head 1.7; access; symbols pkgsrc-2013Q2:1.7.0.8 pkgsrc-2013Q2-base:1.7 pkgsrc-2012Q4:1.7.0.6 pkgsrc-2012Q4-base:1.7 pkgsrc-2011Q4:1.7.0.4 pkgsrc-2011Q4-base:1.7 pkgsrc-2011Q2:1.7.0.2 pkgsrc-2011Q2-base:1.7 pkgsrc-2009Q4:1.5.0.18 pkgsrc-2009Q4-base:1.5 pkgsrc-2008Q4:1.5.0.16 pkgsrc-2008Q4-base:1.5 pkgsrc-2008Q3:1.5.0.14 pkgsrc-2008Q3-base:1.5 cube-native-xorg:1.5.0.12 cube-native-xorg-base:1.5 pkgsrc-2008Q2:1.5.0.10 pkgsrc-2008Q2-base:1.5 pkgsrc-2008Q1:1.5.0.8 pkgsrc-2008Q1-base:1.5 pkgsrc-2007Q4:1.5.0.6 pkgsrc-2007Q4-base:1.5 pkgsrc-2007Q3:1.5.0.4 pkgsrc-2007Q3-base:1.5 pkgsrc-2007Q2:1.5.0.2 pkgsrc-2007Q2-base:1.5 pkgsrc-2007Q1:1.2.0.4 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.2 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.1.0.2; locks; strict; comment @# @; 1.7 date 2011.01.07.09.16.28; author taca; state dead; branches; next 1.6; 1.6 date 2011.01.06.22.13.24; author jklos; state Exp; branches; next 1.5; 1.5 date 2007.05.06.20.07.36; author adrianp; state dead; branches; next 1.4; 1.4 date 2007.04.29.12.30.18; author taca; state Exp; branches; next 1.3; 1.3 date 2007.04.28.22.05.51; author sborrill; state Exp; branches; next 1.2; 1.2 date 2006.11.06.22.06.35; author jdolecek; state dead; branches; next 1.1; 1.1 date 2006.10.22.13.19.19; author adrianp; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2006.10.22.13.19.19; author ghen; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2006.10.29.16.47.58; author ghen; state Exp; branches; next ; desc @@ 1.7 log @Update php5 package to 5.2.17. * patch-ab (Fix VAX floating point handling) is merged into PHP 5.2.17. 06 Jan 2010, PHP 5.2.17 - Fixed Bug #53632 (infinite loop with x87 fpu). 
(CVE-2010-4645) (Scott, Rasmus) @ text @$NetBSD: patch-ab,v 1.6 2011/01/06 22:13:24 jklos Exp $ --- Zend/zend_strtod.c.orig 2008-09-15 11:47:03.000000000 +0000 +++ Zend/zend_strtod.c @@@@ -164,6 +164,7 @@@@ typedef unsigned long int uint32_t; #ifdef __vax__ #define VAX +#undef IEEE_LITTLE_ENDIAN #endif #if defined(_MSC_VER) @ 1.6 log @Fix VAX floating point handling in zend_strtod.c. @ text @d1 1 a1 1 $NetBSD$ @ 1.5 log @Update 5.2.2 * Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric) * Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser) * Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser) * Fixed unallocated memory access/double free in in array_user_key_compare() (MOPB-24 by Stefan Esser) * Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser) * Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser). * Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser) * Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team) * Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser) * Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev) * Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser) * Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser) * Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia) * Fixed a remotely trigger-able buffer overflow inside make_http_soap_request() (by Ilia Alshanetsky) * Fixed a buffer overflow inside user_filter_factory_create(). 
(by Ilia Alshanetsky) @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.4 2007/04/29 12:30:18 taca Exp $ d3 7 a9 88 --- TSRM/tsrm_virtual_cwd.c.orig 2007-04-28 22:51:43.000000000 +0100 +++ TSRM/tsrm_virtual_cwd.c 2007-04-28 22:52:15.000000000 +0100 @@@@ -474,7 +474,11 @@@@ realpath_cache_bucket *bucket; time_t t = 0; int ret; + int use_cache; + int use_relative_path = 0; TSRMLS_FETCH(); + + use_cache = ((use_realpath != CWD_EXPAND) && CWDG(realpath_cache_size_limit)); if (path_length == 0) return (0); @@@@ -488,27 +492,32 @@@@ /* cwd_length can be 0 when getcwd() fails. * This can happen under solaris when a dir does not have read permissions * but *does* have execute permissions */ - if (!IS_ABSOLUTE_PATH(path, path_length) && (state->cwd_length > 0)) { - int orig_path_len; - int state_cwd_length = state->cwd_length; + if (!IS_ABSOLUTE_PATH(path, path_length)) { + if (state->cwd_length == 0) { + use_cache = 0; + use_relative_path = 1; + } else { + int orig_path_len; + int state_cwd_length = state->cwd_length; #ifdef TSRM_WIN32 - if (IS_SLASH(path[0])) { - state_cwd_length = 2; - } + if (IS_SLASH(path[0])) { + state_cwd_length = 2; + } #endif - orig_path_len = path_length + state_cwd_length + 1; - if (orig_path_len >= MAXPATHLEN) { - return 1; + orig_path_len = path_length + state_cwd_length + 1; + if (orig_path_len >= MAXPATHLEN) { + return 1; + } + memcpy(orig_path, state->cwd, state_cwd_length); + orig_path[state_cwd_length] = DEFAULT_SLASH; + memcpy(orig_path + state_cwd_length + 1, path, path_length + 1); + path = orig_path; + path_length = orig_path_len; } - memcpy(orig_path, state->cwd, state_cwd_length); - orig_path[state_cwd_length] = DEFAULT_SLASH; - memcpy(orig_path + state_cwd_length + 1, path, path_length + 1); - path = orig_path; - path_length = orig_path_len; } - if (use_realpath != CWD_EXPAND && CWDG(realpath_cache_size_limit)) { + if (use_cache) { t = CWDG(realpath_cache_ttl)?time(NULL):0; if ((bucket = realpath_cache_find(path, path_length, t TSRMLS_CC)) != 
NULL) { int len = bucket->realpath_len; @@@@ -548,18 +557,19 @@@@ #endif } else { char *ptr, *path_copy, *free_path; - char *tok = NULL; + char *tok; int ptr_length; #ifdef TSRM_WIN32 - int is_unc = 0; + int is_unc; #endif - no_realpath: free_path = path_copy = tsrm_strndup(path, path_length); CWD_STATE_COPY(&old_state, state); -#ifdef TSRM_WIN32 +#ifdef TSRM_WIN32 + ret = 0; + is_unc = 0; if (path_length >= 2 && path[1] == ':') { state->cwd = (char *) realloc(state->cwd, 2 + 1); state->cwd[0] = toupper(path[0]); @@@@ -583,6 +593,7 @@@@ } a10 120 + tok = NULL; ptr = tsrm_strtok_r(path_copy, TOKENIZER_STRING, &tok); while (ptr) { ptr_length = strlen(ptr); @@@@ -590,6 +601,12 @@@@ if (IS_DIRECTORY_UP(ptr, ptr_length)) { char save; + if (use_relative_path) { + CWD_STATE_FREE(state); + *state = old_state; + return 1; + } + save = DEFAULT_SLASH; #define PREVIOUS state->cwd[state->cwd_length - 1] @@@@ -609,33 +626,38 @@@@ state->cwd_length--; } } else if (!IS_DIRECTORY_CURRENT(ptr, ptr_length)) { - state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1+1); + if (use_relative_path) { + state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1); + use_relative_path = 0; + } else { + state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1+1); #ifdef TSRM_WIN32 - /* Windows 9x will consider C:\\Foo as a network path. Avoid it. */ - if (state->cwd_length < 2 || - (state->cwd[state->cwd_length-1]!='\\' && state->cwd[state->cwd_length-1]!='/') || - IsDBCSLeadByte(state->cwd[state->cwd_length-2])) { - state->cwd[state->cwd_length++] = DEFAULT_SLASH; - } + /* Windows 9x will consider C:\\Foo as a network path. Avoid it. 
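Review bot: The early return added under `if (use_relative_path)` in the `@@ -590,6 +601,12 @@` hunk of TSRM/tsrm_virtual_cwd.c leaves `free_path` allocated. That buffer comes from `tsrm_strndup(path, path_length)` (visible as context in the `-548` hunk) and is otherwise released by the `free(free_path);` after the token loop; the failure path this patch removes in the `-652` hunk also freed it before returning. Add `free(free_path);` ahead of `CWD_STATE_FREE(state);` in the new branch so that every rejected relative path containing `..` does not leak a copy of the input. The enclosing function starts and ends outside the hunk.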
*/ + if (state->cwd_length < 2 || + (state->cwd[state->cwd_length-1]!='\\' && state->cwd[state->cwd_length-1]!='/') || + IsDBCSLeadByte(state->cwd[state->cwd_length-2])) { + state->cwd[state->cwd_length++] = DEFAULT_SLASH; + } #elif defined(NETWARE) - /* - Below code keeps appending to state->cwd a File system seperator - cases where this appending should not happen is given below, - a) sys: should just be left as it is - b) sys:system should just be left as it is, - Colon is allowed only in the first token as volume names alone can have the : in their names. - Files and Directories cannot have : in their names - So the check goes like this, - For second token and above simply append the DEFAULT_SLASH to the state->cwd. - For first token check for the existence of : - if it exists don't append the DEFAULT_SLASH to the state->cwd. - */ - if(((state->cwd_length == 0) && (strchr(ptr, ':') == NULL)) || (state->cwd_length > 0)) { - state->cwd[state->cwd_length++] = DEFAULT_SLASH; - } + /* + Below code keeps appending to state->cwd a File system seperator + cases where this appending should not happen is given below, + a) sys: should just be left as it is + b) sys:system should just be left as it is, + Colon is allowed only in the first token as volume names alone can have the : in their names. + Files and Directories cannot have : in their names + So the check goes like this, + For second token and above simply append the DEFAULT_SLASH to the state->cwd. + For first token check for the existence of : + if it exists don't append the DEFAULT_SLASH to the state->cwd. 
+ */ + if(((state->cwd_length == 0) && (strchr(ptr, ':') == NULL)) || (state->cwd_length > 0)) { + state->cwd[state->cwd_length++] = DEFAULT_SLASH; + } #else - state->cwd[state->cwd_length++] = DEFAULT_SLASH; + state->cwd[state->cwd_length++] = DEFAULT_SLASH; #endif + } memcpy(&state->cwd[state->cwd_length], ptr, ptr_length+1); #ifdef TSRM_WIN32 @@@@ -652,14 +674,14 @@@@ memcpy(&state->cwd[state->cwd_length], data.cFileName, length+1); ptr_length = length; FindClose(hFind); + ret = 0; } else if (use_realpath == CWD_REALPATH) { if (is_unc) { + /* skip share name */ is_unc--; + ret = 0; } else { - free(free_path); - CWD_STATE_FREE(state); - *state = old_state; - return 1; + ret = 1; } } } @@@@ -672,6 +694,12 @@@@ free(free_path); + if ((use_realpath == CWD_REALPATH) && ret) { + CWD_STATE_FREE(state); + *state = old_state; + return 1; + } + if (state->cwd_length == COPY_WHEN_ABSOLUTE(state->cwd)) { state->cwd = (char *) realloc(state->cwd, state->cwd_length+1+1); state->cwd[state->cwd_length] = DEFAULT_SLASH; @@@@ -680,7 +708,7 @@@@ } } - if (use_realpath != CWD_EXPAND && CWDG(realpath_cache_size_limit)) { + if (use_cache) { realpath_cache_add(path, path_length, state->cwd, state->cwd_length, t TSRMLS_CC); } d12 1 @ 1.4 log @Remove first hunk which contains RCS Id only from patch-ab. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.3 2007/04/28 22:05:51 sborrill Exp $ @ 1.3 log @Patch to fix PHP bug #40326 (cannot open file from cwd if parent folder not readable). Patch will be in 5.2.2, so this patch can be removed once it has been released. @ text @d1 1 a1 1 $NetBSD$ a4 9 @@@@ -17,7 +17,7 @@@@ +----------------------------------------------------------------------+ */ -/* $Id: tsrm_virtual_cwd.c,v 1.74.2.9.2.22 2007/01/26 15:15:05 dmitry Exp $ */ +/* $Id: tsrm_virtual_cwd.c,v 1.74.2.9.2.26 2007/04/12 15:28:58 dmitry Exp $ */ #include #include @ 1.2 log @Update lang/php5 to 5.2.0. 
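Review bot: Both `realloc` calls on the new side of the `@@ -609,33 +626,38 @@` hunk assign straight back to `state->cwd`, and the `memcpy` that follows writes through the result without a NULL check. If the allocation fails the previous buffer is lost and the copy dereferences a null pointer; the patch re-indents this existing pattern and duplicates it into the new `use_relative_path` branch rather than fixing it. Taking the result in a temporary and, on NULL, freeing `free_path`, restoring `old_state` and returning 1 (the same sequence the other failure paths in this patch use) would close both problems. The function body continues outside the hunk.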
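Review bot: The new test `if ((use_realpath == CWD_REALPATH) && ret)` in the `@@ -672,6 +694,12 @@` hunk reads `ret`, yet the assignments this patch adds are all Windows-side: `ret = 0;` directly under `#ifdef TSRM_WIN32` in the `-548` hunk and the `ret = 0;` / `ret = 1;` lines around `FindClose` in the `-652` hunk, while the `-474` hunk shows the declaration as plain `int ret;`. If the test is compiled on non-Windows builds and nothing earlier in the function assigns `ret` on this path (neither is visible here), it reads an indeterminate value and can fail path resolution spuriously. Moving `ret = 0;` above the `#ifdef TSRM_WIN32`, next to `CWD_STATE_COPY(&old_state, state);`, would make the check well-defined on every platform.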
Changes since 5.1.6: The key features of PHP 5.2.0 include: * New memory manager for the Zend Engine with improved performance and a more accurate memory usage tracking. * Input filtering extension was added and enabled by default. * JSON extension was added and enabled by default. * ZIP extension for creating and editing zip files was introduced. * Hooks for tracking file upload progress were introduced. * Introduced E_RECOVERABLE_ERROR error mode. * Introduced DateTime and DateTimeZone objects with methods to manipulate date/time information. * Upgraded bundled SQLite, PCRE libraries. * Upgraded OpenSSL, MySQL and PostgreSQL client libraries for Windows installations. * Many performance improvements. * Over 200 bug fixes. Security Enhancements and Fixes in PHP 5.2.0: * Made PostgreSQL escaping functions in PostgreSQL and PDO extension keep track of character set encoding whenever possible. * Added allow_url_include, set to Off by default to disallow use of URLs for include and require. * Disable realpath cache when open_basedir and safe_mode are being used. * Improved safe_mode enforcement for error_log() function. * Fixed a possible buffer overflow in the underlying code responsible for htmlspecialchars() and htmlentities() functions. * Added missing safe_mode and open_basedir checks for the cURL extension. * Fixed overflow is str_repeat() & wordwrap() functions on 64bit machines. * Fixed handling of long paths inside the tempnam() function. * Fixed safe_mode/open_basedir checks for session.save_path, allowing them to account for extra parameters. * Fixed ini setting overload in the ini_restore() function. 
For a full list of changes in PHP 5.2.0, see the ChangeLog: http://www.php.net/ChangeLog-5.php#5.2.0 Also other notable extensions changes: * filePRO extension removed (not in PECL yet, php-filepro disabled for PHP5) * JSON added (not enabled by default, packaged in php-json) * filter added (enabled by default) * wddx rewritten to native libxml2, fixing several encoding bugs @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.1 2006/10/22 13:19:19 adrianp Exp $ d3 17 a19 6 # CVE-2006-4625 --- Zend/zend_ini.c.orig 2006-01-04 23:53:04.000000000 +0000 +++ Zend/zend_ini.c @@@@ -256,8 +256,8 @@@@ ZEND_API int zend_restore_ini_entry(char zend_ini_entry *ini_entry; d21 195 d217 3 a219 4 - if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) { - return FAILURE; + if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE || + (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER) == 0)) { return FAILURE; a221 1 zend_restore_ini_entry_cb(ini_entry, stage TSRMLS_CC); @ 1.1 log @Fixes for CVE-2006-4812 and CVE-2006-4625 Bump nb @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ab was added on branch pkgsrc-2006Q3 on 2006-10-22 13:19:19 +0000 @ text @d1 17 @ 1.1.2.2 log @Pullup ticket 1889 - requested by adrianp security fix for php Revisions pulled up: - pkgsrc/lang/php5/Makefile 1.44-1.45 - pkgsrc/lang/php5/Makefile.php 1.20 - pkgsrc/lang/php5/distinfo 1.30 - pkgsrc/lang/php5/patches/patch-aa 1.1 - pkgsrc/lang/php5/patches/patch-ab 1.2 - pkgsrc/lang/www/ap-php/Makefile 1.12 - pkgsrc/lang/www/php4/Makefile 1.71-1.72 - pkgsrc/lang/www/php4/Makefile.php 1.36 - pkgsrc/lang/www/php4/distinfo 1.58 - pkgsrc/lang/www/php4/patches/patch-au 1.3 Module Name: pkgsrc Committed By: jdolecek Date: Fri Oct 20 22:10:34 UTC 2006 Modified Files: pkgsrc/lang/php5: Makefile Makefile.php pkgsrc/www/ap-php: Makefile pkgsrc/www/php4: Makefile Makefile.php Log Message: remove --enable-memory-limit - 8MB is too low, and 
this just duplicates process resource limits, which already provide necessary "safety net" protection against rogue scripts bump PKGREVISION for this adressess PR pkg/32007 by "pancake" also remove --enable-track-vars, since that configure argument is long gone from PHP --- Module Name: pkgsrc Committed By: adrianp Date: Sun Oct 22 13:16:42 UTC 2006 Modified Files: pkgsrc/www/php4: Makefile distinfo Added Files: pkgsrc/www/php4/patches: patch-au Log Message: Fix for CVE-2006-4625 Bump nb --- Module Name: pkgsrc Committed By: adrianp Date: Sun Oct 22 13:19:19 UTC 2006 Modified Files: pkgsrc/lang/php5: Makefile distinfo Added Files: pkgsrc/lang/php5/patches: patch-aa patch-ab Log Message: Fixes for CVE-2006-4812 and CVE-2006-4625 Bump nb @ text @a0 17 $NetBSD: patch-ab,v 1.1.2.1 2006/10/29 16:47:58 ghen Exp $ # CVE-2006-4625 --- Zend/zend_ini.c.orig 2006-01-04 23:53:04.000000000 +0000 +++ Zend/zend_ini.c @@@@ -256,8 +256,8 @@@@ ZEND_API int zend_restore_ini_entry(char zend_ini_entry *ini_entry; TSRMLS_FETCH(); - if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) { - return FAILURE; + if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE || + (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER) == 0)) { return FAILURE; } zend_restore_ini_entry_cb(ini_entry, stage TSRMLS_CC); @
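Review bot: The condition added to `zend_restore_ini_entry` in Zend/zend_ini.c is a privilege check and should carry a comment saying so. At `ZEND_INI_STAGE_RUNTIME` it refuses to restore an entry whose `modifiable` mask lacks `ZEND_INI_USER`, which appears to be what keeps script code from resetting administrator-only settings (the patch header tags it CVE-2006-4625). A line such as `/* runtime callers may only restore entries that are ZEND_INI_USER-modifiable */` above the `if` would keep a later refactor from dropping it. The same comment should note that the check relies on `||` short-circuiting, because `ini_entry` is only valid once `zend_hash_find` has succeeded. The function body continues outside the hunk.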