Thu Dec 5 16:17:15 2013 UTC ()

Add fix for CVE-2013-6712, ext/date DoS vulnerability.

Bump PKGREVISION.


(taca)

diff -r1.14 -r1.15 pkgsrc/lang/php54/Makefile
diff -r1.29 -r1.30 pkgsrc/lang/php54/distinfo
diff -r0 -r1.1 pkgsrc/lang/php54/patches/patch-ext_date_lib_parse__iso__intervals.c
diff -r0 -r1.1 pkgsrc/lang/php54/patches/patch-ext_date_lib_parse__iso__intervals.re

--- pkgsrc/lang/php54/Attic/Makefile 2013/08/16 15:28:23 1.14
+++ pkgsrc/lang/php54/Attic/Makefile 2013/12/05 16:17:15 1.15

 @@ -1,19 +1,20 @@
-# $NetBSD: Makefile,v 1.14 2013/08/16 15:28:23 taca Exp $
+# $NetBSD: Makefile,v 1.15 2013/12/05 16:17:15 taca Exp $
+#
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
+#
 PKGNAME=		php-${PHP_BASE_VERS}
 PKGREVISION=		1
 CATEGORIES=		lang
 HOMEPAGE=		http://www.php.net/
 COMMENT=		PHP Hypertext Preprocessor version 5.4
 LICENSE=		php
 TEST_TARGET=		test
 USE_TOOLS+=		gmake lex pkg-config
 LIBTOOL_OVERRIDE=	# empty
 PHP_CHECK_INSTALLED=	No
 PHP_VERSIONS_ACCEPTED=		54

--- pkgsrc/lang/php54/Attic/distinfo 2013/11/16 09:45:26 1.29
+++ pkgsrc/lang/php54/Attic/distinfo 2013/12/05 16:17:15 1.30

 @@ -1,20 +1,22 @@
-$NetBSD: distinfo,v 1.29 2013/11/16 09:45:26 taca Exp $
+$NetBSD: distinfo,v 1.30 2013/12/05 16:17:15 taca Exp $
 SHA1 (php-5.4.22.tar.bz2) = 4b73d3667a97db1ce32ebf5b98fcc4b2585d981b
 RMD160 (php-5.4.22.tar.bz2) = 578f25e8776b42e3f643bddcce9b92e376171343
 Size (php-5.4.22.tar.bz2) = 12246577 bytes
 SHA1 (patch-acinclude.m4) = 71635e5381abf99a9fc9f2537b1c2f18e8096f00
 SHA1 (patch-configure) = ce3205292370fb279033aaa06138cea1a3725ef1
 SHA1 (patch-ext_date_lib_parse__iso__intervals.c) = c2b18faed698a6ace171ca93cd082985ac3e1b83
 SHA1 (patch-ext_date_lib_parse__iso__intervals.re) = 1a6b18d1d9bec66b0ab67cb2f602cc9ef97678b1
 SHA1 (patch-ext_gd_config.m4) = 2353efe6f25e1081b41d61033c3185cc643c7891
 SHA1 (patch-ext_imap_config.m4) = 01681e8b54ee586ec4db72a5da2d0aec3fa89fcc
 SHA1 (patch-ext_mssql_php__mssql.c) = 732e48b05086180585a3087c2e9737db557dbc3b
 SHA1 (patch-ext_pdo__mysql_config.m4) = 3526e737da25129710218e7141d5a05ae0a51390
 SHA1 (patch-ext_pdo_config.m4) = 26a4ad02e5c6b7a54c3c54a6d026a3ccfed62c59
 SHA1 (patch-ext_phar_Makefile.frag) = 1af23d9135557bc7ba2f3627b317d4cbef37aaba
 SHA1 (patch-ext_phar_phar_phar.php) = 011f2d68048dbc63f5efcab4e23062daa9e8e08c
 SHA1 (patch-ext_standard_basic__functions.c) = 563fe67eb78b786cd46195026381ef22128e0841
 SHA1 (patch-php.ini-development) = 79512bd276adaed6bcf5f7f28e965f8a6b589add
 SHA1 (patch-php.ini-production) = f5d275abe7668a139999b3607e99f271450f56ae
 SHA1 (patch-run-tests.php) = ff80b8ad52d7c0a43fa318ed9bffca9d7b3e688d
 SHA1 (patch-sapi_cgi_Makefile.frag) = c271096b8565e89a85b0189c6f503f3fb5cd4b27
 SHA1 (patch-sapi_fpm_php-fpm.conf.in) = 2369bb6a426a7fb47dc73c88f0daa0f6fa67b593

$NetBSD: patch-ext_date_lib_parse__iso__intervals.c,v 1.1 2013/12/05 16:17:15 taca Exp $

Fix for CVE-2013-6712.

--- ext/date/lib/parse_iso_intervals.c.orig	2013-11-13 06:46:59.000000000 +0000
+++ ext/date/lib/parse_iso_intervals.c
@@ -415,7 +415,7 @@ yy6:
 					break;
 			}
 			ptr++;
-		} while (*ptr);
+		} while (!s->errors->error_count && *ptr);
 		s->have_period = 1;
 		TIMELIB_DEINIT;
 		return TIMELIB_PERIOD;

$NetBSD: patch-ext_date_lib_parse__iso__intervals.re,v 1.1 2013/12/05 16:17:15 taca Exp $

Fix for CVE-2013-6712.

--- ext/date/lib/parse_iso_intervals.re.orig	2013-11-13 06:46:59.000000000 +0000
+++ ext/date/lib/parse_iso_intervals.re
@@ -383,7 +383,7 @@ isoweek          = year4 "-"? "W" weekof
 					break;
 			}
 			ptr++;
-		} while (*ptr);
+		} while (!s->errors->error_count && *ptr);
 		s->have_period = 1;
 		TIMELIB_DEINIT;
 		return TIMELIB_PERIOD;