
[pkgsrc/pkgsrc-2018Q2]: pkgsrc/lang Pullup ticket #5800 - requested by taca



details:   https://anonhg.NetBSD.org/pkgsrc/rev/bc03cc5e4126
branches:  pkgsrc-2018Q2
changeset: 313949:bc03cc5e4126
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Fri Aug 17 17:39:36 2018 +0000

description:
Pullup ticket #5800 - requested by taca
lang/php56: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.225
- lang/php56/Makefile.php                                       1.5
- lang/php56/distinfo                                           1.49-1.50
- lang/php56/patches/patch-disable-filter-url                   1.1

---
   Module Name: pkgsrc
   Committed By:        manu
   Date:                Wed Jul 18 07:33:12 UTC 2018

   Modified Files:
        pkgsrc/lang/php56: Makefile.php distinfo
        pkgsrc/lang/php70: Makefile.php distinfo
        pkgsrc/lang/php71: Makefile.php distinfo
        pkgsrc/lang/php72: Makefile.php distinfo
   Added Files:
        pkgsrc/lang/php56/patches: patch-disable-filter-url
        pkgsrc/lang/php70/patches: patch-disable-filter-url
        pkgsrc/lang/php71/patches: patch-disable-filter-url
        pkgsrc/lang/php72/patches: patch-disable-filter-url

   Log Message:
   Add pkgsrc build option disable-filter-url to disable php://filter URL

   php://filter URL is a feature documented here:
   http://php.net/manual/en/wrappers.php.php

   Unfortunately, it allows remote control of include() behavior
   beyond what many developers expected, enabling an easy dump of
   PHP source files. The administrator may want to disable the
   feature for security's sake, and this option makes that possible.

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Fri Jul 20 13:28:48 UTC 2018

   Modified Files:
        pkgsrc/lang/php: phpversion.mk
        pkgsrc/lang/php56: distinfo

   Log Message:
   lang/php56: update to 5.6.37

   19 Jul 2018, PHP 5.6.37

   - Exif:
     . Fixed bug #76423 (Int Overflow lead to Heap OverFlow in
       exif_thumbnail_extract of exif.c). (Stas)
     . Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif
       data). (Stas)

   - Win32:
     . Fixed bug #76459 (windows linkinfo lacks openbasedir check). (Anatol)

diffstat:

 lang/php/phpversion.mk                      |   4 +-
 lang/php56/Makefile.php                     |   8 +++++-
 lang/php56/distinfo                         |  11 +++++----
 lang/php56/patches/patch-disable-filter-url |  34 +++++++++++++++++++++++++++++
 4 files changed, 48 insertions(+), 9 deletions(-)

diffs (105 lines):

diff -r a44c79982f60 -r bc03cc5e4126 lang/php/phpversion.mk
--- a/lang/php/phpversion.mk    Fri Aug 17 17:37:21 2018 +0000
+++ b/lang/php/phpversion.mk    Fri Aug 17 17:39:36 2018 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: phpversion.mk,v 1.221.2.3 2018/08/17 17:37:21 bsiegert Exp $
+# $NetBSD: phpversion.mk,v 1.221.2.4 2018/08/17 17:39:36 bsiegert Exp $
 #
 # This file selects a PHP version, based on the user's preferences and
 # the installed packages. It does not add a dependency on the PHP
@@ -87,7 +87,7 @@
 PHPVERSION_MK= defined
 
 # Define each PHP's version.
-PHP56_VERSION= 5.6.36
+PHP56_VERSION= 5.6.37
 PHP70_VERSION= 7.0.31
 PHP71_VERSION= 7.1.20
 PHP72_VERSION= 7.2.8
diff -r a44c79982f60 -r bc03cc5e4126 lang/php56/Makefile.php
--- a/lang/php56/Makefile.php   Fri Aug 17 17:37:21 2018 +0000
+++ b/lang/php56/Makefile.php   Fri Aug 17 17:39:36 2018 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.php,v 1.4 2017/07/12 09:11:35 manu Exp $
+# $NetBSD: Makefile.php,v 1.4.10.1 2018/08/17 17:39:36 bsiegert Exp $
 # used by lang/php56/Makefile
 # used by www/ap-php/Makefile
 # used by www/php-fpm/Makefile
@@ -42,7 +42,7 @@
 .include "../../textproc/libxml2/buildlink3.mk"
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.${PHP_PKG_PREFIX}
-PKG_SUPPORTED_OPTIONS+=        inet6 ssl maintainer-zts readline
+PKG_SUPPORTED_OPTIONS+=        inet6 ssl maintainer-zts readline disable-filter-url
 PKG_SUGGESTED_OPTIONS+=        inet6 ssl
 
 .if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD"
@@ -89,5 +89,9 @@
 INSTALL_MAKE_FLAGS+=   -r
 .endif
 
+.if !empty(PKG_OPTIONS:Mdisable-filter-url)
+CFLAGS+=               -DDISABLE_FILTER_URL
+.endif
+
 DL_AUTO_VARS=          yes
 .include "../../mk/dlopen.buildlink3.mk"
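Review bot: The new `disable-filter-url` entry on the `PKG_SUPPORTED_OPTIONS` line and the `-DDISABLE_FILTER_URL` block say nothing about what enabling the option costs, and because this Makefile.php is also used by www/ap-php and www/php-fpm (per the header comments) the setting propagates to those packages as well. The patch this macro drives makes every `php://filter/...` open fall through to the generic "Invalid php:// URL specified" warning, so applications that use stream filters for legitimate purposes stop working, not only attacker-controlled include paths. A one-line comment above the `.if` would spare the next maintainer a trip into the patch file: `# disable-filter-url compiles out the php://filter wrapper (see patches/patch-disable-filter-url); any php://filter/ URL then fails with "Invalid php:// URL", including legitimate use.` Whether the option also needs an entry in the pkgsrc options description file is outside this diff and worth checking.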
diff -r a44c79982f60 -r bc03cc5e4126 lang/php56/distinfo
--- a/lang/php56/distinfo       Fri Aug 17 17:37:21 2018 +0000
+++ b/lang/php56/distinfo       Fri Aug 17 17:39:36 2018 +0000
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.48 2018/04/29 16:26:40 taca Exp $
+$NetBSD: distinfo,v 1.48.2.1 2018/08/17 17:39:36 bsiegert Exp $
 
-SHA1 (php-5.6.36.tar.bz2) = c5cf00d9d6e212e1d10cfd45adbe73c936312e43
-RMD160 (php-5.6.36.tar.bz2) = 91d662d8dba9cd6ed9b14244afcae4c12c25ff01
-SHA512 (php-5.6.36.tar.bz2) = 39988e3be529cdbb12aab848de7bc132475e2c81d322403bc7015b6f8c178334f2bc98cad70ea9426596da8ce160d78ce077578d37c668b7bd481da10bbd8bce
-Size (php-5.6.36.tar.bz2) = 15057704 bytes
+SHA1 (php-5.6.37.tar.bz2) = 4672d3d43f3de9aa77799be5bf41f11008e920a5
+RMD160 (php-5.6.37.tar.bz2) = 0690834e3a68fa8ac6d89ac0d73bb50930ab8077
+SHA512 (php-5.6.37.tar.bz2) = 9cdd7710893ceb464a4818b853a2a70a02f55ece1d23cafe9a5529fdfa9ac1b23cf0eb944bd812825ec946901967a76254b10a38db835759be048cbc01795776
+Size (php-5.6.37.tar.bz2) = 15057773 bytes
 SHA1 (patch-acinclude.m4) = 34d38d2538cc00932cdfcc80d1d4a91632cd15d0
 SHA1 (patch-configure) = a5623b0cbb3331fd0a537b26c0ae48315d52dbe2
+SHA1 (patch-disable-filter-url) = a2b08912d81f2872bf1834fa4cefddb044c9d0f8
 SHA1 (patch-ext_gd_config.m4) = b92ab4c7fe8aceaef7787a607a7d2eac258fee19
 SHA1 (patch-ext_imap_config.m4) = 9c6ed6966366c4fe1b7cfd34b5910e2ff0e68577
 SHA1 (patch-ext_mssql_php__mssql.c) = c4fa9231dc539ffb027f1beb6f182f21ddb94a3c
diff -r a44c79982f60 -r bc03cc5e4126 lang/php56/patches/patch-disable-filter-url
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php56/patches/patch-disable-filter-url       Fri Aug 17 17:39:36 2018 +0000
@@ -0,0 +1,34 @@
+$NetBSD: patch-disable-filter-url,v 1.1.2.2 2018/08/17 17:39:36 bsiegert Exp $
+
+Add build-time disable option for dangerous php://filter URL
+
+php://filter URL is a feature documented here:
+http://php.net/manual/en/wrappers.php.php
+
+Unfortunately, it allows remote control of include() behavior
+beyond what many developpers expected, enabling easy dump of 
+PHP source files. The administrator may want to disable the
+feature for security sake, and this patch makes that possible.
+
+--- ./ext/standard/php_fopen_wrapper.c.orig
++++ ./ext/standard/php_fopen_wrapper.c
+@@ -333,8 +333,9 @@
+                               "Error duping file descriptor %ld; possibly it doesn't exist: "
+                               "[%d]: %s", fildes_ori, errno, strerror(errno));
+                       return NULL;
+               }
++#ifndef DISABLE_FILTER_URL
+       } else if (!strncasecmp(path, "filter/", 7)) {
+               /* Save time/memory when chain isn't specified */
+               if (strchr(mode, 'r') || strchr(mode, '+')) {
+                       mode_rw |= PHP_STREAM_FILTER_READ;
+@@ -369,8 +370,9 @@
+               }
+               efree(pathdup);
+ 
+               return stream;
++#endif /* !DISABLE_FILTER_URL */
+       } else {
+               /* invalid php://thingy */
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid php:// URL specified");
+               return NULL;
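Review bot: The `#ifndef DISABLE_FILTER_URL` block removes one read primitive, but the patch header at the top of the file presents this as addressing "remote control of include() behavior", which it does not: the underlying weakness is an application passing user input to include(), and with php://filter compiled out that include still reaches the filesystem directly, and as far as this patch shows every other stream wrapper stays compiled in. The header should say this is a hardening option with functional impact rather than a security fix, e.g. `This does not fix include() of user-controlled paths; it only removes the php://filter wrapper that lets an attacker read source that would otherwise be executed. Other wrappers are untouched, and legitimate php://filter users will break.` At the code level a comment on the `#ifndef` line noting that a `filter/` path now falls through to the "Invalid php:// URL specified" warning below would help anyone debugging a site that legitimately used stream filters. The enclosing function starts and ends outside both embedded hunks.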


