head 1.5; access; symbols pkgsrc-2013Q2:1.5.0.26 pkgsrc-2013Q2-base:1.5 pkgsrc-2012Q4:1.5.0.24 pkgsrc-2012Q4-base:1.5 pkgsrc-2011Q4:1.5.0.22 pkgsrc-2011Q4-base:1.5 pkgsrc-2011Q2:1.5.0.20 pkgsrc-2011Q2-base:1.5 pkgsrc-2009Q4:1.5.0.18 pkgsrc-2009Q4-base:1.5 pkgsrc-2008Q4:1.5.0.16 pkgsrc-2008Q4-base:1.5 pkgsrc-2008Q3:1.5.0.14 pkgsrc-2008Q3-base:1.5 cube-native-xorg:1.5.0.12 cube-native-xorg-base:1.5 pkgsrc-2008Q2:1.5.0.10 pkgsrc-2008Q2-base:1.5 pkgsrc-2008Q1:1.5.0.8 pkgsrc-2008Q1-base:1.5 pkgsrc-2007Q4:1.5.0.6 pkgsrc-2007Q4-base:1.5 pkgsrc-2007Q3:1.5.0.4 pkgsrc-2007Q3-base:1.5 pkgsrc-2007Q2:1.5.0.2 pkgsrc-2007Q2-base:1.5 pkgsrc-2007Q1:1.3.0.2 pkgsrc-2007Q1-base:1.3 pkgsrc-2006Q4:1.2.0.2 pkgsrc-2006Q4-base:1.2; locks; strict; comment @# @; 1.5 date 2007.05.06.20.07.37; author adrianp; state dead; branches; next 1.4; 1.4 date 2007.05.06.13.08.33; author tron; state Exp; branches; next 1.3; 1.3 date 2007.02.20.20.46.20; author jdolecek; state dead; branches 1.3.2.1; next 1.2; 1.2 date 2006.11.07.17.24.39; author tron; state Exp; branches 1.2.2.1; next 1.1; 1.1 date 2006.11.01.11.33.34; author tron; state Exp; branches; next ; 1.3.2.1 date 2007.05.07.17.36.23; author ghen; state Exp; branches; next 1.3.2.2; 1.3.2.2 date 2007.05.15.23.42.39; author salo; state dead; branches; next ; 1.2.2.1 date 2007.02.23.11.58.10; author ghen; state dead; branches; next ; desc @@ 1.5 log @Update 5.2.2 * Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric) * Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser) * Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser) * Fixed unallocated memory access/double free in in array_user_key_compare() (MOPB-24 by Stefan Esser) * Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser) * Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser). 
* Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser) * Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team) * Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser) * Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev) * Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser) * Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser) * Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia) * Fixed a remotely trigger-able buffer overflow inside make_http_soap_request() (by Ilia Alshanetsky) * Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky) @ text @$NetBSD: patch-ac,v 1.4 2007/05/06 13:08:33 tron Exp $ Patch for CVE-2007-1001, taken from here: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.5&r2=1.5.6.1&view=patch --- ext/gd/libgd/wbmp.c.orig 2003-12-31 01:01:44.000000000 +0000 +++ ext/gd/libgd/wbmp.c 2007-05-06 13:41:13.000000000 +0100 @@@@ -116,6 +116,15 @@@@ if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL) return (NULL); + if (overflow2(sizeof (int), width)) { + gdFree(wbmp); + return NULL; + } + if (overflow2(sizeof (int) * width, height)) { + gdFree(wbmp); + return NULL; + } + if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL) { gdFree (wbmp); @@@@ -176,7 +185,14 @@@@ printf ("W: %d, H: %d\n", wbmp->width, wbmp->height); #endif - if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL) + if (overflow2(sizeof (int), wbmp->width) || + overflow2(sizeof (int) * wbmp->width, wbmp->height)) + { + gdFree(wbmp); + return (-1); + } + + if ((wbmp->bitmap = (int *) safe_emalloc((size_t)wbmp->width * wbmp->height, sizeof(int), 0)) == NULL) { gdFree (wbmp); 
return (-1); @ 1.4 log @Add security fix for CVE-2007-1001 to "php4-gd" and "php5-gd" packages. Bump package revision. @ text @d1 1 a1 1 $NetBSD$ @ 1.3 log @Update PHP5 to 5.2.1. Includes several important security fixes and large number of other fixes. Update for all users is strongly advised. @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.2 2006/11/07 17:24:39 tron Exp $ d3 9 a11 3 --- ext/curl/interface.c.orig 2006-10-11 00:12:59.000000000 +0100 +++ ext/curl/interface.c 2006-11-07 17:17:18.000000000 +0000 @@@@ -28,6 +28,18 @@@@ d13 15 a27 1 #if HAVE_CURL d29 7 a35 7 +#ifndef CURLOPT_PASSWDDATA +#define CURLOPT_PASSWDDATA 0 +#endif + +#ifndef CURLOPT_PASSWDFUNCTION +#define CURLOPT_PASSWDFUNCTION 0 +#endif d37 4 a40 21 +#ifndef CURLOPT_FTPASCII +#define CURLOPT_FTPASCII 0 +#endif + #include #include @@@@ -1158,11 +1170,13 @@@@ dupch->handlers->read->fp = ch->handlers->read->fp; dupch->handlers->read->fd = ch->handlers->read->fd; +#if CURLOPT_PASSWDDATA != 0 if (ch->handlers->passwd) { zval_add_ref(&ch->handlers->passwd); dupch->handlers->passwd = ch->handlers->passwd; curl_easy_setopt(ch->cp, CURLOPT_PASSWDDATA, (void *) dupch); } +#endif if (ch->handlers->write->func_name) { zval_add_ref(&ch->handlers->write->func_name); dupch->handlers->write->func_name = ch->handlers->write->func_name; @ 1.3.2.1 log @Pullup ticket 2078 - requested by tron security fix for php-gd - pkgsrc/graphics/php-gd/Makefile 1.16 - pkgsrc/lang/php5/distinfo 1.39 - pkgsrc/lang/php5/patches/patch-ac 1.4 - pkgsrc/www/php4/distinfo 1.64 - pkgsrc/www/php4/patches/patch-ae 1.7 Module Name: pkgsrc Committed By: tron Date: Sun May 6 13:08:34 UTC 2007 Modified Files: pkgsrc/graphics/php-gd: Makefile pkgsrc/lang/php5: distinfo pkgsrc/www/php4: distinfo Added Files: pkgsrc/lang/php5/patches: patch-ac pkgsrc/www/php4/patches: patch-ae Log Message: Add security fix for CVE-2007-1001 to "php4-gd" and "php5-gd" packages. Bump package revision. 
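Review bot: In the hunk at -116 the allocation still reads `safe_emalloc(sizeof(int), width * height, 0)`, so the product is formed in `int` there, while the hunk at -176 widens it with `(size_t)wbmp->width * wbmp->height`. The two `overflow2` guards in front of it appear to bound the product, so this looks like an inconsistency rather than a remaining overflow, but `safe_emalloc(sizeof(int), (size_t)width * height, 0)` would keep both sites identical and would not depend on the guards staying directly above the call. Both sites would also benefit from a comment such as `/* check sizeof(int)*width first so the second overflow2() operand cannot itself wrap */`, because the order of the two checks is what makes the second one meaningful. Whether `overflow2` also rejects zero or negative dimensions is not visible here and should be confirmed, since the log describes the bug as an invalid image size. The enclosing functions start and end outside both hunks.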
@ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.4 2007/05/06 13:08:33 tron Exp $ d3 5 a7 9 Patch for CVE-2007-1001, taken from here: http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.5&r2=1.5.6.1&view=patch --- ext/gd/libgd/wbmp.c.orig 2003-12-31 01:01:44.000000000 +0000 +++ ext/gd/libgd/wbmp.c 2007-05-06 13:41:13.000000000 +0100 @@@@ -116,6 +116,15 @@@@ if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL) return (NULL); d9 7 a15 8 + if (overflow2(sizeof (int), width)) { + gdFree(wbmp); + return NULL; + } + if (overflow2(sizeof (int) * width, height)) { + gdFree(wbmp); + return NULL; + } d17 10 a26 6 if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL) { gdFree (wbmp); @@@@ -176,7 +185,14 @@@@ printf ("W: %d, H: %d\n", wbmp->width, wbmp->height); #endif d28 10 a37 12 - if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL) + if (overflow2(sizeof (int), wbmp->width) || + overflow2(sizeof (int) * wbmp->width, wbmp->height)) + { + gdFree(wbmp); + return (-1); + } + + if ((wbmp->bitmap = (int *) safe_emalloc((size_t)wbmp->width * wbmp->height, sizeof(int), 0)) == NULL) { gdFree (wbmp); return (-1); @ 1.3.2.2 log @Pullup ticket 2085 - requested by adrianp security update for php5 Updated via patch provided by the submitter. 
Module Name: pkgsrc Committed By: adrianp Date: Sun May 6 20:07:37 UTC 2007 Modified Files: pkgsrc/lang/php5: Makefile Makefile.common distinfo Removed Files: pkgsrc/lang/php5/patches: patch-ac Log Message: Update 5.2.2 * Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric) * Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser) * Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser) * Fixed unallocated memory access/double free in in array_user_key_compare() (MOPB-24 by Stefan Esser) * Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser) * Added missing open_basedir & safe_mode checks to zip:// and bzip:// * wrappers. (MOPB-21 by Stefan Esser). * Limit nesting level of input variables with max_input_nesting_level as fix * for (MOPB-03 by Stefan Esser) * Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team) * Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser) * Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev) * Fixed a header injection via Subject and To parameters to the mail() * function (MOPB-34 by Stefan Esser) * Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan * Esser) * Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia) * Fixed a remotely trigger-able buffer overflow inside * make_http_soap_request() (by Ilia Alshanetsky) * Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky) @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.3.2.1 2007/05/07 17:36:23 ghen Exp $ @ 1.2 log @Make "php-5.2.0" build with "curl-7.16.0". 
@ text @d1 1 a1 1 $NetBSD$ @ 1.2.2.1 log @Pullup ticket 2032 - requested by taca security update for php5 - pkgsrc/graphics/php-gd/Makefile 1.15 - pkgsrc/lang/php5/Makefile.common 1.23 - pkgsrc/lang/php5/Makefile.php 1.22 - pkgsrc/lang/php5/PLIST 1.14 - pkgsrc/lang/php5/distinfo 1.36 - pkgsrc/lang/php5/patches/patch-ac removed - pkgsrc/lang/php5/patches/patch-al 1.3 Module Name: pkgsrc Committed By: jdolecek Date: Tue Feb 20 20:46:20 UTC 2007 Modified Files: pkgsrc/graphics/php-gd: Makefile pkgsrc/lang/php5: Makefile.common Makefile.php PLIST distinfo Added Files: pkgsrc/lang/php5/patches: patch-al Removed Files: pkgsrc/lang/php5/patches: patch-ac Log Message: Update PHP5 to 5.2.1. Includes several important security fixes and large number of other fixes. Update for all users is strongly advised. @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.2 2006/11/07 17:24:39 tron Exp $ @ 1.1 log @Add patch to make the "php-curl" package build with version 7.16.0 and newer of the "curl" package. @ text @d3 3 a5 3 --- ext/curl/interface.c.orig 2006-08-10 18:16:35.000000000 +0100 +++ ext/curl/interface.c 2006-11-01 11:27:50.000000000 +0000 @@@@ -28,6 +28,14 @@@@ d9 4 d24 14 @