Thu Jul 28 15:29:47 2016 UTC ()
Pullup ticket #5068 - requested by taca
lang/php70: security update
lang/php: subsequent adjustment

Revisions pulled up:
- lang/php/phpversion.mk                                        1.144
- lang/php70/distinfo                                           1.15

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Jul 24 02:20:16 UTC 2016

   Modified Files:
   	pkgsrc/lang/php: phpversion.mk
   	pkgsrc/lang/php70: distinfo

   Log Message:
   Update php70 to 7.0.9 (PHP 7.0.9).

   21 Jul 2016 PHP 7.0.9

   - Core:
     . Fixed bug #72508 (strange references after recursive function call and
       "switch" statement). (Laruence)
     . Fixed bug #72513 (Stack-based buffer overflow vulnerability in
       virtual_file_ex). (Stas)
     . Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries
       and applications). (Stas)

   - bz2:
     . Fixed bug #72613 (Inadequate error handling in bzread()). (Stas)

   - CLI:
     . Fixed bug #72484 (SCRIPT_FILENAME shows wrong path if the user specify
       router.php). (Laruence)

   - COM:
     . Fixed bug #72498 (variant_date_from_timestamp null dereference). (Anatol)

   - Curl:
     . Fixed bug #72541 (size_t overflow lead to heap corruption). (Stas)

   - Exif:
     . Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
       (Stas)
     . Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
       (Stas)

   - GD:
     . Fixed bug #43475 (Thick styled lines have scrambled patterns). (cmb)
     . Fixed bug #53640 (XBM images require width to be multiple of 8). (cmb)
     . Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line). (cmb)
     . Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read
       access). (Pierre)
     . Fixed bug #72519 (imagegif/output out-of-bounds access). (Pierre)
     . Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
       (Pierre)
     . Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine
       overflow). (Pierre)
     . Fixed bug #72494 (imagecropauto out-of-bounds access). (Pierre)

   - Intl:
     . Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (Stas)

   - Mbstring:
     . Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) -
       oob read access). (Laruence)
     . Fixed bug #72399 (Use-After-Free in MBString (search_re)). (Laruence)

   - mcrypt:
     . Fixed bug #72551, bug #72552 (In correct casting from size_t to int lead to
       heap overflow in mdecrypt_generic). (Stas)

   - PDO_pgsql:
     . Fixed bug #72570 (Segmentation fault when binding parameters on a query
       without placeholders). (Matteo)

   - PCRE:
     . Fixed bug #72476 (Memleak in jit_stack). (Laruence)
     . Fixed bug #72463 (mail fails with invalid argument). (Anatol)

   - Readline:
     . Fixed bug #72538 (readline_redisplay crashes php). (Laruence)

   - Standard:
     . Fixed bug #72505 (readfile() mangles files larger than 2G). (Cschneid)
     . Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
       (Laruence)

   - Session:
     . Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow). (Laruence)
     . Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session
       Deserialization). (Stas)

   - SNMP:
     . Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
       unserialize()). (Stas)

   - Streams:
     . Fixed bug #72439 (Stream socket with remote address leads to a segmentation
       fault). (Laruence)

   - XMLRPC:
     . Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn
       simplestring.c). (Stas)

   - Zip:
     . Fixed bug #72520 (Stack-based buffer overflow vulnerability in
       php_stream_zip_opener). (Stas)

   To generate a diff of this commit:
   cvs rdiff -u -r1.143 -r1.144 pkgsrc/lang/php/phpversion.mk
   cvs rdiff -u -r1.14 -r1.15 pkgsrc/lang/php70/distinfo


(spz)
diff -r1.141.2.1 -r1.141.2.2 pkgsrc/lang/php/phpversion.mk
diff -r1.14 -r1.14.2.1 pkgsrc/lang/php70/distinfo
cvs diff -r1.141.2.1 -r1.141.2.2 pkgsrc/lang/php/phpversion.mk (expand / switch to context diff)
--- pkgsrc/lang/php/phpversion.mk 2016/07/28 14:49:19 1.141.2.1
+++ pkgsrc/lang/php/phpversion.mk 2016/07/28 15:29:47 1.141.2.2
@@ -1,4 +1,4 @@
-# $NetBSD: phpversion.mk,v 1.141.2.1 2016/07/28 14:49:19 spz Exp $
+# $NetBSD: phpversion.mk,v 1.141.2.2 2016/07/28 15:29:47 spz Exp $
 #
 # This file selects a PHP version, based on the user's preferences and
 # the installed packages. It does not add a dependency on the PHP
@@ -83,7 +83,7 @@
 # Define each PHP's version.
 PHP55_VERSION=	5.5.38
 PHP56_VERSION=	5.6.24
-PHP70_VERSION=	7.0.8
+PHP70_VERSION=	7.0.9
 
 # Define initial release of major version.
 PHP55_RELDATE=	20130620
cvs diff -r1.14 -r1.14.2.1 pkgsrc/lang/php70/Attic/distinfo (expand / switch to context diff)
--- pkgsrc/lang/php70/Attic/distinfo 2016/06/24 15:27:57 1.14
+++ pkgsrc/lang/php70/Attic/distinfo 2016/07/28 15:29:47 1.14.2.1
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.14 2016/06/24 15:27:57 taca Exp $
+$NetBSD: distinfo,v 1.14.2.1 2016/07/28 15:29:47 spz Exp $
 
-SHA1 (php-7.0.8.tar.bz2) = c21f1d28ca20d69887bd2c020f8c0219f28d8890
-RMD160 (php-7.0.8.tar.bz2) = abf20356587ee6a11a84b64ca46f36257df0c4b1
-SHA512 (php-7.0.8.tar.bz2) = a1a119ff95ad3902264dbc267753af0cf82b5dddbfcf09a8fc2bc519e16021cbf4bc7f2b33c4fec46d7be7bed8db315371ee11390a6055adf908a3b28a6a6921
-Size (php-7.0.8.tar.bz2) = 14105805 bytes
+SHA1 (php-7.0.9.tar.bz2) = bc94c0c0d548ab4b89840994f9f3b468a3d89c4b
+RMD160 (php-7.0.9.tar.bz2) = d6771507506336da29f88ae59e5d93da4207bfdd
+SHA512 (php-7.0.9.tar.bz2) = 730a59a2564a5564165d8f2ddb357658137e86915dcf05b1186de36763860ddb1b0b95297d3a45e50ae77a0a591ae918bad71331e5a5de8309b88e521115c8db
+Size (php-7.0.9.tar.bz2) = 14870061 bytes
 SHA1 (patch-acinclude.m4) = b682280fd89950c082c2226bdb7364b0dc475bad
 SHA1 (patch-configure) = a129e19ef87338f6e53ccc967c40ddcde7c7357c
 SHA1 (patch-ext_gd_config.m4) = a7ec1bd0d876657d4b5e597b9aa1e97c2d2801e3