OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 03-Dec-2005 18:49:08
Branch: OPENPKG_2_5_SOLID Handle: 2005120317490701

Modified files: (Branch: OPENPKG_2_5_SOLID)
openpkg-src/apache apache.patch.php apache.spec

Log:
Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391)

Summary:
Revision Changes Path
1.5.4.1 +266 -0 openpkg-src/apache/apache.patch.php
1.308.2.5 +1 -1 openpkg-src/apache/apache.spec
____________________________________________________________________________

patch -p0 <<'@@ .'
Index: openpkg-src/apache/apache.patch.php
============================================================================
$ cvs diff -u -r1.5 -r1.5.4.1 apache.patch.php
--- openpkg-src/apache/apache.patch.php 1 Apr 2005 06:20:27 -0000 1.5
+++ openpkg-src/apache/apache.patch.php 3 Dec 2005 17:49:07 -0000 1.5.4.1
@@ -60,3 +60,269 @@
 } else {
 PDF_open_mem(pdf, pdf_flushwrite);
 }
+
+-----------------------------------------------------------------------------
+
+Security Fix (CAN-2005-3054)
+
+Index: main/fopen_wrappers.c
+--- main/fopen_wrappers.c.orig 2005-02-03 00:44:07 +0100
++++ main/fopen_wrappers.c 2005-10-04 21:52:15 +0200
+@@ -120,8 +120,8 @@
+ /* Handler for basedirs that end with a / */
+ resolved_basedir_len = strlen(resolved_basedir);
+ if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
+- if (resolved_basedir[resolved_basedir_len - 1] == '/') {
+- resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR;
++ if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {
++ resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
+ resolved_basedir[++resolved_basedir_len] = '\0';
+ }
+ }
+
+-----------------------------------------------------------------------------
+
+Security Fix (CVE-2005-3353)
+
+Index: ext/exif/exif.c
+--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100
++++ ext/exif/exif.c 2005-12-03 17:41:40 +0100
+@@ -3014,6 +3014,12 @@
+ }
+ }
+ /*
++ * Ignore IFD2 if it purportedly exists
++ */
++ if (section_index == SECTION_THUMBNAIL) {
++ return TRUE;
++ }
++ /*
+ * Hack to make it process IDF1 I hope
+ * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
+ */
+
+-----------------------------------------------------------------------------
+
+Security Fix (CVE-2005-3388)
+
+Index: ext/standard/info.c
+--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200
++++ ext/standard/info.c 2005-12-03 17:42:11 +0100
+@@ -133,10 +133,21 @@
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
++ zval *tmp3;
++ MAKE_STD_ZVAL(tmp3);
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+ }
++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+ zend_print_zval_r(*tmp, 0);
++ php_ob_get_buffer(tmp3 TSRMLS_CC);
++ php_end_ob_buffer(0, 0 TSRMLS_CC);
++
++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
++ zval_ptr_dtor(&tmp3);
++
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("</pre>");
+ }
+@@ -196,7 +207,7 @@
+ PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
+ {
+ int new_len;
+- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+ }
+ /* }}} */
+
+
+-----------------------------------------------------------------------------
+
+Security Fix (CVE-2005-3389)
+
+Index: ext/standard/string.c
+--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200
++++ ext/standard/string.c 2005-12-03 17:43:25 +0100
+@@ -3179,7 +3179,6 @@
+ zval *sarg;
+ char *res = NULL;
+ int argCount;
+- int old_rg;
+
+ argCount = ARG_COUNT(ht);
+ if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
+@@ -3192,19 +3191,18 @@
+ res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
+ }
+
+- old_rg = PG(register_globals);
+ if (argCount == 1) {
+- PG(register_globals) = 1;
+- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
++ zval tmp;
++ Z_ARRVAL(tmp) = EG(active_symbol_table);
++
++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
+ } else {
+- PG(register_globals) = 0;
+ /* Clear out the array that was passed in. */
+ zval_dtor(*arrayArg);
+ array_init(*arrayArg);
+
+ sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
+ }
+- PG(register_globals) = old_rg;
+ }
+ /* }}} */
+
+
+-----------------------------------------------------------------------------
+
+Security Fix (CVE-2005-3390)
+
+Index: ext/standard/array.c
+--- ext/standard/array.c.orig 2005-06-21 14:11:19 +0200
++++ ext/standard/array.c 2005-12-03 17:54:00 +0100
+@@ -1252,6 +1252,10 @@
+ /* break omitted intentionally */
+
+ case EXTR_OVERWRITE:
++ /* GLOBALS protection */
++ if (var_exists && !strcmp(var_name, "GLOBALS")) {
++ break;
++ }
+ smart_str_appendl(&final_name, var_name, var_name_len);
+ break;
+
+Index: ext/standard/basic_functions.c
+--- ext/standard/basic_functions.c.orig 2005-05-16 10:55:31 +0200
++++ ext/standard/basic_functions.c 2005-12-03 17:54:00 +0100
+@@ -3038,11 +3038,25 @@
+ prefix = va_arg(args, char *);
+ prefix_len = va_arg(args, uint);
+
+- new_key_len = prefix_len + hash_key->nKeyLength;
+- new_key = (char *) emalloc(new_key_len);
++ if (!prefix_len) {
++ if (!hash_key->nKeyLength) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
++ return 0;
++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
++ return 0;
++ }
++ }
+
+- memcpy(new_key, prefix, prefix_len);
+- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ if (hash_key->nKeyLength) {
++ new_key_len = prefix_len + hash_key->nKeyLength;
++ new_key = (char *) emalloc(new_key_len);
++
++ memcpy(new_key, prefix, prefix_len);
++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ } else {
++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
++ }
+
+ zend_hash_del(&EG(symbol_table), new_key, new_key_len);
+ ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
+Index: main/php_variables.c
+--- main/php_variables.c.orig 2005-05-17 20:42:35 +0200
++++ main/php_variables.c 2005-12-03 17:54:00 +0100
+@@ -73,6 +73,10 @@
+ symtable1 = Z_ARRVAL_P(track_vars_array);
+ } else if (PG(register_globals)) {
+ symtable1 = EG(active_symbol_table);
++ /* GLOBALS hijack attempt, reject parameter */
++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
++ return;
++ }
+ }
+ if (!symtable1) {
+ /* Nothing to do */
+@@ -99,6 +103,13 @@
+ zval_dtor(val);
+ return;
+ }
++
++ /* GLOBALS hijack attempt, reject parameter */
++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
++ zval_dtor(val);
++ return;
++ }
++
+ /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
+ for (p=var; *p; p++) {
+ switch(*p) {
+
+-----------------------------------------------------------------------------
+
+Security Fix (CVE-2005-3391)
+
+Index: ext/curl/curl.c
+--- ext/curl/curl.c.orig 2005-06-02 23:05:06 +0200
++++ ext/curl/curl.c 2005-12-03 17:57:09 +0100
+@@ -66,7 +66,7 @@
+ #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
+
+ #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
+- if (PG(open_basedir) && *PG(open_basedir) && \
++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
+ strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
+ { \
+ php_url *tmp_url; \
+@@ -76,7 +76,7 @@
+ RETURN_FALSE; \
+ } \
+ \
+- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
+ ) { \
+ php_url_free(tmp_url); \
+@@ -992,10 +992,15 @@
+
+ postval = Z_STRVAL_PP(current);
+ if (*postval == '@') {
++ ++postval;
++ /* safe_mode / open_basedir check */
++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
++ RETURN_FALSE;
++ }
+ error = curl_formadd(&first, &last,
+ CURLFORM_COPYNAME, string_key,
+ CURLFORM_NAMELENGTH, (long)string_key_len - 1,
+- CURLFORM_FILE, ++postval,
++ CURLFORM_FILE, postval,
+ CURLFORM_END);
+ }
+ else {
+Index: ext/gd/gd.c
+--- ext/gd/gd.c.orig 2005-05-06 18:51:54 +0200
++++ ext/gd/gd.c 2005-12-03 17:57:09 +0100
+@@ -1644,7 +1644,7 @@
+ }
+
+ if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
+- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
++ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
+ RETURN_FALSE;
+ }
+Index: ext/gd/gd_ctx.c
+--- ext/gd/gd_ctx.c.orig 2004-01-28 17:27:42 +0100
++++ ext/gd/gd_ctx.c 2005-12-03 17:57:09 +0100
+@@ -73,7 +73,7 @@
+ }
+
+ if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
+- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
++ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
+ RETURN_FALSE;
+ }
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/apache/apache.spec
============================================================================
$ cvs diff -u -r1.308.2.4 -r1.308.2.5 apache.spec
--- openpkg-src/apache/apache.spec 20 Nov 2005 13:42:24 -0000 1.308.2.4
+++ openpkg-src/apache/apache.spec 3 Dec 2005 17:49:08 -0000 1.308.2.5
@@ -65,7 +65,7 @@
 Group: Web
 License: ASF
 Version: %{V_apache}
-Release: 2.5.3
+Release: 2.5.4
 
 # package options (suexec related)
 %option with_suexec yes
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List openpkg-cvs@openpkg.org
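Review bot: In the php_variables.c hunk at `@@ -73,6 +73,10 @@`, the new GLOBALS rejection inside the `else if (PG(register_globals))` branch is a bare `return;`, while the second rejection added at `@@ -99,6 +103,13 @@` and the existing rejection path directly above it both do `zval_dtor(val); return;` before leaving. Unless the caller still owns `val` at that earlier point, which the hunk does not show, every request parameter named GLOBALS that trips the first check leaks its value; the two lines should read `zval_dtor(val);` followed by `return;`, matching the sibling paths. A comment such as `/* sizeof("GLOBALS") includes the NUL, so the first strncmp is an exact-name match; the second catches the GLOBALS[...] array form */` would also make the pair of length arguments easier to audit, since at first glance both read as prefix tests. The enclosing function starts and ends outside the hunk.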