Wed Aug 14 15:42:56 2013 UTC ()
Add fix fo openssl, CVE-2013-4073.
Bump PKGREVISION.
(taca)
diff -r1.42 -r1.43 pkgsrc/lang/php53/Makefile
diff -r1.66 -r1.67 pkgsrc/lang/php53/distinfo
diff -r0 -r1.1 pkgsrc/lang/php53/patches/patch-ext_openssl_openssl.c
--- pkgsrc/lang/php53/Attic/Makefile 2013/08/13 10:22:26 1.42
+++ pkgsrc/lang/php53/Attic/Makefile 2013/08/14 15:42:56 1.43
| @@ -1,20 +1,20 @@ | | | @@ -1,20 +1,20 @@ |
| 1 | # $NetBSD: Makefile,v 1.42 2013/08/13 10:22:26 joerg Exp $ | | 1 | # $NetBSD: Makefile,v 1.43 2013/08/14 15:42:56 taca Exp $ |
| 2 | | | 2 | |
| 3 | # | | 3 | # |
| 4 | # We can't omit PKGNAME here to handle PKG_OPTIONS. | | 4 | # We can't omit PKGNAME here to handle PKG_OPTIONS. |
| 5 | # | | 5 | # |
| 6 | PKGNAME= php-${PHP_BASE_VERS} | | 6 | PKGNAME= php-${PHP_BASE_VERS} |
| 7 | PKGREVISION= 1 | | 7 | PKGREVISION= 2 |
| 8 | CATEGORIES= lang | | 8 | CATEGORIES= lang |
| 9 | | | 9 | |
| 10 | HOMEPAGE= http://www.php.net/ | | 10 | HOMEPAGE= http://www.php.net/ |
| 11 | COMMENT= PHP Hypertext Preprocessor version 5.3 | | 11 | COMMENT= PHP Hypertext Preprocessor version 5.3 |
| 12 | LICENSE= php | | 12 | LICENSE= php |
| 13 | | | 13 | |
| 14 | TEST_TARGET= test | | 14 | TEST_TARGET= test |
| 15 | | | 15 | |
| 16 | USE_TOOLS+= gmake lex pkg-config | | 16 | USE_TOOLS+= gmake lex pkg-config |
| 17 | LIBTOOL_OVERRIDE= # empty | | 17 | LIBTOOL_OVERRIDE= # empty |
| 18 | PHP_CHECK_INSTALLED= No | | 18 | PHP_CHECK_INSTALLED= No |
| 19 | | | 19 | |
| 20 | PHP_VERSIONS_ACCEPTED?= 53 | | 20 | PHP_VERSIONS_ACCEPTED?= 53 |
--- pkgsrc/lang/php53/Attic/distinfo 2013/07/12 00:07:04 1.66
+++ pkgsrc/lang/php53/Attic/distinfo 2013/08/14 15:42:56 1.67
| @@ -1,23 +1,24 @@ | | | @@ -1,23 +1,24 @@ |
| 1 | $NetBSD: distinfo,v 1.66 2013/07/12 00:07:04 taca Exp $ | | 1 | $NetBSD: distinfo,v 1.67 2013/08/14 15:42:56 taca Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (php-5.3.27.tar.bz2) = 4f95682940ebe1bc1a93812d593460625a2aae64 | | 3 | SHA1 (php-5.3.27.tar.bz2) = 4f95682940ebe1bc1a93812d593460625a2aae64 |
| 4 | RMD160 (php-5.3.27.tar.bz2) = c2887004859f32b25229ffe52d86270c8de194b7 | | 4 | RMD160 (php-5.3.27.tar.bz2) = c2887004859f32b25229ffe52d86270c8de194b7 |
| 5 | Size (php-5.3.27.tar.bz2) = 11432791 bytes | | 5 | Size (php-5.3.27.tar.bz2) = 11432791 bytes |
| 6 | SHA1 (suhosin-patch-5.3.25-0.9.10.patch.bz2) = ce5883b05daf91e8a44fffbfa4d3989ac3311dd1 | | 6 | SHA1 (suhosin-patch-5.3.25-0.9.10.patch.bz2) = ce5883b05daf91e8a44fffbfa4d3989ac3311dd1 |
| 7 | RMD160 (suhosin-patch-5.3.25-0.9.10.patch.bz2) = 6c4d0cfe070802481121be465b66d3cefe44da83 | | 7 | RMD160 (suhosin-patch-5.3.25-0.9.10.patch.bz2) = 6c4d0cfe070802481121be465b66d3cefe44da83 |
| 8 | Size (suhosin-patch-5.3.25-0.9.10.patch.bz2) = 32447 bytes | | 8 | Size (suhosin-patch-5.3.25-0.9.10.patch.bz2) = 32447 bytes |
| 9 | SHA1 (patch-aa) = fd930d0d9b1c60e8c7c514cfb6864b61ce4d158d | | 9 | SHA1 (patch-aa) = fd930d0d9b1c60e8c7c514cfb6864b61ce4d158d |
| 10 | SHA1 (patch-ab) = 5e8f0b91426656cb7f9272d17586ce40ab0fb547 | | 10 | SHA1 (patch-ab) = 5e8f0b91426656cb7f9272d17586ce40ab0fb547 |
| 11 | SHA1 (patch-ac) = e8a7218d74f2f4093acca2160693c9a245e4cfc7 | | 11 | SHA1 (patch-ac) = e8a7218d74f2f4093acca2160693c9a245e4cfc7 |
| 12 | SHA1 (patch-ad) = 6b42868f41335ddfa5a8c1e982819166b05e4ad2 | | 12 | SHA1 (patch-ad) = 6b42868f41335ddfa5a8c1e982819166b05e4ad2 |
| 13 | SHA1 (patch-ae) = 3a354cb5c1253eb375041d8ee8549c2f663e6c74 | | 13 | SHA1 (patch-ae) = 3a354cb5c1253eb375041d8ee8549c2f663e6c74 |
| 14 | SHA1 (patch-af) = 4f5aac4c52ce576f4489cb1f06fdb672745a8fdb | | 14 | SHA1 (patch-af) = 4f5aac4c52ce576f4489cb1f06fdb672745a8fdb |
| 15 | SHA1 (patch-ag) = 84af84bc1144ac8a1fce931edcedd4a3ad0f2fda | | 15 | SHA1 (patch-ag) = 84af84bc1144ac8a1fce931edcedd4a3ad0f2fda |
| 16 | SHA1 (patch-ah) = 697156508da2d837a1ea1a41f036eab4fb87e94b | | 16 | SHA1 (patch-ah) = 697156508da2d837a1ea1a41f036eab4fb87e94b |
| 17 | SHA1 (patch-ai) = 9659f73eef1b4fcca9b844bdaa785ac6d5e582a1 | | 17 | SHA1 (patch-ai) = 9659f73eef1b4fcca9b844bdaa785ac6d5e582a1 |
| 18 | SHA1 (patch-aj) = 181658ae523bd60f67750566711fc078b49191b7 | | 18 | SHA1 (patch-aj) = 181658ae523bd60f67750566711fc078b49191b7 |
| 19 | SHA1 (patch-al) = fe534d7d50a529e3c7d0ffed76afdb70bb55a521 | | 19 | SHA1 (patch-al) = fe534d7d50a529e3c7d0ffed76afdb70bb55a521 |
| | | 20 | SHA1 (patch-ext_openssl_openssl.c) = 1018d60764162ef663089e94d1e133e097f4534c |
| 20 | SHA1 (patch-ext_standard_basic__functions.c) = 017fd25e646af4d7eb2a0bd13b3c8da34eaee8c5 | | 21 | SHA1 (patch-ext_standard_basic__functions.c) = 017fd25e646af4d7eb2a0bd13b3c8da34eaee8c5 |
| 21 | SHA1 (patch-main_streams_cast.c) = d68b69c9418a8780b1610b8755487771f7c46a5a | | 22 | SHA1 (patch-main_streams_cast.c) = d68b69c9418a8780b1610b8755487771f7c46a5a |
| 22 | SHA1 (patch-php__mssql.c) = 524c4e5d7ede0e503049bf1febec58e0c4a29aa4 | | 23 | SHA1 (patch-php__mssql.c) = 524c4e5d7ede0e503049bf1febec58e0c4a29aa4 |
| 23 | SHA1 (patch-sapi_fpm_php-fpm.conf.in) = 86137a37e74badf99c46d1ba7ca5d85f42bedfce | | 24 | SHA1 (patch-sapi_fpm_php-fpm.conf.in) = 86137a37e74badf99c46d1ba7ca5d85f42bedfce |
$NetBSD: patch-ext_openssl_openssl.c,v 1.1 2013/08/14 15:42:56 taca Exp $
Fix for CVE-2013-4073.
--- ext/openssl/openssl.c.orig 2013-07-10 17:43:08.000000000 +0000
+++ ext/openssl/openssl.c
@@ -1326,6 +1326,75 @@ PHP_FUNCTION(openssl_x509_check_private_
}
/* }}} */
+
+/* Special handling of subjectAltName, see CVE-2013-4073
+ * Christian Heimes
+ */
+
+static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)
+{
+ GENERAL_NAMES *names;
+ const X509V3_EXT_METHOD *method = NULL;
+ long i, length, num;
+ const unsigned char *p;
+
+ method = X509V3_EXT_get(extension);
+ if (method == NULL) {
+ return -1;
+ }
+
+ p = extension->value->data;
+ length = extension->value->length;
+ if (method->it) {
+ names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length,
+ ASN1_ITEM_ptr(method->it)));
+ } else {
+ names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length));
+ }
+ if (names == NULL) {
+ return -1;
+ }
+
+ num = sk_GENERAL_NAME_num(names);
+ for (i = 0; i < num; i++) {
+ GENERAL_NAME *name;
+ ASN1_STRING *as;
+ name = sk_GENERAL_NAME_value(names, i);
+ switch (name->type) {
+ case GEN_EMAIL:
+ BIO_puts(bio, "email:");
+ as = name->d.rfc822Name;
+ BIO_write(bio, ASN1_STRING_data(as),
+ ASN1_STRING_length(as));
+ break;
+ case GEN_DNS:
+ BIO_puts(bio, "DNS:");
+ as = name->d.dNSName;
+ BIO_write(bio, ASN1_STRING_data(as),
+ ASN1_STRING_length(as));
+ break;
+ case GEN_URI:
+ BIO_puts(bio, "URI:");
+ as = name->d.uniformResourceIdentifier;
+ BIO_write(bio, ASN1_STRING_data(as),
+ ASN1_STRING_length(as));
+ break;
+ default:
+ /* use builtin print for GEN_OTHERNAME, GEN_X400,
+ * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
+ */
+ GENERAL_NAME_print(bio, name);
+ }
+ /* trailing ', ' except for last element */
+ if (i < (num - 1)) {
+ BIO_puts(bio, ", ");
+ }
+ }
+ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+
+ return 0;
+}
+
/* {{{ proto array openssl_x509_parse(mixed x509 [, bool shortnames=true])
Returns an array of the fields/values of the CERT */
PHP_FUNCTION(openssl_x509_parse)
@@ -1422,15 +1491,29 @@ PHP_FUNCTION(openssl_x509_parse)
for (i = 0; i < X509_get_ext_count(cert); i++) {
+ int nid;
extension = X509_get_ext(cert, i);
- if (OBJ_obj2nid(X509_EXTENSION_get_object(extension)) != NID_undef) {
+ nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension));
+ if (nid != NID_undef) {
extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension)));
} else {
OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension), 1);
extname = buf;
}
bio_out = BIO_new(BIO_s_mem());
- if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
+ if (nid == NID_subject_alt_name) {
+ if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) {
+ add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
+ } else {
+ zval_dtor(return_value);
+ if (certresource == -1 && cert) {
+ X509_free(cert);
+ }
+ BIO_free(bio_out);
+ RETURN_FALSE;
+ }
+ }
+ else if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
BIO_get_mem_ptr(bio_out, &bio_buf);
add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
} else {