OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 03-Dec-2005 19:16:15
Branch: OPENPKG_2_3_SOLID Handle: 2005120318161400
Modified files: (Branch: OPENPKG_2_3_SOLID)
openpkg-src/apache apache.patch.php apache.spec
Log:
Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389,
CVE-2005-3390, CVE-2005-3391)
Summary:
Revision Changes Path
1.4.2.1 +228 -0 openpkg-src/apache/apache.patch.php
1.285.2.7 +1 -1 openpkg-src/apache/apache.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/apache/apache.patch.php
============================================================================
$ cvs diff -u -r1.4 -r1.4.2.1 apache.patch.php
--- openpkg-src/apache/apache.patch.php 6 Feb 2005 13:50:04 -0000
1.4
+++ openpkg-src/apache/apache.patch.php 3 Dec 2005 18:16:14 -0000
1.4.2.1
@@ -81,3 +81,231 @@
#define u_int32_t uint32_t
#endif
+-----------------------------------------------------------------------------
+
+Security Fix (CVE-2005-3353)
+
+Index: ext/exif/exif.c
+--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100
++++ ext/exif/exif.c 2005-12-03 17:41:40 +0100
+@@ -3014,6 +3014,12 @@
+ }
+ }
+ /*
++ * Ignore IFD2 if it purportedly exists
++ */
++ if (section_index == SECTION_THUMBNAIL) {
++ return TRUE;
++ }
++ /*
+ * Hack to make it process IDF1 I hope
+ * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202)
to the thumbnail
+ */
+
+-----------------------------------------------------------------------------
+
+Security Fix (CVE-2005-3388)
+
+Index: ext/standard/info.c
+--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200
++++ ext/standard/info.c 2005-12-03 17:42:11 +0100
+@@ -133,10 +133,21 @@
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
++ zval *tmp3;
++ MAKE_STD_ZVAL(tmp3);
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+ }
++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+ zend_print_zval_r(*tmp, 0);
++ php_ob_get_buffer(tmp3 TSRMLS_CC);
++ php_end_ob_buffer(0, 0 TSRMLS_CC);
++
++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3)
TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
++ zval_ptr_dtor(&tmp3);
++
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("</pre>");
+ }
+@@ -196,7 +207,7 @@
+ PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
+ {
+ int new_len;
+- return php_escape_html_entities(string, strlen(string), &new_len, 0,
ENT_NOQUOTES, NULL TSRMLS_CC);
++ return php_escape_html_entities(string, strlen(string), &new_len, 0,
ENT_QUOTES, NULL TSRMLS_CC);
+ }
+ /* }}} */
+
+
+-----------------------------------------------------------------------------
+
+Security Fix (CVE-2005-3389)
+
+Index: ext/standard/string.c
+--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200
++++ ext/standard/string.c 2005-12-03 17:43:25 +0100
+@@ -3179,7 +3179,6 @@
+ zval *sarg;
+ char *res = NULL;
+ int argCount;
+- int old_rg;
+
+ argCount = ARG_COUNT(ht);
+ if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount,
&arg, &arrayArg) == FAILURE) {
+@@ -3192,19 +3191,18 @@
+ res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
+ }
+
+- old_rg = PG(register_globals);
+ if (argCount == 1) {
+- PG(register_globals) = 1;
+- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
++ zval tmp;
++ Z_ARRVAL(tmp) = EG(active_symbol_table);
++
++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
+ } else {
+- PG(register_globals) = 0;
+ /* Clear out the array that was passed in. */
+ zval_dtor(*arrayArg);
+ array_init(*arrayArg);
+
+ sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
+ }
+- PG(register_globals) = old_rg;
+ }
+ /* }}} */
+
+Index: ext/standard/array.c
+--- ext/standard/array.c.orig 2004-12-02 17:36:41 +0100
++++ ext/standard/array.c 2005-12-03 18:12:00 +0100
+@@ -1243,6 +1243,10 @@
+ /* break omitted intentionally */
+
+ case EXTR_OVERWRITE:
++ /* GLOBALS protection */
++ if (var_exists && !strcmp(var_name, "GLOBALS"))
{
++ break;
++ }
+ smart_str_appendl(&final_name, var_name,
var_name_len);
+ break;
+
+Index: ext/standard/basic_functions.c
+--- ext/standard/basic_functions.c.orig 2004-11-16 00:26:40 +0100
++++ ext/standard/basic_functions.c 2005-12-03 18:12:00 +0100
+@@ -3002,11 +3002,25 @@
+ prefix = va_arg(args, char *);
+ prefix_len = va_arg(args, uint);
+
+- new_key_len = prefix_len + hash_key->nKeyLength;
+- new_key = (char *) emalloc(new_key_len);
++ if (!prefix_len) {
++ if (!hash_key->nKeyLength) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric
key detected - possible security hazard.");
++ return 0;
++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted
GLOBALS variable overwrite.");
++ return 0;
++ }
++ }
+
+- memcpy(new_key, prefix, prefix_len);
+- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ if (hash_key->nKeyLength) {
++ new_key_len = prefix_len + hash_key->nKeyLength;
++ new_key = (char *) emalloc(new_key_len);
++
++ memcpy(new_key, prefix, prefix_len);
++ memcpy(new_key+prefix_len, hash_key->arKey,
hash_key->nKeyLength);
++ } else {
++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix,
hash_key->h);
++ }
+
+ zend_hash_del(&EG(symbol_table), new_key, new_key_len);
+ ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len,
*var, (*var)->refcount+1, 0);
+Index: main/main.c
+--- main/main.c.orig 2004-10-01 16:27:13 +0200
++++ main/main.c 2005-12-03 18:12:01 +0100
+@@ -1339,6 +1339,7 @@
+ ulong num_key;
+ HashPosition pos;
+ int key_type;
++ int globals_check = (PG(register_globals) && (dest ==
(&EG(symbol_table))));
+
+ zend_hash_internal_pointer_reset_ex(src, &pos);
+ while (zend_hash_get_current_data_ex(src, (void **)&src_entry, &pos) ==
SUCCESS) {
+@@ -1349,7 +1350,12 @@
+ || Z_TYPE_PP(dest_entry) != IS_ARRAY) {
+ (*src_entry)->refcount++;
+ if (key_type == HASH_KEY_IS_STRING) {
+- zend_hash_update(dest, string_key,
strlen(string_key)+1, src_entry, sizeof(zval *), NULL);
++ /* if register_globals is on and working with
main symbol table, prevent overwriting of GLOBALS */
++ if (!globals_check || string_key_len !=
sizeof("GLOBALS") || memcmp(string_key, "GLOBALS", sizeof("GLOBALS") - 1)) {
++ zend_hash_update(dest, string_key,
string_key_len, src_entry, sizeof(zval *), NULL);
++ } else {
++ (*src_entry)->refcount--;
++ }
+ } else {
+ zend_hash_index_update(dest, num_key,
src_entry, sizeof(zval *), NULL);
+ }
+Index: main/php_variables.c
+--- main/php_variables.c.orig 2004-10-18 17:08:46 +0200
++++ main/php_variables.c 2005-12-03 18:12:00 +0100
+@@ -73,6 +73,10 @@
+ symtable1 = Z_ARRVAL_P(track_vars_array);
+ } else if (PG(register_globals)) {
+ symtable1 = EG(active_symbol_table);
++ /* GLOBALS hijack attempt, reject parameter */
++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) ||
!strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
++ return;
++ }
+ }
+ if (!symtable1) {
+ /* Nothing to do */
+@@ -99,6 +103,13 @@
+ zval_dtor(val);
+ return;
+ }
++
++ /* GLOBALS hijack attempt, reject parameter */
++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
++ zval_dtor(val);
++ return;
++ }
++
+ /* ensure that we don't have spaces or dots in the variable name (not
binary safe) */
+ for (p=var; *p; p++) {
+ switch(*p) {
+
+-----------------------------------------------------------------------------
+
+Security Fix (CVE-2005-3391)
+
+Index: ext/gd/gd.c
+--- ext/gd/gd.c.orig 2005-05-06 18:51:54 +0200
++++ ext/gd/gd.c 2005-12-03 17:57:09 +0100
+@@ -1644,7 +1644,7 @@
+ }
+
+ if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
+- if (!fn || fn == empty_string || php_check_open_basedir(fn
TSRMLS_CC)) {
++ if (!fn || fn == empty_string || php_check_open_basedir(fn
TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+",
CHECKUID_CHECK_FILE_AND_DIR))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid
filename '%s'", fn);
+ RETURN_FALSE;
+ }
+Index: ext/gd/gd_ctx.c
+--- ext/gd/gd_ctx.c.orig 2004-01-28 17:27:42 +0100
++++ ext/gd/gd_ctx.c 2005-12-03 17:57:09 +0100
+@@ -73,7 +73,7 @@
+ }
+
+ if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
+- if (!fn || fn == empty_string || php_check_open_basedir(fn
TSRMLS_CC)) {
++ if (!fn || fn == empty_string || php_check_open_basedir(fn
TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+",
CHECKUID_CHECK_FILE_AND_DIR))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid
filename '%s'", fn);
+ RETURN_FALSE;
+ }
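Review bot: In the main/php_variables.c section, the second `strncmp` of the added register_globals guard compares the literal `"GLOBALS"` over 8 bytes, so the literal's terminating NUL takes part in the comparison and the clause matches exactly the same input as the first one; it can never match a name that begins with `GLOBALS[`. If the array form was meant to be rejected at this point, the literal needs the bracket: `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`. As written, rejecting the array form appears to rest on the `!strcmp("GLOBALS", var)` check added in the next hunk, which presumably runs after the index part has been split off the name (that code is outside the hunk, so confirm). The early `return;` in this guard also skips the `zval_dtor(val);` that the later added check performs before returning, which looks like a leaked value on the reject path. Separately, in the basic_functions.c section the `spprintf` branch produces a `new_key_len` without the terminating NUL, while the `nKeyLength` branch appears to include it, so the lengths passed to `zend_hash_del` and `ZEND_SET_SYMBOL_WITH_LENGTH` may be inconsistent between string and numeric keys.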
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/apache/apache.spec
============================================================================
$ cvs diff -u -r1.285.2.6 -r1.285.2.7 apache.spec
--- openpkg-src/apache/apache.spec 18 Oct 2005 08:07:04 -0000
1.285.2.6
+++ openpkg-src/apache/apache.spec 3 Dec 2005 18:16:14 -0000
1.285.2.7
@@ -66,7 +66,7 @@
Group: Web
License: ASF
Version: %{V_apache}
-Release: 2.3.5
+Release: 2.3.6
# package options (suexec related)
%option with_suexec yes
@@ .