Thu Dec 5 16:17:48 2013 UTC ()

Add fix for CVE-2013-6712, ext/date DoS vulnerability.

Bump PKGREVISION.


(taca)

diff -r1.5 -r1.6 pkgsrc/lang/php55/Makefile
diff -r1.10 -r1.11 pkgsrc/lang/php55/distinfo
diff -r0 -r1.1 pkgsrc/lang/php55/patches/patch-ext_date_lib_parse__iso__intervals.c
diff -r0 -r1.1 pkgsrc/lang/php55/patches/patch-ext_date_lib_parse__iso__intervals.re

--- pkgsrc/lang/php55/Attic/Makefile 2013/08/17 13:15:21 1.5
+++ pkgsrc/lang/php55/Attic/Makefile 2013/12/05 16:17:47 1.6

 @@ -1,19 +1,20 @@
-# $NetBSD: Makefile,v 1.5 2013/08/17 13:15:21 taca Exp $
+# $NetBSD: Makefile,v 1.6 2013/12/05 16:17:47 taca Exp $
+#
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
+#
 PKGNAME=		php-${PHP_BASE_VERS}
 PKGREVISION=		1
 CATEGORIES=		lang
 HOMEPAGE=		http://www.php.net/
 COMMENT=		PHP Hypertext Preprocessor version 5.5
 LICENSE=		php
 TEST_TARGET=		test
 USE_TOOLS+=		gmake lex pkg-config
 LIBTOOL_OVERRIDE=	# empty
 PHP_CHECK_INSTALLED=	No
 PHP_VERSIONS_ACCEPTED=		55

--- pkgsrc/lang/php55/Attic/distinfo 2013/11/15 16:33:14 1.10
+++ pkgsrc/lang/php55/Attic/distinfo 2013/12/05 16:17:47 1.11

 @@ -1,20 +1,22 @@
-$NetBSD: distinfo,v 1.10 2013/11/15 16:33:14 taca Exp $
+$NetBSD: distinfo,v 1.11 2013/12/05 16:17:47 taca Exp $
 SHA1 (php-5.5.6.tar.bz2) = 02a30f72b1d6876a41b48548d4f95bf2b4761147
 RMD160 (php-5.5.6.tar.bz2) = 7a9289fe14e0a4edb3ff92eb8e3db9030e77d734
 Size (php-5.5.6.tar.bz2) = 12983030 bytes
 SHA1 (patch-acinclude.m4) = 9e9c433e4cb96e469f7cf14b2064a0f41fc4568a
 SHA1 (patch-configure) = 37b19e0f75619ffe016a1d834dbe774ea4452a2d
 SHA1 (patch-ext_date_lib_parse__iso__intervals.c) = b0810f2e6d23cbc52356b38bc6a8fa545d1a0b6f
 SHA1 (patch-ext_date_lib_parse__iso__intervals.re) = fb27d18d88f13dce8d44de805f255d5af61afef1
 SHA1 (patch-ext_gd_config.m4) = 91c9798333d4776856a0a9e20196986856b758b2
 SHA1 (patch-ext_imap_config.m4) = 01681e8b54ee586ec4db72a5da2d0aec3fa89fcc
 SHA1 (patch-ext_mssql_php__mssql.c) = 4ef1837850443e9db2e71620a3ddaed5ab5c435b
 SHA1 (patch-ext_opcache_config.m4) = 7c0d98feaeec8a0ca61f6f77a1906aa2d601be3f
 SHA1 (patch-ext_pdo__mysql_config.m4) = 3526e737da25129710218e7141d5a05ae0a51390
 SHA1 (patch-ext_pdo_config.m4) = 26a4ad02e5c6b7a54c3c54a6d026a3ccfed62c59
 SHA1 (patch-ext_phar_Makefile.frag) = 1af23d9135557bc7ba2f3627b317d4cbef37aaba
 SHA1 (patch-ext_phar_phar_phar.php) = 011f2d68048dbc63f5efcab4e23062daa9e8e08c
 SHA1 (patch-ext_sockets_sockaddr__conv.c) = ca4a1e97208071b3e28598f23d4b88ffb9b56df4
 SHA1 (patch-ext_standard_basic__functions.c) = f2a44998145306c2cb2d2f3822c0e7cc70c778b4
 SHA1 (patch-makedist) = a2a77c3d15a28fee08fdd88f0c9fee6cbec107d8
 SHA1 (patch-php.ini-development) = b4690be8f589933ee5654bdd7bc80712481711a5
 SHA1 (patch-php.ini-production) = 535ee9bff509ee8cab31cc73ec49b25b3ffdbff5

$NetBSD: patch-ext_date_lib_parse__iso__intervals.c,v 1.1 2013/12/05 16:17:48 taca Exp $

Fix for CVE-2013-6712.

--- ext/date/lib/parse_iso_intervals.c.orig	2013-11-12 14:17:27.000000000 +0000
+++ ext/date/lib/parse_iso_intervals.c
@@ -380,7 +380,7 @@ yy6:
 					break;
 			}
 			ptr++;
-		} while (*ptr);
+		} while (!s->errors->error_count && *ptr);
 		s->have_period = 1;
 		TIMELIB_DEINIT;
 		return TIMELIB_PERIOD;

$NetBSD: patch-ext_date_lib_parse__iso__intervals.re,v 1.1 2013/12/05 16:17:48 taca Exp $

Fix for CVE-2013-6712.

--- ext/date/lib/parse_iso_intervals.re.orig	2013-11-12 14:17:27.000000000 +0000
+++ ext/date/lib/parse_iso_intervals.re
@@ -348,7 +348,7 @@ isoweek          = year4 "-"? "W" weekof
 					break;
 			}
 			ptr++;
-		} while (*ptr);
+		} while (!s->errors->error_count && *ptr);
 		s->have_period = 1;
 		TIMELIB_DEINIT;
 		return TIMELIB_PERIOD;