OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src openpkg-web Date: 07-Jul-2003 15:49:02
Branch: OPENPKG_1_1_SOLID HEAD Handle: 2003070714490001
Modified files:
openpkg-web news.txt
Modified files: (Branch: OPENPKG_1_1_SOLID)
openpkg-src/apache apache.spec php.patch
Log:
SA-2003.032-php; CAN-2002-0985, CAN-2002-0986, CAN-2003-0442
Summary:
Revision Changes Path
1.81.2.7 +1 -1 openpkg-src/apache/apache.spec
1.1.2.2 +85 -0 openpkg-src/apache/php.patch
1.5422 +1 -0 openpkg-web/news.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/apache/apache.spec
============================================================================
$ cvs diff -u -r1.81.2.6 -r1.81.2.7 apache.spec
--- openpkg-src/apache/apache.spec 18 Mar 2003 15:04:22 -0000 1.81.2.6
+++ openpkg-src/apache/apache.spec 7 Jul 2003 13:49:01 -0000 1.81.2.7
@@ -143,7 +143,7 @@
Group: Web
License: ASF
Version: %{V_apache}
-Release: 1.1.4
+Release: 1.1.5
# list of sources
Source0: http://www.apache.org/dist/httpd/apache_%{V_apache}.tar.gz
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/apache/php.patch
============================================================================
$ cvs diff -u -r1.1.2.1 -r1.1.2.2 php.patch
--- openpkg-src/apache/php.patch 22 Jan 2003 12:22:27 -0000 1.1.2.1
+++ openpkg-src/apache/php.patch 7 Jul 2003 13:49:01 -0000 1.1.2.2
@@ -103,3 +103,88 @@
RETURN_STRINGL(newtext, newtextlen, 0);
}
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985
+ The mail function in PHP 4.x to 4.2.2 may allow remote attackers to
+ bypass safe mode restrictions and modify command line arguments to
+ the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA
+ behavior and possibly executing commands.
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
+ The mail function in PHP 4.x to 4.2.2 does not filter ASCII control
+ characters from its arguments, which could allow remote attackers to
+ modify mail message content, including mail headers, and possibly
+ use PHP as a "spam proxy."
+
+diff -u -r1.48 -r1.48.2.3
+--- php-4.2.2/ext/standard/mail.c 28 Feb 2002 08:26:46 -0000 1.48
++++ php-4.2.2/ext/standard/mail.c 24 Aug 2002 11:38:13 -0000 1.48.2.3
+@@ -70,8 +70,12 @@
+ PHP_FUNCTION(mail)
+ {
+ char *to=NULL, *message=NULL, *headers=NULL, *subject=NULL, *extra_cmd=NULL;
+- int to_len,message_len,headers_len,subject_len,extra_cmd_len;
++ int to_len,message_len,headers_len,subject_len,extra_cmd_len,i;
+
++ if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
++ php_error(E_WARNING, "%s(): SAFE MODE Restriction in effect. The
fifth parameter is disabled in SAFE MODE.", get_active_function_name(TSRMLS_C));
++ RETURN_FALSE;
++ }
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ss",
+ &to, &to_len,
+@@ -83,14 +87,28 @@
+ return;
+ }
+
+- for(to_len--;to_len;to_len--) {
+- if(!isspace(to[to_len]))break;
+- to[to_len]='\0';
++ if (to_len > 0) {
++ for(;to_len;to_len--) {
++ if(!isspace((unsigned char)to[to_len-1]))break;
++ to[to_len-1]='\0';
++ }
++ for(i=0;to[i];i++) {
++ if (iscntrl((unsigned char)to[i])) {
++ to[i]=' ';
++ }
++ }
+ }
+
+- for(subject_len--;subject_len;subject_len--) {
+- if(!isspace(subject[subject_len]))break;
+- subject[subject_len]='\0';
++ if (subject_len > 0) {
++ for(;subject_len;subject_len--) {
++ if(!isspace((unsigned char)subject[subject_len-1]))break;
++ subject[subject_len-1]='\0';
++ }
++ for(i=0;subject[i];i++) {
++ if (iscntrl((unsigned char)subject[i])) {
++ subject[i]=' ';
++ }
++ }
+ }
+
+ if(extra_cmd)
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442
+ Cross-site scripting (XSS) vulnerability in the transparent SID
+ support capability for PHP before 4.3.2 (session.use_trans_sid)
+ allows remote attackers to insert arbitrary script via the PHPSESSID
+ parameter.
+
+--- php-4.2.2/ext/session/session.c.orig
++++ php-4.2.2/ext/session/session.c
+@@ -84,7 +84,9 @@
+ static void php_session_output_handler(char *output, uint output_len, char
**handled_output, uint *handled_output_len, int mode TSRMLS_DC)
+ {
+ if ((PS(session_status) == php_session_active)) {
+- *handled_output = url_adapt_ext_ex(output, output_len,
PS(session_name), PS(id), handled_output_len, (zend_bool) (mode&PHP_OUTPUT_HANDLER_END
? 1 : 0) TSRMLS_CC);
++ char *encoded = php_url_encode(PS(id), strlen(PS(id)), NULL);
++ *handled_output = url_adapt_ext_ex(output, output_len,
PS(session_name), encoded, handled_output_len, (zend_bool)
(mode&PHP_OUTPUT_HANDLER_END ? 1 : 0) TSRMLS_CC);
++ efree(encoded);
+ } else {
+ *handled_output = NULL;
+ }
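Review bot: In the nested mail.c hunk the new `iscntrl()` scrub covers only `to` and `subject`, so `headers` (the fourth argument) still reaches the MTA with whatever CR/LF the caller supplied. Multi-line headers are legitimate, so it cannot be scrubbed the same way, but the CAN-2002-0986 fix therefore does not protect applications that build `headers` from request data. A comment beside the scrub loops would make that explicit, e.g. `/* headers is passed through unfiltered: callers must reject CR/LF in any user-supplied header value */`. The safe-mode guard only blocks the fifth argument in safe mode; outside it `extra_cmd` is still used, and its handling after `if(extra_cmd)` lies outside the hunk, so whether MTA option injection is prevented there cannot be confirmed from this patch. In the session.c hunk the id is URL-encoded only at rewrite time, so a client-supplied PHPSESSID presumably still becomes the session id; validating its character set where it is read (code not visible here) would be the more complete fix.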
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/news.txt
============================================================================
$ cvs diff -u -r1.5421 -r1.5422 news.txt
--- openpkg-web/news.txt 7 Jul 2003 13:48:25 -0000 1.5421
+++ openpkg-web/news.txt 7 Jul 2003 13:49:00 -0000 1.5422
@@ -1,3 +1,4 @@
+07-Jul-2003: Upgraded package: P<apache-1.3.26-1.1.5>
07-Jul-2003: Upgraded package: P<php-4.2.2-1.1.2>
07-Jul-2003: Upgraded package: P<txt2man-1.4.8-20030707>
07-Jul-2003: Upgraded package: P<bc-1.06-20030707>
@@ .