Pullup ticket #5800 - requested by taca
lang/php56: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.225
- lang/php56/Makefile.php 1.5
- lang/php56/distinfo 1.49-1.50
- lang/php56/patches/patch-disable-filter-url 1.1
---
Module Name: pkgsrc
Committed By: manu
Date: Wed Jul 18 07:33:12 UTC 2018
Modified Files:
pkgsrc/lang/php56: Makefile.php distinfo
pkgsrc/lang/php70: Makefile.php distinfo
pkgsrc/lang/php71: Makefile.php distinfo
pkgsrc/lang/php72: Makefile.php distinfo
Added Files:
pkgsrc/lang/php56/patches: patch-disable-filter-url
pkgsrc/lang/php70/patches: patch-disable-filter-url
pkgsrc/lang/php71/patches: patch-disable-filter-url
pkgsrc/lang/php72/patches: patch-disable-filter-url
Log Message:
Add pkgsrc build option disable-filter-url to disable php://filter URL
php://filter URL is a feature documented here:
http://php.net/manual/en/wrappers.php.php
Unfortunately, it allows remote control of include() behavior
beyond what many developpers expected, enabling easy dump of
PHP source files. The administrator may want to disable the
feature for security sake, and this option makes that possible.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jul 20 13:28:48 UTC 2018
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: distinfo
Log Message:
lang/php56: update to 5.6.37
19 Jul 2018, PHP 5.6.37
- Exif:
. Fixed bug #76423 (Int Overflow lead to Heap OverFlow in
exif_thumbnail_extract of exif.c). (Stas)
. Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif
data). (Stas)
- Win32:
. Fixed bug #76459 (windows linkinfo lacks openbasedir check). (Anatol)
(bsiegert)
diff -r1.221.2.3 -r1.221.2.4 pkgsrc/lang/php/phpversion.mk| @@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
| 1 | # $NetBSD: phpversion.mk,v 1.221.2.3 2018/08/17 17:37:21 bsiegert Exp $ | 1 | # $NetBSD: phpversion.mk,v 1.221.2.4 2018/08/17 17:39:36 bsiegert Exp $ | |
| 2 | # | 2 | # | |
| 3 | # This file selects a PHP version, based on the user's preferences and | 3 | # This file selects a PHP version, based on the user's preferences and | |
| 4 | # the installed packages. It does not add a dependency on the PHP | 4 | # the installed packages. It does not add a dependency on the PHP | |
| 5 | # package. | 5 | # package. | |
| 6 | # | 6 | # | |
| 7 | # === User-settable variables === | 7 | # === User-settable variables === | |
| 8 | # | 8 | # | |
| 9 | # PHP_VERSION_DEFAULT | 9 | # PHP_VERSION_DEFAULT | |
| 10 | # The PHP version to choose when more than one is acceptable to | 10 | # The PHP version to choose when more than one is acceptable to | |
| 11 | # the package. | 11 | # the package. | |
| 12 | # | 12 | # | |
| 13 | # Possible: 56 70 71 72 | 13 | # Possible: 56 70 71 72 | |
| 14 | # Default: 71 | 14 | # Default: 71 | |
| @@ -77,27 +77,27 @@ | @@ -77,27 +77,27 @@ | |||
| 77 | # PHP_EXTENSION_DIR | 77 | # PHP_EXTENSION_DIR | |
| 78 | # Relative path to ${PREFIX} for PHP's extensions. It is derived from | 78 | # Relative path to ${PREFIX} for PHP's extensions. It is derived from | |
| 79 | # initial release of major version. | 79 | # initial release of major version. | |
| 80 | # | 80 | # | |
| 81 | # Example: lib/php/20140828 | 81 | # Example: lib/php/20140828 | |
| 82 | # | 82 | # | |
| 83 | # Keywords: php | 83 | # Keywords: php | |
| 84 | # | 84 | # | |
| 85 | 85 | |||
| 86 | .if !defined(PHPVERSION_MK) | 86 | .if !defined(PHPVERSION_MK) | |
| 87 | PHPVERSION_MK= defined | 87 | PHPVERSION_MK= defined | |
| 88 | 88 | |||
| 89 | # Define each PHP's version. | 89 | # Define each PHP's version. | |
| 90 | PHP56_VERSION= 5.6.36 | 90 | PHP56_VERSION= 5.6.37 | |
| 91 | PHP70_VERSION= 7.0.31 | 91 | PHP70_VERSION= 7.0.31 | |
| 92 | PHP71_VERSION= 7.1.20 | 92 | PHP71_VERSION= 7.1.20 | |
| 93 | PHP72_VERSION= 7.2.8 | 93 | PHP72_VERSION= 7.2.8 | |
| 94 | 94 | |||
| 95 | # Define initial release of major version. | 95 | # Define initial release of major version. | |
| 96 | PHP56_RELDATE= 20140828 | 96 | PHP56_RELDATE= 20140828 | |
| 97 | PHP70_RELDATE= 20151203 | 97 | PHP70_RELDATE= 20151203 | |
| 98 | PHP71_RELDATE= 20160303 | 98 | PHP71_RELDATE= 20160303 | |
| 99 | PHP72_RELDATE= 20170718 | 99 | PHP72_RELDATE= 20170718 | |
| 100 | 100 | |||
| 101 | _VARGROUPS+= php | 101 | _VARGROUPS+= php | |
| 102 | _USER_VARS.php= PHP_VERSION_DEFAULT | 102 | _USER_VARS.php= PHP_VERSION_DEFAULT | |
| 103 | _PKG_VARS.php= PHP_VERSIONS_ACCEPTED PHP_VERSION_REQD | 103 | _PKG_VARS.php= PHP_VERSIONS_ACCEPTED PHP_VERSION_REQD |
| @@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
| 1 | # $NetBSD: Makefile.php,v 1.4 2017/07/12 09:11:35 manu Exp $ | 1 | # $NetBSD: Makefile.php,v 1.4.10.1 2018/08/17 17:39:36 bsiegert Exp $ | |
| 2 | # used by lang/php56/Makefile | 2 | # used by lang/php56/Makefile | |
| 3 | # used by www/ap-php/Makefile | 3 | # used by www/ap-php/Makefile | |
| 4 | # used by www/php-fpm/Makefile | 4 | # used by www/php-fpm/Makefile | |
| 5 | 5 | |||
| 6 | .include "../../lang/php56/Makefile.common" | 6 | .include "../../lang/php56/Makefile.common" | |
| 7 | 7 | |||
| 8 | DISTINFO_FILE= ${.CURDIR}/../../lang/php56/distinfo | 8 | DISTINFO_FILE= ${.CURDIR}/../../lang/php56/distinfo | |
| 9 | PATCHDIR= ${.CURDIR}/../../lang/php56/patches | 9 | PATCHDIR= ${.CURDIR}/../../lang/php56/patches | |
| 10 | 10 | |||
| 11 | USE_LIBTOOL= YES | 11 | USE_LIBTOOL= YES | |
| 12 | USE_LANGUAGES= c c++ | 12 | USE_LANGUAGES= c c++ | |
| 13 | GNU_CONFIGURE= YES | 13 | GNU_CONFIGURE= YES | |
| 14 | BUILD_DEFS+= VARBASE | 14 | BUILD_DEFS+= VARBASE | |
| @@ -32,27 +32,27 @@ CONFIGURE_ARGS+= --without-pear | @@ -32,27 +32,27 @@ CONFIGURE_ARGS+= --without-pear | |||
| 32 | 32 | |||
| 33 | CONFIGURE_ARGS+= --disable-posix | 33 | CONFIGURE_ARGS+= --disable-posix | |
| 34 | CONFIGURE_ARGS+= --disable-opcache | 34 | CONFIGURE_ARGS+= --disable-opcache | |
| 35 | CONFIGURE_ARGS+= --disable-pdo | 35 | CONFIGURE_ARGS+= --disable-pdo | |
| 36 | CONFIGURE_ARGS+= --disable-json | 36 | CONFIGURE_ARGS+= --disable-json | |
| 37 | 37 | |||
| 38 | CONFIGURE_ARGS+= --enable-cgi | 38 | CONFIGURE_ARGS+= --enable-cgi | |
| 39 | CONFIGURE_ARGS+= --enable-mysqlnd | 39 | CONFIGURE_ARGS+= --enable-mysqlnd | |
| 40 | CONFIGURE_ARGS+= --enable-xml | 40 | CONFIGURE_ARGS+= --enable-xml | |
| 41 | CONFIGURE_ARGS+= --with-libxml-dir=${PREFIX} | 41 | CONFIGURE_ARGS+= --with-libxml-dir=${PREFIX} | |
| 42 | .include "../../textproc/libxml2/buildlink3.mk" | 42 | .include "../../textproc/libxml2/buildlink3.mk" | |
| 43 | 43 | |||
| 44 | PKG_OPTIONS_VAR= PKG_OPTIONS.${PHP_PKG_PREFIX} | 44 | PKG_OPTIONS_VAR= PKG_OPTIONS.${PHP_PKG_PREFIX} | |
| 45 | PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline | 45 | PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline disable-filter-url | |
| 46 | PKG_SUGGESTED_OPTIONS+= inet6 ssl | 46 | PKG_SUGGESTED_OPTIONS+= inet6 ssl | |
| 47 | 47 | |||
| 48 | .if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD" | 48 | .if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD" | |
| 49 | PKG_SUPPORTED_OPTIONS+= dtrace | 49 | PKG_SUPPORTED_OPTIONS+= dtrace | |
| 50 | .endif | 50 | .endif | |
| 51 | 51 | |||
| 52 | .include "../../mk/bsd.options.mk" | 52 | .include "../../mk/bsd.options.mk" | |
| 53 | 53 | |||
| 54 | .if !empty(PKG_OPTIONS:Minet6) | 54 | .if !empty(PKG_OPTIONS:Minet6) | |
| 55 | CONFIGURE_ARGS+= --enable-ipv6 | 55 | CONFIGURE_ARGS+= --enable-ipv6 | |
| 56 | .else | 56 | .else | |
| 57 | CONFIGURE_ARGS+= --disable-ipv6 | 57 | CONFIGURE_ARGS+= --disable-ipv6 | |
| 58 | .endif | 58 | .endif | |
| @@ -79,15 +79,19 @@ USE_GNU_READLINE= yes | @@ -79,15 +79,19 @@ USE_GNU_READLINE= yes | |||
| 79 | CONFIGURE_ARGS+= --with-readline=${BUILDLINK_PREFIX.readline} | 79 | CONFIGURE_ARGS+= --with-readline=${BUILDLINK_PREFIX.readline} | |
| 80 | .else | 80 | .else | |
| 81 | CONFIGURE_ARGS+= --without-readline | 81 | CONFIGURE_ARGS+= --without-readline | |
| 82 | .endif | 82 | .endif | |
| 83 | 83 | |||
| 84 | .if !empty(PKG_OPTIONS:Mdtrace) | 84 | .if !empty(PKG_OPTIONS:Mdtrace) | |
| 85 | PLIST.dtrace= yes | 85 | PLIST.dtrace= yes | |
| 86 | CONFIGURE_ARGS+= --enable-dtrace | 86 | CONFIGURE_ARGS+= --enable-dtrace | |
| 87 | 87 | |||
| 88 | # See https://bugs.php.net/bug.php?id=61268 | 88 | # See https://bugs.php.net/bug.php?id=61268 | |
| 89 | INSTALL_MAKE_FLAGS+= -r | 89 | INSTALL_MAKE_FLAGS+= -r | |
| 90 | .endif | 90 | .endif | |
| 91 | 91 | |||
| 92 | .if !empty(PKG_OPTIONS:Mdisable-filter-url) | |||
| 93 | CFLAGS+= -DDISABLE_FILTER_URL | |||
| 94 | .endif | |||
| 95 | ||||
| 92 | DL_AUTO_VARS= yes | 96 | DL_AUTO_VARS= yes | |
| 93 | .include "../../mk/dlopen.buildlink3.mk" | 97 | .include "../../mk/dlopen.buildlink3.mk" |
| @@ -1,21 +1,22 @@ | @@ -1,21 +1,22 @@ | |||
| 1 | $NetBSD: distinfo,v 1.48 2018/04/29 16:26:40 taca Exp $ | 1 | $NetBSD: distinfo,v 1.48.2.1 2018/08/17 17:39:36 bsiegert Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (php-5.6.36.tar.bz2) = c5cf00d9d6e212e1d10cfd45adbe73c936312e43 | 3 | SHA1 (php-5.6.37.tar.bz2) = 4672d3d43f3de9aa77799be5bf41f11008e920a5 | |
| 4 | RMD160 (php-5.6.36.tar.bz2) = 91d662d8dba9cd6ed9b14244afcae4c12c25ff01 | 4 | RMD160 (php-5.6.37.tar.bz2) = 0690834e3a68fa8ac6d89ac0d73bb50930ab8077 | |
| 5 | SHA512 (php-5.6.36.tar.bz2) = 39988e3be529cdbb12aab848de7bc132475e2c81d322403bc7015b6f8c178334f2bc98cad70ea9426596da8ce160d78ce077578d37c668b7bd481da10bbd8bce | 5 | SHA512 (php-5.6.37.tar.bz2) = 9cdd7710893ceb464a4818b853a2a70a02f55ece1d23cafe9a5529fdfa9ac1b23cf0eb944bd812825ec946901967a76254b10a38db835759be048cbc01795776 | |
| 6 | Size (php-5.6.36.tar.bz2) = 15057704 bytes | 6 | Size (php-5.6.37.tar.bz2) = 15057773 bytes | |
| 7 | SHA1 (patch-acinclude.m4) = 34d38d2538cc00932cdfcc80d1d4a91632cd15d0 | 7 | SHA1 (patch-acinclude.m4) = 34d38d2538cc00932cdfcc80d1d4a91632cd15d0 | |
| 8 | SHA1 (patch-configure) = a5623b0cbb3331fd0a537b26c0ae48315d52dbe2 | 8 | SHA1 (patch-configure) = a5623b0cbb3331fd0a537b26c0ae48315d52dbe2 | |
| 9 | SHA1 (patch-disable-filter-url) = a2b08912d81f2872bf1834fa4cefddb044c9d0f8 | |||
| 9 | SHA1 (patch-ext_gd_config.m4) = b92ab4c7fe8aceaef7787a607a7d2eac258fee19 | 10 | SHA1 (patch-ext_gd_config.m4) = b92ab4c7fe8aceaef7787a607a7d2eac258fee19 | |
| 10 | SHA1 (patch-ext_imap_config.m4) = 9c6ed6966366c4fe1b7cfd34b5910e2ff0e68577 | 11 | SHA1 (patch-ext_imap_config.m4) = 9c6ed6966366c4fe1b7cfd34b5910e2ff0e68577 | |
| 11 | SHA1 (patch-ext_mssql_php__mssql.c) = c4fa9231dc539ffb027f1beb6f182f21ddb94a3c | 12 | SHA1 (patch-ext_mssql_php__mssql.c) = c4fa9231dc539ffb027f1beb6f182f21ddb94a3c | |
| 12 | SHA1 (patch-ext_pcre_pcrelib_config.h) = 26588e9932ee715e32c872a1c7e2f9c640bd9cf8 | 13 | SHA1 (patch-ext_pcre_pcrelib_config.h) = 26588e9932ee715e32c872a1c7e2f9c640bd9cf8 | |
| 13 | SHA1 (patch-ext_pdo__mysql_config.m4) = 9d25c673fc151e1b8ae137f2a0fc540189ef5398 | 14 | SHA1 (patch-ext_pdo__mysql_config.m4) = 9d25c673fc151e1b8ae137f2a0fc540189ef5398 | |
| 14 | SHA1 (patch-ext_pdo_config.m4) = f6deef3ac631769baa587dd7c27e55bd2e9ca6a5 | 15 | SHA1 (patch-ext_pdo_config.m4) = f6deef3ac631769baa587dd7c27e55bd2e9ca6a5 | |
| 15 | SHA1 (patch-ext_phar_Makefile.frag) = 1564c188e57d48f83de7c2420fdde183598539e2 | 16 | SHA1 (patch-ext_phar_Makefile.frag) = 1564c188e57d48f83de7c2420fdde183598539e2 | |
| 16 | SHA1 (patch-ext_phar_phar_phar.php) = 5a82d55c7965027115065412f9b68defb278db64 | 17 | SHA1 (patch-ext_phar_phar_phar.php) = 5a82d55c7965027115065412f9b68defb278db64 | |
| 17 | SHA1 (patch-ext_recode_recode.c) = a97a1815d6a41410f68c289debbb9396128a2159 | 18 | SHA1 (patch-ext_recode_recode.c) = a97a1815d6a41410f68c289debbb9396128a2159 | |
| 18 | SHA1 (patch-ext_sqlite3_libsqlite_sqlite3.c) = 85cd8f3e115705aa2eeab0e7229f24422e322a7f | 19 | SHA1 (patch-ext_sqlite3_libsqlite_sqlite3.c) = 85cd8f3e115705aa2eeab0e7229f24422e322a7f | |
| 19 | SHA1 (patch-ext_standard_basic__functions.c) = 669fe55c975bf2d971f6fdcb5b3004f7e20304d2 | 20 | SHA1 (patch-ext_standard_basic__functions.c) = 669fe55c975bf2d971f6fdcb5b3004f7e20304d2 | |
| 20 | SHA1 (patch-ext_standard_php__dns.h) = 57c5d6d8ae60da58925abc2c51d66b56762fecda | 21 | SHA1 (patch-ext_standard_php__dns.h) = 57c5d6d8ae60da58925abc2c51d66b56762fecda | |
| 21 | SHA1 (patch-ext_tidy_tidy.c) = dd66f203196af544dcc06fe2229ba23c3086d3e8 | 22 | SHA1 (patch-ext_tidy_tidy.c) = dd66f203196af544dcc06fe2229ba23c3086d3e8 |
$NetBSD: patch-disable-filter-url,v 1.1.2.2 2018/08/17 17:39:36 bsiegert Exp $
Add build-time disable option for dangerous php://filter URL
php://filter URL is a feature documented here:
http://php.net/manual/en/wrappers.php.php
Unfortunately, it allows remote control of include() behavior
beyond what many developpers expected, enabling easy dump of
PHP source files. The administrator may want to disable the
feature for security sake, and this patch makes that possible.
--- ./ext/standard/php_fopen_wrapper.c.orig
+++ ./ext/standard/php_fopen_wrapper.c
@@ -333,8 +333,9 @@
"Error duping file descriptor %ld; possibly it doesn't exist: "
"[%d]: %s", fildes_ori, errno, strerror(errno));
return NULL;
}
+#ifndef DISABLE_FILTER_URL
} else if (!strncasecmp(path, "filter/", 7)) {
/* Save time/memory when chain isn't specified */
if (strchr(mode, 'r') || strchr(mode, '+')) {
mode_rw |= PHP_STREAM_FILTER_READ;
@@ -369,8 +370,9 @@
}
efree(pathdup);
return stream;
+#endif /* !DISABLE_FILTER_URL */
} else {
/* invalid php://thingy */
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid php:// URL specified");
return NULL;