} ${DESTDIR:Q}${PREFIX:Q}/share/php | | 64 | ${INSTALL_DATA_DIR} ${DESTDIR:Q}${PREFIX:Q}/share/php |
64 | ${INSTALL_DATA} ${WRKSRC}/php.gif ${DESTDIR:Q}${PREFIX:Q}/share/php | | 65 | ${INSTALL_DATA} ${WRKSRC}/php.gif ${DESTDIR:Q}${PREFIX:Q}/share/php |
65 | | | 66 | |
--- pkgsrc/lang/php5/Attic/distinfo 2009/10/22 21:25:08 1.67.2.1
+++ pkgsrc/lang/php5/Attic/distinfo 2009/11/30 23:10:20 1.67.2.2
| @@ -1,19 +1,24 @@ | | | @@ -1,19 +1,24 @@ |
1 | $NetBSD: distinfo,v 1.67.2.1 2009/10/22 21:25:08 tron Exp $ | | 1 | $NetBSD: distinfo,v 1.67.2.2 2009/11/30 23:10:20 tron Exp $ |
2 | | | 2 | |
3 | SHA1 (php-5.2.11/php-5.2.11.tar.bz2) = 819c853ce657ef260d4a73b5a21f961115b97eef | | 3 | SHA1 (php-5.2.11/php-5.2.11.tar.bz2) = 819c853ce657ef260d4a73b5a21f961115b97eef |
4 | RMD160 (php-5.2.11/php-5.2.11.tar.bz2) = 6aad53dee864ab89f794a9d3c2aa32d435ed5654 | | 4 | RMD160 (php-5.2.11/php-5.2.11.tar.bz2) = 6aad53dee864ab89f794a9d3c2aa32d435ed5654 |
5 | Size (php-5.2.11/php-5.2.11.tar.bz2) = 9030787 bytes | | 5 | Size (php-5.2.11/php-5.2.11.tar.bz2) = 9030787 bytes |
6 | SHA1 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 248419332131efc53f3306c2a57a4b1a9dc92cc1 | | 6 | SHA1 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 248419332131efc53f3306c2a57a4b1a9dc92cc1 |
7 | RMD160 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 0f6d442aace34c221f9fbff42a63e7f3b4489f15 | | 7 | RMD160 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 0f6d442aace34c221f9fbff42a63e7f3b4489f15 |
8 | Size (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 23050 bytes | | 8 | Size (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 23050 bytes |
9 | SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20 | | 9 | SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20 |
10 | SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e | | 10 | SHA1 (patch-ag) = 901552355a3d57d9b8e23b31cd0edfd28db8b2bb |
11 | SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587 | | 11 | SHA1 (patch-ah) = 7702da73f3a457ee381542b454d19b1f4b421e01 |
12 | SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc | | 12 | SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc |
13 | SHA1 (patch-al) = 0ee37782cc0d3bf5ede1a583de0589c2c1316b50 | | 13 | SHA1 (patch-al) = 0ee37782cc0d3bf5ede1a583de0589c2c1316b50 |
14 | SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602 | | 14 | SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602 |
15 | SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce | | 15 | SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce |
16 | SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df | | 16 | SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df |
17 | SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d | | 17 | SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d |
18 | SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1 | | 18 | SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1 |
19 | SHA1 (patch-ay) = c2667dd398c1c58e55f459f2df02613dc028e9cc | | 19 | SHA1 (patch-ay) = 7ae502db6574a91fcbb487d37c14a5de644b01b6 |
| | | 20 | SHA1 (patch-az) = 04e69038e693cc72fb0f67ce04dd1778dacb1756 |
| | | 21 | SHA1 (patch-ba) = d9483f61b19c297eced12ae3d84d5163e33327b4 |
| | | 22 | SHA1 (patch-bb) = abbc8747e520d3665d3bcccf9c87741ecc6dc210 |
| | | 23 | SHA1 (patch-bc) = 9cb2e7fcd6f91d3382a69d68a80d72fdb8fbf2a7 |
| | | 24 | SHA1 (patch-bd) = 85c891ada42c062b365051b43a3b53c33fa39a92 |
--- pkgsrc/lang/php5/patches/Attic/patch-ag 2006/02/06 06:39:59 1.2
+++ pkgsrc/lang/php5/patches/Attic/patch-ag 2009/11/30 23:10:20 1.2.34.1
| @@ -1,25 +1,44 @@ | | | @@ -1,25 +1,44 @@ |
1 | $NetBSD: patch-ag,v 1.2 2006/02/06 06:39:59 martti Exp $ | | 1 | $NetBSD: patch-ag,v 1.2.34.1 2009/11/30 23:10:20 tron Exp $ |
2 | | | 2 | |
3 | --- php.ini-dist.orig 2005-12-30 19:15:55.000000000 +0200 | | 3 | * Ajust for pkgsrc. |
4 | +++ php.ini-dist 2006-02-05 15:36:13.000000000 +0200 | | 4 | * Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: |
5 | @@ -457,8 +457,9 @@ | | 5 | http://svn.php.net/viewvc?view=revision&revision=289990 |
| | | 6 | |
| | | 7 | --- php.ini-dist.orig 2009-02-14 01:55:18.000000000 +0900 |
| | | 8 | +++ php.ini-dist |
| | | 9 | @@ -471,7 +471,7 @@ default_mimetype = "text/html" |
| | | 10 | ;;;;;;;;;;;;;;;;;;;;;;;;; |
| | | 11 | |
| | | 12 | ; UNIX: "/path1:/path2" |
| | | 13 | -;include_path = ".:/php/includes" |
| | | 14 | +include_path = ".:@PREFIX@/lib/php" |
| | | 15 | ; |
| | | 16 | ; Windows: "\path1;\path2" |
| | | 17 | ;include_path = ".;c:\php\includes" |
| | | 18 | @@ -487,8 +487,9 @@ doc_root = |
6 | ; if nonempty. | | 19 | ; if nonempty. |
7 | user_dir = | | 20 | user_dir = |
8 | | | 21 | |
9 | -; Directory in which the loadable extensions (modules) reside. | | 22 | -; Directory in which the loadable extensions (modules) reside. |
10 | -extension_dir = "./" | | 23 | -extension_dir = "./" |
11 | +; Directory in which the loadable extensions (modules) reside. If not | | 24 | +; Directory in which the loadable extensions (modules) reside. If not |
12 | +; defined, then use the extension directory specified at compile-time. | | 25 | +; defined, then use the extension directory specified at compile-time. |
13 | +; extension_dir = "./" | | 26 | +; extension_dir = "./" |
14 | | | 27 | |
15 | ; Whether or not to enable the dl() function. The dl() function does NOT work | | 28 | ; Whether or not to enable the dl() function. The dl() function does NOT work |
16 | ; properly in multithreaded servers, such as IIS or Zeus, and is automatically | | 29 | ; properly in multithreaded servers, such as IIS or Zeus, and is automatically |
17 | @@ -508,7 +509,7 @@ | | 30 | @@ -546,11 +547,13 @@ file_uploads = On |
18 | | | 31 | |
19 | ; Temporary directory for HTTP uploaded files (will use system default if not | | 32 | ; Temporary directory for HTTP uploaded files (will use system default if not |
20 | ; specified). | | 33 | ; specified). |
21 | -;upload_tmp_dir = | | 34 | -;upload_tmp_dir = |
22 | +upload_tmp_dir = /tmp | | 35 | +upload_tmp_dir = /tmp |
23 | | | 36 | |
24 | ; Maximum allowed size for uploaded files. | | 37 | ; Maximum allowed size for uploaded files. |
25 | upload_max_filesize = 2M | | 38 | upload_max_filesize = 2M |
| | | 39 | |
| | | 40 | +; Maximum number of files that can be uploaded via a single request |
| | | 41 | +max_file_uploads = 100 |
| | | 42 | |
| | | 43 | ;;;;;;;;;;;;;;;;;; |
| | | 44 | ; Fopen wrappers ; |
--- pkgsrc/lang/php5/patches/Attic/patch-ah 2005/12/06 08:32:22 1.1
+++ pkgsrc/lang/php5/patches/Attic/patch-ah 2009/11/30 23:10:20 1.1.36.1
| @@ -1,25 +1,44 @@ | | | @@ -1,25 +1,44 @@ |
1 | $NetBSD: patch-ah,v 1.1 2005/12/06 08:32:22 jdolecek Exp $ | | 1 | $NetBSD: patch-ah,v 1.1.36.1 2009/11/30 23:10:20 tron Exp $ |
2 | | | 2 | |
3 | --- php.ini-recommended.orig 2005-11-15 00:14:23.000000000 +0100 | | 3 | * Ajust for pkgsrc. |
| | | 4 | * Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: |
| | | 5 | http://svn.php.net/viewvc?view=revision&revision=289990 |
| | | 6 | |
| | | 7 | --- php.ini-recommended.orig 2009-03-02 13:44:35.000000000 +0900 |
4 | +++ php.ini-recommended | | 8 | +++ php.ini-recommended |
5 | @@ -515,8 +515,9 @@ doc_root = | | 9 | @@ -522,7 +522,7 @@ default_mimetype = "text/html" |
| | | 10 | ;;;;;;;;;;;;;;;;;;;;;;;;; |
| | | 11 | |
| | | 12 | ; UNIX: "/path1:/path2" |
| | | 13 | -;include_path = ".:/php/includes" |
| | | 14 | +include_path = ".:@PREFIX@/lib/php" |
| | | 15 | ; |
| | | 16 | ; Windows: "\path1;\path2" |
| | | 17 | ;include_path = ".;c:\php\includes" |
| | | 18 | @@ -538,8 +538,9 @@ doc_root = |
6 | ; if nonempty. | | 19 | ; if nonempty. |
7 | user_dir = | | 20 | user_dir = |
8 | | | 21 | |
9 | -; Directory in which the loadable extensions (modules) reside. | | 22 | -; Directory in which the loadable extensions (modules) reside. |
10 | -extension_dir = "./" | | 23 | -extension_dir = "./" |
11 | +; Directory in which the loadable extensions (modules) reside. If not | | 24 | +; Directory in which the loadable extensions (modules) reside. If not |
12 | +; defined, then use the extension directory specified at compile-time. | | 25 | +; defined, then use the extension directory specified at compile-time. |
13 | +; extension_dir = "./" | | 26 | +; extension_dir = "./" |
14 | | | 27 | |
15 | ; Whether or not to enable the dl() function. The dl() function does NOT work | | 28 | ; Whether or not to enable the dl() function. The dl() function does NOT work |
16 | ; properly in multithreaded servers, such as IIS or Zeus, and is automatically | | 29 | ; properly in multithreaded servers, such as IIS or Zeus, and is automatically |
17 | @@ -566,7 +567,7 @@ file_uploads = On | | 30 | @@ -597,11 +598,13 @@ file_uploads = On |
18 | | | 31 | |
19 | ; Temporary directory for HTTP uploaded files (will use system default if not | | 32 | ; Temporary directory for HTTP uploaded files (will use system default if not |
20 | ; specified). | | 33 | ; specified). |
21 | -;upload_tmp_dir = | | 34 | -;upload_tmp_dir = |
22 | +upload_tmp_dir = /tmp | | 35 | +upload_tmp_dir = /tmp |
23 | | | 36 | |
24 | ; Maximum allowed size for uploaded files. | | 37 | ; Maximum allowed size for uploaded files. |
25 | upload_max_filesize = 2M | | 38 | upload_max_filesize = 2M |
| | | 39 | |
| | | 40 | +; Maximum number of files that can be uploaded via a single request |
| | | 41 | +max_file_uploads = 100 |
| | | 42 | |
| | | 43 | ;;;;;;;;;;;;;;;;;; |
| | | 44 | ; Fopen wrappers ; |
--- pkgsrc/lang/php5/patches/Attic/patch-ay 2009/10/22 21:25:08 1.1.2.2
+++ pkgsrc/lang/php5/patches/Attic/patch-ay 2009/11/30 23:10:20 1.1.2.3
| @@ -1,17 +1,17 @@ | | | @@ -1,17 +1,17 @@ |
1 | $NetBSD: patch-ay,v 1.1.2.2 2009/10/22 21:25:08 tron Exp $ | | 1 | $NetBSD: patch-ay,v 1.1.2.3 2009/11/30 23:10:20 tron Exp $ |
2 | | | 2 | |
3 | * Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546 | | 3 | * Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546 |
4 | from PHP's SVN repositry r289557. | | 4 | http://svn.php.net/viewvc?view=revision&revision=289557 |
5 | | | 5 | |
6 | --- ext/gd/libgd/gd_gd.c.orig 2007-08-09 23:21:38.000000000 +0900 | | 6 | --- ext/gd/libgd/gd_gd.c.orig 2007-08-09 23:21:38.000000000 +0900 |
7 | +++ ext/gd/libgd/gd_gd.c | | 7 | +++ ext/gd/libgd/gd_gd.c |
8 | @@ -39,6 +39,9 @@ int _gdGetColors (gdIOCtx * in, gdImageP | | 8 | @@ -39,6 +39,9 @@ int _gdGetColors (gdIOCtx * in, gdImageP |
9 | if (!gdGetWord(&im->colorsTotal, in)) { | | 9 | if (!gdGetWord(&im->colorsTotal, in)) { |
10 | goto fail1; | | 10 | goto fail1; |
11 | } | | 11 | } |
12 | + if (im->colorsTotal > gdMaxColors) { | | 12 | + if (im->colorsTotal > gdMaxColors) { |
13 | + goto fail1; | | 13 | + goto fail1; |
14 | + } | | 14 | + } |
15 | } | | 15 | } |
16 | /* Int to accommodate truecolor single-color transparency */ | | 16 | /* Int to accommodate truecolor single-color transparency */ |
17 | if (!gdGetInt(&im->transparent, in)) { | | 17 | if (!gdGetInt(&im->transparent, in)) { |
$NetBSD$
* Fix for htmlspecialchars():
http://svn.php.net/viewvc?view=revision&revision=289411
http://svn.php.net/viewvc?view=revision&revision=289554
http://svn.php.net/viewvc?view=revision&revision=289565
http://svn.php.net/viewvc?view=revision&revision=289567
http://svn.php.net/viewvc?view=revision&revision=289605
--- ext/standard/html.c.orig 2008-12-31 20:17:49.000000000 +0900
+++ ext/standard/html.c
@@ -484,15 +484,31 @@ struct basic_entities_dec {
} \
mbseq[mbpos++] = (mbchar); }
-#define CHECK_LEN(pos, chars_need) \
- if((str_len - (pos)) < chars_need) { \
- *status = FAILURE; \
- return 0; \
+/* skip one byte and return */
+#define MB_FAILURE(pos) do { \
+ *newpos = pos + 1; \
+ *status = FAILURE; \
+ return 0; \
+ } while (0)
+
+#define CHECK_LEN(pos, chars_need) \
+ if (chars_need < 1) { \
+ if((str_len - (pos)) < chars_need) { \
+ *newpos = pos; \
+ *status = FAILURE; \
+ return 0; \
+ } \
+ } else { \
+ if((str_len - (pos)) < chars_need) { \
+ *newpos = pos + 1; \
+ *status = FAILURE; \
+ return 0; \
+ } \
}
/* {{{ get_next_char
*/
-inline static unsigned short get_next_char(enum entity_charset charset,
+inline static unsigned int get_next_char(enum entity_charset charset,
unsigned char * str,
int str_len,
int * newpos,
@@ -503,205 +519,189 @@ inline static unsigned short get_next_ch
int pos = *newpos;
int mbpos = 0;
int mbspace = *mbseqlen;
- unsigned short this_char = str[pos++];
+ unsigned int this_char = 0;
unsigned char next_char;
*status = SUCCESS;
-
+
if (mbspace <= 0) {
*mbseqlen = 0;
- return this_char;
+ CHECK_LEN(pos, 1);
+ *newpos = pos + 1;
+ *newpos = pos + 1;
}
-
- MB_WRITE((unsigned char)this_char);
-
+
switch (charset) {
case cs_utf_8:
{
- unsigned long utf = 0;
- int stat = 0;
- int more = 1;
-
- /* unpack utf-8 encoding into a wide char.
- * Code stolen from the mbstring extension */
-
- do {
- if (this_char < 0x80) {
- more = 0;
- if(stat) {
- /* we didn't finish the UTF sequence correctly */
- *status = FAILURE;
- }
- break;
- } else if (this_char < 0xc0) {
- switch (stat) {
- case 0x10: /* 2, 2nd */
- case 0x21: /* 3, 3rd */
- case 0x32: /* 4, 4th */
- case 0x43: /* 5, 5th */
- case 0x54: /* 6, 6th */
- /* last byte in sequence */
- more = 0;
- utf |= (this_char & 0x3f);
- this_char = (unsigned short)utf;
- break;
- case 0x20: /* 3, 2nd */
- case 0x31: /* 4, 3rd */
- case 0x42: /* 5, 4th */
- case 0x53: /* 6, 5th */
- /* penultimate char */
- utf |= ((this_char & 0x3f) << 6);
- stat++;
- break;
- case 0x30: /* 4, 2nd */
- case 0x41: /* 5, 3rd */
- case 0x52: /* 6, 4th */
- utf |= ((this_char & 0x3f) << 12);
- stat++;
- break;
- case 0x40: /* 5, 2nd */
- case 0x51:
- utf |= ((this_char & 0x3f) << 18);
- stat++;
- break;
- case 0x50: /* 6, 2nd */
- utf |= ((this_char & 0x3f) << 24);
- stat++;
- break;
- default:
- /* invalid */
- *status = FAILURE;
- more = 0;
- }
- }
- /* lead byte */
- else if (this_char < 0xe0) {
- stat = 0x10; /* 2 byte */
- utf = (this_char & 0x1f) << 6;
- CHECK_LEN(pos, 1);
- } else if (this_char < 0xf0) {
- stat = 0x20; /* 3 byte */
- utf = (this_char & 0xf) << 12;
- CHECK_LEN(pos, 2);
- } else if (this_char < 0xf8) {
- stat = 0x30; /* 4 byte */
- utf = (this_char & 0x7) << 18;
- CHECK_LEN(pos, 3);
- } else if (this_char < 0xfc) {
- stat = 0x40; /* 5 byte */
- utf = (this_char & 0x3) << 24;
- CHECK_LEN(pos, 4);
- } else if (this_char < 0xfe) {
- stat = 0x50; /* 6 byte */
- utf = (this_char & 0x1) << 30;
- CHECK_LEN(pos, 5);
- } else {
- /* invalid; bail */
- more = 0;
- *status = FAILURE;
- break;
+ unsigned char c;
+ CHECK_LEN(pos, 1);
+ c = str[pos];
+ if (c < 0x80) {
+ MB_WRITE(c);
+ this_char = c;
+ pos++;
+ } else if (c < 0xc0) {
+ MB_FAILURE(pos);
+ } else if (c < 0xe0) {
+ CHECK_LEN(pos, 2);
+ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) {
+ MB_FAILURE(pos);
}
-
- if (more) {
- this_char = str[pos++];
- MB_WRITE((unsigned char)this_char);
+ this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f);
+ if (this_char < 0x80) {
+ MB_FAILURE(pos);
}
- } while (more);
+ MB_WRITE((unsigned char)c);
+ MB_WRITE((unsigned char)str[pos + 1]);
+ pos += 2;
+ } else if (c < 0xf0) {
+ CHECK_LEN(pos, 3);
+ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) {
+ MB_FAILURE(pos);
+ }
+ if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) {
+ MB_FAILURE(pos);
+ }
+ this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f);
+ if (this_char < 0x800) {
+ MB_FAILURE(pos);
+ }
+ MB_WRITE((unsigned char)c);
+ MB_WRITE((unsigned char)str[pos + 1]);
+ MB_WRITE((unsigned char)str[pos + 2]);
+ pos += 3;
+ } else if (c < 0xf8) {
+ CHECK_LEN(pos, 4);
+ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) {
+ MB_FAILURE(pos);
+ }
+ if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) {
+ MB_FAILURE(pos);
+ }
+ if (str[pos + 3] < 0x80 || str[pos + 3] > 0xbf) {
+ MB_FAILURE(pos);
+ }
+ this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
+ if (this_char < 0x10000) {
+ MB_FAILURE(pos);
+ }
+ MB_WRITE((unsigned char)c);
+ MB_WRITE((unsigned char)str[pos + 1]);
+ MB_WRITE((unsigned char)str[pos + 2]);
+ MB_WRITE((unsigned char)str[pos + 3]);
+ pos += 4;
+ } else {
+ MB_FAILURE(pos);
+ }
}
break;
case cs_big5:
case cs_gb2312:
case cs_big5hkscs:
{
+ CHECK_LEN(pos, 1);
+ this_char = str[pos++];
/* check if this is the first of a 2-byte sequence */
- if (this_char >= 0xa1 && this_char <= 0xfe) {
+ if (this_char >= 0x81 && this_char <= 0xfe) {
/* peek at the next char */
CHECK_LEN(pos, 1);
- next_char = str[pos];
+ next_char = str[pos++];
if ((next_char >= 0x40 && next_char <= 0x7e) ||
(next_char >= 0xa1 && next_char <= 0xfe)) {
/* yes, this a wide char */
- this_char <<= 8;
+ MB_WRITE(this_char);
MB_WRITE(next_char);
- this_char |= next_char;
- pos++;
+ this_char = (this_char << 8) | next_char;
+ } else {
+ MB_FAILURE(pos);
}
-
+ } else {
+ MB_WRITE(this_char);
}
- break;
}
+ break;
case cs_sjis:
{
+ CHECK_LEN(pos, 1);
+ this_char = str[pos++];
/* check if this is the first of a 2-byte sequence */
- if ( (this_char >= 0x81 && this_char <= 0x9f) ||
- (this_char >= 0xe0 && this_char <= 0xef)
- ) {
+ if ((this_char >= 0x81 && this_char <= 0x9f) ||
+ (this_char >= 0xe0 && this_char <= 0xfc)) {
/* peek at the next char */
CHECK_LEN(pos, 1);
- next_char = str[pos];
+ next_char = str[pos++];
if ((next_char >= 0x40 && next_char <= 0x7e) ||
(next_char >= 0x80 && next_char <= 0xfc))
{
/* yes, this a wide char */
- this_char <<= 8;
+ MB_WRITE(this_char);
MB_WRITE(next_char);
- this_char |= next_char;
- pos++;
+ this_char = (this_char << 8) | next_char;
+ } else {
+ MB_FAILURE(pos);
}
-
+ } else {
+ MB_WRITE(this_char);
}
break;
}
case cs_eucjp:
{
+ CHECK_LEN(pos, 1);
+ this_char = str[pos++];
/* check if this is the first of a multi-byte sequence */
if (this_char >= 0xa1 && this_char <= 0xfe) {
/* peek at the next char */
CHECK_LEN(pos, 1);
- next_char = str[pos];
+ next_char = str[pos++];
if (next_char >= 0xa1 && next_char <= 0xfe) {
/* yes, this a jis kanji char */
- this_char <<= 8;
+ MB_WRITE(this_char);
MB_WRITE(next_char);
- this_char |= next_char;
- pos++;
+ this_char = (this_char << 8) | next_char;
+ } else {
+ MB_FAILURE(pos);
}
-
} else if (this_char == 0x8e) {
/* peek at the next char */
CHECK_LEN(pos, 1);
- next_char = str[pos];
+ next_char = str[pos++];
if (next_char >= 0xa1 && next_char <= 0xdf) {
/* JIS X 0201 kana */
- this_char <<= 8;
+ MB_WRITE(this_char);
MB_WRITE(next_char);
- this_char |= next_char;
- pos++;
+ this_char = (this_char << 8) | next_char;
+ } else {
+ MB_FAILURE(pos);
}
-
} else if (this_char == 0x8f) {
/* peek at the next two char */
unsigned char next2_char;
CHECK_LEN(pos, 2);
next_char = str[pos];
- next2_char = str[pos+1];
+ next2_char = str[pos + 1];
+ pos += 2;
if ((next_char >= 0xa1 && next_char <= 0xfe) &&
(next2_char >= 0xa1 && next2_char <= 0xfe)) {
/* JIS X 0212 hojo-kanji */
- this_char <<= 8;
+ MB_WRITE(this_char);
MB_WRITE(next_char);
- this_char |= next_char;
- pos++;
- this_char <<= 8;
MB_WRITE(next2_char);
- this_char |= next2_char;
- pos++;
+ this_char = (this_char << 16) | (next_char << 8) | next2_char;
+ } else {
+ MB_FAILURE(pos);
}
-
+ } else {
+ MB_WRITE(this_char);
}
break;
}
default:
+ /* single-byte charsets */
+ CHECK_LEN(pos, 1);
+ this_char = str[pos++];
+ MB_WRITE(this_char);
break;
}
MB_RETURN;
@@ -1132,7 +1132,7 @@ PHPAPI char *php_escape_html_entities_ex
unsigned char mbsequence[16]; /* allow up to 15 characters in a multibyte sequence */
int mbseqlen = sizeof(mbsequence);
int status = SUCCESS;
- unsigned short this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status);
+ unsigned int this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status);
if(status == FAILURE) {
/* invalid MB sequence */
$NetBSD: patch-ba,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $
Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558:
http://svn.php.net/viewvc?view=revision&revision=288934
--- ext/posix/posix.c.orig 2009-08-06 20:11:15.000000000 +0900
+++ ext/posix/posix.c
@@ -679,7 +679,8 @@ PHP_FUNCTION(posix_mkfifo)
RETURN_FALSE;
}
- if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+ if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
+ (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
RETURN_FALSE;
}
$NetBSD: patch-bb,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $
Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557:
http://svn.php.net/viewvc?view=revision&revision=288945
http://svn.php.net/viewvc?view=revision&revision=288971
--- ext/standard/file.c.orig 2009-11-30 10:04:51.000000000 +0900
+++ ext/standard/file.c
@@ -838,6 +838,10 @@ PHP_FUNCTION(tempnam)
convert_to_string_ex(arg1);
convert_to_string_ex(arg2);
+ if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+ RETURN_FALSE;
+ }
+
if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
RETURN_FALSE;
}
$NetBSD: patch-bc,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $
Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
http://svn.php.net/viewvc?view=revision&revision=289990
--- main/main.c.orig 2009-11-30 10:04:51.000000000 +0900
+++ main/main.c
@@ -455,6 +455,7 @@ PHP_INI_BEGIN()
PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra)
PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL)
STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
$NetBSD: patch-bd,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $
Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
http://svn.php.net/viewvc?view=revision&revision=289990
http://svn.php.net/viewvc?view=revision&revision=290820
http://svn.php.net/viewvc?view=revision&revision=290885
--- main/rfc1867.c.orig 2008-12-31 20:17:49.000000000 +0900
+++ main/rfc1867.c
@@ -32,6 +32,7 @@
#include "php_globals.h"
#include "php_variables.h"
#include "rfc1867.h"
+#include "php_ini.h"
#define DEBUG_FILE_UPLOAD ZEND_DEBUG
@@ -794,8 +795,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
zend_llist header;
void *event_extra_data = NULL;
int llen = 0;
+ int upload_cnt = INI_INT("max_file_uploads");
- if (SG(request_info).content_length > SG(post_max_size)) {
+ if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
return;
}
@@ -972,6 +974,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
/* If file_uploads=off, skip the file part */
if (!PG(file_uploads)) {
skip_upload = 1;
+ } else if (upload_cnt <= 0) {
+ skip_upload = 1;
+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
}
/* Return with an error if the posted data is garbled */
@@ -1016,6 +1021,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
if (!skip_upload) {
/* Handle file */
fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
+ upload_cnt--;
if (fd==-1) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
cancel_upload = UPLOAD_ERROR_E;