pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2006Q3]: pkgsrc Pullup ticket 1889 - requested by adrianp



details:   https://anonhg.NetBSD.org/pkgsrc/rev/e95a95ec2b66
branches:  pkgsrc-2006Q3
changeset: 519147:e95a95ec2b66
user:      ghen <ghen%pkgsrc.org@localhost>
date:      Sun Oct 29 16:47:58 2006 +0000

description:
Pullup ticket 1889 - requested by adrianp
security fix for php

Revisions pulled up:
- pkgsrc/lang/php5/Makefile                     1.44-1.45
- pkgsrc/lang/php5/Makefile.php                 1.20
- pkgsrc/lang/php5/distinfo                     1.30
- pkgsrc/lang/php5/patches/patch-aa             1.1
- pkgsrc/lang/php5/patches/patch-ab             1.2
- pkgsrc/lang/www/ap-php/Makefile               1.12
- pkgsrc/lang/www/php4/Makefile                 1.71-1.72
- pkgsrc/lang/www/php4/Makefile.php             1.36
- pkgsrc/lang/www/php4/distinfo                 1.58
- pkgsrc/lang/www/php4/patches/patch-au         1.3

   Module Name: pkgsrc
   Committed By:        jdolecek
   Date:                Fri Oct 20 22:10:34 UTC 2006

   Modified Files:
        pkgsrc/lang/php5: Makefile Makefile.php
        pkgsrc/www/ap-php: Makefile
        pkgsrc/www/php4: Makefile Makefile.php

   Log Message:
   remove --enable-memory-limit - 8MB is too low, and this just
   duplicates process resource limits, which already provide necessary
   "safety net" protection against rogue scripts

   bump PKGREVISION for this

   addresses PR pkg/32007 by "pancake"

   also remove --enable-track-vars, since that configure argument
   is long gone from PHP
---
   Module Name: pkgsrc
   Committed By:        adrianp
   Date:                Sun Oct 22 13:16:42 UTC 2006

   Modified Files:
        pkgsrc/www/php4: Makefile distinfo
   Added Files:
        pkgsrc/www/php4/patches: patch-au

   Log Message:
   Fix for CVE-2006-4625
   Bump nb
---
   Module Name: pkgsrc
   Committed By:        adrianp
   Date:                Sun Oct 22 13:19:19 UTC 2006

   Modified Files:
        pkgsrc/lang/php5: Makefile distinfo
   Added Files:
        pkgsrc/lang/php5/patches: patch-aa patch-ab

   Log Message:
   Fixes for CVE-2006-4812 and CVE-2006-4625
   Bump nb

diffstat:

 lang/php5/Makefile         |   3 ++-
 lang/php5/Makefile.php     |   5 +----
 lang/php5/distinfo         |   4 +++-
 lang/php5/patches/patch-aa |  21 +++++++++++++++++++++
 lang/php5/patches/patch-ab |  17 +++++++++++++++++
 www/ap-php/Makefile        |   3 ++-
 www/php4/Makefile          |   3 ++-
 www/php4/Makefile.php      |   4 +---
 www/php4/distinfo          |   3 ++-
 www/php4/patches/patch-au  |  16 ++++++++++++++++
 10 files changed, 67 insertions(+), 12 deletions(-)

diffs (169 lines):

diff -r a1782fcd50e8 -r e95a95ec2b66 lang/php5/Makefile
--- a/lang/php5/Makefile        Wed Oct 18 19:46:13 2006 +0000
+++ b/lang/php5/Makefile        Sun Oct 29 16:47:58 2006 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.43 2006/08/19 16:50:44 taca Exp $
+# $NetBSD: Makefile,v 1.43.2.1 2006/10/29 16:47:58 ghen Exp $
 
 PKGNAME=               php-${PHP_BASE_VERS}
+PKGREVISION=           2
 CATEGORIES=            lang
 
 HOMEPAGE=              http://www.php.net/
diff -r a1782fcd50e8 -r e95a95ec2b66 lang/php5/Makefile.php
--- a/lang/php5/Makefile.php    Wed Oct 18 19:46:13 2006 +0000
+++ b/lang/php5/Makefile.php    Sun Oct 29 16:47:58 2006 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.php,v 1.19 2006/06/05 17:24:06 minskim Exp $
+# $NetBSD: Makefile.php,v 1.19.4.1 2006/10/29 16:47:58 ghen Exp $
 #
 
 .include "../../lang/php5/Makefile.common"
@@ -26,9 +26,6 @@
 CONFIGURE_ARGS+=       --without-sqlite
 CONFIGURE_ARGS+=       --without-iconv
 
-CONFIGURE_ARGS+=       --enable-memory-limit
-CONFIGURE_ARGS+=       --enable-track-vars
-
 CONFIGURE_ARGS+=       --disable-posix
 CONFIGURE_ARGS+=       --disable-dom
 CONFIGURE_ARGS+=       --disable-pdo
diff -r a1782fcd50e8 -r e95a95ec2b66 lang/php5/distinfo
--- a/lang/php5/distinfo        Wed Oct 18 19:46:13 2006 +0000
+++ b/lang/php5/distinfo        Sun Oct 29 16:47:58 2006 +0000
@@ -1,8 +1,10 @@
-$NetBSD: distinfo,v 1.29 2006/08/28 12:17:10 taca Exp $
+$NetBSD: distinfo,v 1.29.2.1 2006/10/29 16:47:58 ghen Exp $
 
 SHA1 (php-5.1.6/php-5.1.6.tar.bz2) = a20b946f1de0a8a35a8a6bf437adbba4e5448d27
 RMD160 (php-5.1.6/php-5.1.6.tar.bz2) = 7ac52f4674532397c982f6ced594b70dd17522af
 Size (php-5.1.6/php-5.1.6.tar.bz2) = 6454408 bytes
+SHA1 (patch-aa) = c1ba60ea1e8df9242b1f3c5078808c7968cf0de8
+SHA1 (patch-ab) = e91b34cd6cfadcc7f39e5832241ea711f1c0f827
 SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
 SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587
 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
diff -r a1782fcd50e8 -r e95a95ec2b66 lang/php5/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php5/patches/patch-aa        Sun Oct 29 16:47:58 2006 +0000
@@ -0,0 +1,21 @@
+$NetBSD: patch-aa,v 1.1.2.2 2006/10/29 16:47:58 ghen Exp $
+
+# CVE-2006-4812
+
+--- Zend/zend_alloc.c.orig     2006-08-10 18:16:24.000000000 +0100
++++ Zend/zend_alloc.c
+@@ -331,12 +331,12 @@ ZEND_API void *_ecalloc(size_t nmemb, si
+       int final_size = size*nmemb;
+       
+       HANDLE_BLOCK_INTERRUPTIONS();
+-      p = _emalloc(final_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
++      p = _safe_emalloc(nmemb, size, 0 ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+       if (!p) {
+               HANDLE_UNBLOCK_INTERRUPTIONS();
+               return (void *) p;
+       }
+-      memset(p, 0, final_size);
++      memset(p, 0, size * nmemb);
+       HANDLE_UNBLOCK_INTERRUPTIONS();
+       return p;
+ }
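Review bot: The context line `int final_size = size*nmemb;` at the top of this hunk is left in place, so `_ecalloc` still multiplies the two `size_t` arguments into a signed `int` even though nothing in the visible body reads the result any more. Dropping that declaration would remove the truncating multiplication and make it clear that the overflow check now lives in `_safe_emalloc`. The `memset(p, 0, size * nmemb)` length is only sound if `_safe_emalloc` refuses a product that wraps, which is presumably its purpose but is not shown here. A comment such as `/* size * nmemb cannot wrap here: _safe_emalloc() rejected it above */` would record that dependency. The start of `_ecalloc` lies outside the hunk, so an earlier use of `final_size` cannot be ruled out from this view.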
diff -r a1782fcd50e8 -r e95a95ec2b66 lang/php5/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php5/patches/patch-ab        Sun Oct 29 16:47:58 2006 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-ab,v 1.1.2.2 2006/10/29 16:47:58 ghen Exp $
+
+# CVE-2006-4625
+
+--- Zend/zend_ini.c.orig       2006-01-04 23:53:04.000000000 +0000
++++ Zend/zend_ini.c
+@@ -256,8 +256,8 @@ ZEND_API int zend_restore_ini_entry(char
+       zend_ini_entry *ini_entry;
+       TSRMLS_FETCH();
+ 
+-      if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
+-              return FAILURE;
++      if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE ||
++          (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER) == 0)) {                return FAILURE;
+       }
+ 
+       zend_restore_ini_entry_cb(ini_entry, stage TSRMLS_CC);
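Review bot: The second added line ends with `{`, a long run of spaces and then `return FAILURE;` on the same physical line, which hides the only statement of the branch from anyone reading or grepping the patched `zend_restore_ini_entry`; the `return FAILURE;` should sit on its own indented line. The new permission test is also undocumented, and a comment above the `if` such as `/* at runtime, refuse to restore entries that lack ZEND_INI_USER (CVE-2006-4625) */` would record why it exists. The dereference of `ini_entry` is safe only because `||` short-circuits after a failed `zend_hash_find`, so the order of the two operands must not be swapped in later edits. www/php4/patches/patch-au has the same line layout, and the function continues outside the hunk.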
diff -r a1782fcd50e8 -r e95a95ec2b66 www/ap-php/Makefile
--- a/www/ap-php/Makefile       Wed Oct 18 19:46:13 2006 +0000
+++ b/www/ap-php/Makefile       Sun Oct 29 16:47:58 2006 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.11 2006/07/07 15:49:34 jlam Exp $
+# $NetBSD: Makefile,v 1.11.2.1 2006/10/29 16:47:58 ghen Exp $
 #
 
 PKGNAME=               ${APACHE_PKG_PREFIX}-${PHP_PKG_PREFIX}-${PHP_BASE_VERS}
+PKGREVISION=           1
 COMMENT=               Apache (${PKG_APACHE}) module for ${PKG_PHP}
 
 CONFLICTS=             ap-php-[0-9]*
diff -r a1782fcd50e8 -r e95a95ec2b66 www/php4/Makefile
--- a/www/php4/Makefile Wed Oct 18 19:46:13 2006 +0000
+++ b/www/php4/Makefile Sun Oct 29 16:47:58 2006 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.70 2006/08/10 23:01:40 adrianp Exp $
+# $NetBSD: Makefile,v 1.70.2.1 2006/10/29 16:47:58 ghen Exp $
 
 PKGNAME=               php-${PHP_BASE_VERS}
+PKGREVISION=           2
 CATEGORIES+=           lang
 COMMENT=               HTML-embedded scripting language
 
diff -r a1782fcd50e8 -r e95a95ec2b66 www/php4/Makefile.php
--- a/www/php4/Makefile.php     Wed Oct 18 19:46:13 2006 +0000
+++ b/www/php4/Makefile.php     Sun Oct 29 16:47:58 2006 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.php,v 1.35 2005/12/05 23:55:23 rillig Exp $
+# $NetBSD: Makefile.php,v 1.35.8.1 2006/10/29 16:47:58 ghen Exp $
 
 .include "../../www/php4/Makefile.common"
 
@@ -22,8 +22,6 @@
 .include "../../mk/bsd.prefs.mk"
 
 CONFIGURE_ARGS+=       --with-regex=system
-CONFIGURE_ARGS+=       --enable-memory-limit
-CONFIGURE_ARGS+=       --enable-track-vars
 
 # Support for linking some PHP4 extensions statically into the php CGI and
 # into the apache mod_php.so DSO.
diff -r a1782fcd50e8 -r e95a95ec2b66 www/php4/distinfo
--- a/www/php4/distinfo Wed Oct 18 19:46:13 2006 +0000
+++ b/www/php4/distinfo Sun Oct 29 16:47:58 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.57 2006/08/20 09:44:59 adrianp Exp $
+$NetBSD: distinfo,v 1.57.2.1 2006/10/29 16:47:58 ghen Exp $
 
 SHA1 (php-4.4.4.tar.bz2) = 05d62910fb5734344db87f0a17b1e8e001b26b05
 RMD160 (php-4.4.4.tar.bz2) = 02fd7d5135a9e5ce11d905a4a474a5d42b8441f3
@@ -15,3 +15,4 @@
 SHA1 (patch-ao) = 0fd4becf023451ac8cb185df354830efc86c1344
 SHA1 (patch-ap) = 2f852abd1e9d0f089add18b2eade2831253ad00e
 SHA1 (patch-at) = f8b3aebd61fe2d5b5a994e1d973424a1ed397f63
+SHA1 (patch-au) = 8b8e317dbb9cfc265bf29ebe0827d9b734a1a3b7
diff -r a1782fcd50e8 -r e95a95ec2b66 www/php4/patches/patch-au
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/php4/patches/patch-au Sun Oct 29 16:47:58 2006 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-au,v 1.2.2.1 2006/10/29 16:47:58 ghen Exp $
+
+# CVE-2006-4625
+
+--- Zend/zend_ini.c.orig       2005-09-02 22:09:03.000000000 +0100
++++ Zend/zend_ini.c
+@@ -256,7 +256,8 @@ ZEND_API int zend_restore_ini_entry(char
+       zend_ini_entry *ini_entry;
+       TSRMLS_FETCH();
+ 
+-      if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
++      if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE ||
++            (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifyable & ZEND_INI_USER) == 0)) {                return FAILURE;
+               return FAILURE;
+       }
+ 
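Review bot: The patched `if` body ends up with two `return FAILURE;` statements, one glued to the end of the added condition line and the original one kept as context on the next line, so the second is unreachable. The inner hunk header (`-256,7 +256,8`) confirms that the old return was not removed. Behaviour is unaffected, but the added line should end at `{` so that the existing `return FAILURE;` remains the single statement in the branch. The rest of `zend_restore_ini_entry` is outside the hunk.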


