Mon Mar 21 16:08:29 2011 UTC ()

Add a patch to fix bug #54193 (Integer overflow in shmop_read()) referring
r309018 from PHPs' repository.  (CVE-2011-1092)

Bump PKGREVISION of devel/php-shmop.


(taca)

diff -r1.9 -r1.10 pkgsrc/devel/php-shmop/Makefile
diff -r1.87 -r1.88 pkgsrc/lang/php5/distinfo
diff -r0 -r1.1 pkgsrc/lang/php5/patches/patch-ext_shmop_shmop.c

--- pkgsrc/devel/php-shmop/Makefile 2008/06/12 02:14:28 1.9
+++ pkgsrc/devel/php-shmop/Makefile 2011/03/21 16:08:28 1.10

 @@ -1,14 +1,15 @@
-# $NetBSD: Makefile,v 1.9 2008/06/12 02:14:28 joerg Exp $
+# $NetBSD: Makefile,v 1.10 2011/03/21 16:08:28 taca Exp $
 MODNAME=		shmop
 PKGREVISION=		1
 CATEGORIES+=		devel
 COMMENT=		PHP extension for simple SysV shared memory operations
 PKG_DESTDIR_SUPPORT=	user-destdir
 CONFLICTS=	php-shmop-[0-9]*
 CONFIGURE_ARGS+=	--enable-${MODNAME}=shared,${BUILDLINK_DIR}
 .include "../../lang/php/ext.mk"
 .include "../../mk/bsd.pkg.mk"

--- pkgsrc/lang/php5/Attic/distinfo 2011/02/21 16:26:49 1.87
+++ pkgsrc/lang/php5/Attic/distinfo 2011/03/21 16:08:29 1.88

 @@ -1,22 +1,20 @@
-$NetBSD: distinfo,v 1.87 2011/02/21 16:26:49 taca Exp $
+$NetBSD: distinfo,v 1.88 2011/03/21 16:08:29 taca Exp $
 SHA1 (php-5.2.17/php-5.2.17.tar.bz2) = d68f3b09f766990d815a3c4c63c157db8dab8095
 RMD160 (php-5.2.17/php-5.2.17.tar.bz2) = 567fa8d718b93fb83a89494c83a8bec224ac99e9
 Size (php-5.2.17/php-5.2.17.tar.bz2) = 9092312 bytes
 SHA1 (php-5.2.17/suhosin-patch-5.2.16-0.9.7.patch.gz) = fec10b2b81582d06bb0d0a96ea55c525afc8ab29
 RMD160 (php-5.2.17/suhosin-patch-5.2.16-0.9.7.patch.gz) = b28b70faf136b3e04c5b483da0f4c2279378f43a
 Size (php-5.2.17/suhosin-patch-5.2.16-0.9.7.patch.gz) = 23069 bytes
 SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
 SHA1 (patch-af) = 68c5a31dccf1854ba1aff653e4c524767d6a64f6
 SHA1 (patch-ag) = 5e3e822657925a77fbccaca63f283863a1cc6d94
 SHA1 (patch-ah) = a25cb7fa3d1f5b9fb99493a4348fdba69d3d4728
 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
 SHA1 (patch-al) = 257129124d46a84f7342b1a00f0cab073066e7cb
 SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602
 SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce
 SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df
 SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d
 SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1
 SHA1 (patch-ext_exif_exif.c) = 0a6ab268751e633510cb6b334b1bdb84a014b528
 SHA1 (patch-ext_shmop_shmop.c) = 6e11b87dd71ff26357b14b61df626c40b40a022d
 SHA1 (patch-ext_zip_lib_zip__name__locate.c) = 4030e37ae4f93dbcb1a3a937a5407c2c406a49d6
 SHA1 (patch-ext_zip_php__zip.c) = 134fa566a689d72d63a2fa0aa5c96c4595619089

$NetBSD: patch-ext_shmop_shmop.c,v 1.1 2011/03/21 16:08:29 taca Exp $

Fix for CVE-2011-1092.

--- ext/shmop/shmop.c.orig	2010-01-03 09:23:27.000000000 +0000
+++ ext/shmop/shmop.c
@@ -223,7 +223,7 @@ PHP_FUNCTION(shmop_read)
 		RETURN_FALSE;
 	}
 
-	if (start + count > shmop->size || count < 0) {
+	if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range");
 		RETURN_FALSE;
 	}