[CVS] OpenPKG: openpkg-src/gcc41/ gcc41.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 20:10:27 Branch: HEAD Handle: 2005120319102600 Modified files: openpkg-src/gcc41 gcc41.spec Log: upgrading package: gcc41 4.1s20051125 -> 4.1s20051202 Summary: RevisionChanges Path 1.38+2 -2 openpkg-src/gcc41/gcc41.spec
patch -p0 <<'@@ .'
Index: openpkg-src/gcc41/gcc41.spec
$ cvs diff -u -r1.37 -r1.38 gcc41.spec
--- openpkg-src/gcc41/gcc41.spec 26 Nov 2005 08:40:03 - 1.37
+++ openpkg-src/gcc41/gcc41.spec 3 Dec 2005 19:10:26 - 1.38
@@ -25,7 +25,7 @@
 # package version
 %define V_full 4.1
 %define V_comp 41
-%define V_snap 20051125
+%define V_snap 20051202
 # package information
 Name: gcc41
@@ -38,7 +38,7 @@
 Group:Compiler
 License: GPL
 Version: %{V_full}s%{V_snap}
-Release: 20051126
+Release: 20051203
 # package options
 %option with_cxx yes
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/perl-www/ perl-www.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 20:08:33 Branch: HEAD Handle: 2005120319083200 Modified files: openpkg-src/perl-wwwperl-www.spec Log: modifying package: perl-www-5.8.7 20051116 -> 20051203 Summary: RevisionChanges Path 1.248 +2 -2 openpkg-src/perl-www/perl-www.spec
patch -p0 <<'@@ .'
Index: openpkg-src/perl-www/perl-www.spec
$ cvs diff -u -r1.247 -r1.248 perl-www.spec
--- openpkg-src/perl-www/perl-www.spec16 Nov 2005 20:02:54 - 1.247
+++ openpkg-src/perl-www/perl-www.spec3 Dec 2005 19:08:32 - 1.248
@@ -54,7 +54,7 @@
 %define V_cgi_builder_session 1.26
 %define V_cgi_builder_htmltmpl 1.21
 %define V_cgi_builder_tt2 0.03
-%define V_cgi_ajax 0.654
+%define V_cgi_ajax 0.662
 %define V_fcgi 0.67
 %define V_rpc_xml 0.58
 %define V_soap_lite 0.60a
@@ -91,7 +91,7 @@
 Group:Language
 License: GPL/Artistic
 Version: %{V_perl}
-Release: 20051116
+Release: 20051203
 # list of sources
 Source0: http://www.cpan.org/modules/by-module/URI/URI-%{V_uri}.tar.gz
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/perl-util/ perl-util.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 20:07:57 Branch: HEAD Handle: 2005120319075600 Modified files: openpkg-src/perl-util perl-util.spec Log: modifying package: perl-util-5.8.7 20051201 -> 20051203 Summary: RevisionChanges Path 1.227 +2 -2 openpkg-src/perl-util/perl-util.spec
patch -p0 <<'@@ .'
Index: openpkg-src/perl-util/perl-util.spec
$ cvs diff -u -r1.226 -r1.227 perl-util.spec
--- openpkg-src/perl-util/perl-util.spec 1 Dec 2005 07:52:27 - 1.226
+++ openpkg-src/perl-util/perl-util.spec 3 Dec 2005 19:07:56 - 1.227
@@ -76,7 +76,7 @@
 %define V_regexp_keep 0.02
 %define V_regexp_parser0.20
 %define V_regexp_shellish 0.93
-%define V_regexp_assemble 0.21
+%define V_regexp_assemble 0.22
 %define V_contize 0.3
 %define V_memoize 1.01
 %define V_path_class 0.14
@@ -98,7 +98,7 @@
 Group:Language
 License: GPL/Artistic
 Version: %{V_perl}
-Release: 20051201
+Release: 20051203
 # list of sources
 Source0: http://www.cpan.org/modules/by-module/Test/Test-%{V_test}.tar.gz
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/perl-locale/ perl-locale.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 20:07:14 Branch: HEAD Handle: 2005120319071400 Modified files: openpkg-src/perl-locale perl-locale.spec Log: modifying package: perl-locale-5.8.7 20051201 -> 20051203 Summary: RevisionChanges Path 1.55+2 -2 openpkg-src/perl-locale/perl-locale.spec
patch -p0 <<'@@ .'
Index: openpkg-src/perl-locale/perl-locale.spec
$ cvs diff -u -r1.54 -r1.55 perl-locale.spec
--- openpkg-src/perl-locale/perl-locale.spec 1 Dec 2005 07:44:34 - 1.54
+++ openpkg-src/perl-locale/perl-locale.spec 3 Dec 2005 19:07:14 - 1.55
@@ -33,7 +33,7 @@
 %define V_locale_po0.16
 %define V_locale_maketext 1.10
 %define V_locale_maketext_fuzzy0.02
-%define V_locale_maketext_lexicon 0.50
+%define V_locale_maketext_lexicon 0.51
 %define V_locale_maketext_simple 0.12
 %define V_locale_codes 2.07
 %define V_locale_subcountry1.36
@@ -50,7 +50,7 @@
 Group:Language
 License: GPL/Artistic
 Version: %{V_perl}
-Release: 20051201
+Release: 20051203
 # list of sources
 Source0: http://www.cpan.org/modules/by-module/I18N/I18N-LangTags-%{V_i18n_langtags}.tar.gz
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/xpdf/ xpdf.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 20:07:06 Branch: HEAD Handle: 2005120319070500 Modified files: openpkg-src/xpdfxpdf.spec Log: upgrading package: xpdf 3.01pl0 -> 3.01pl1 Summary: RevisionChanges Path 1.18+4 -2 openpkg-src/xpdf/xpdf.spec
patch -p0 <<'@@ .'
Index: openpkg-src/xpdf/xpdf.spec
$ cvs diff -u -r1.17 -r1.18 xpdf.spec
--- openpkg-src/xpdf/xpdf.spec18 Aug 2005 07:05:29 - 1.17
+++ openpkg-src/xpdf/xpdf.spec3 Dec 2005 19:07:05 - 1.18
@@ -24,7 +24,7 @@
 # package version
 %define V_base 3.01
-%define V_patchlevel 0
+%define V_patchlevel 1
 # package information
 Name: xpdf
@@ -37,10 +37,11 @@
 Group:Graphics
 License: GPL
 Version: %{V_base}pl%{V_patchlevel}
-Release: 20050818
+Release: 20051203
 # list of sources
 Source0: ftp://ftp.foolabs.com/pub/xpdf/xpdf-%{V_base}.tar.gz
+Patch0: ftp://ftp.foolabs.com/pub/xpdf/xpdf-%{V_base}pl1.patch
 # build information
 Prefix: %{l_prefix}
@@ -70,6 +71,7 @@
 %prep
 %setup -q -n xpdf-%{V_base}
+%patch -p1
 %build
 CC="%{l_cc}" \
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
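Review bot: The added `Patch0:` line in the second hunk hard-codes `pl1` although this same commit sets `%define V_patchlevel 1`, so the next patchlevel bump has to be made in two places and can leave the old patch applied under a new `Version:`; `Patch0: ftp://ftp.foolabs.com/pub/xpdf/xpdf-%{V_base}pl%{V_patchlevel}.patch` keeps the two in step. The patch is also fetched over plain FTP and no digest or signature for it appears in these hunks, so unless the build tooling verifies sources somewhere outside this diff, the content that `%patch -p1` applies to the tree is not pinned. A comment next to `Patch0:` naming where the upstream checksum or signature is checked would make that auditable. The %prep section continues outside the third hunk.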
[CVS] OpenPKG: openpkg-src/vim/ vim.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 20:07:04 Branch: HEAD Handle: 2005120319070300 Modified files: openpkg-src/vim vim.spec Log: upgrading package: vim 6.4.3 -> 6.4.4 Summary: RevisionChanges Path 1.398 +3 -2 openpkg-src/vim/vim.spec
patch -p0 <<'@@ .'
Index: openpkg-src/vim/vim.spec
$ cvs diff -u -r1.397 -r1.398 vim.spec
--- openpkg-src/vim/vim.spec 1 Dec 2005 07:27:56 - 1.397
+++ openpkg-src/vim/vim.spec 3 Dec 2005 19:07:03 - 1.398
@@ -25,7 +25,7 @@
 # package versions
 %define V_vl 6.4
 %define V_vs 64
-%define V_pl 3
+%define V_pl 4
 # package information
 Name: vim
@@ -38,7 +38,7 @@
 Group:Editor
 License: Charityware
 Version: %{V_vl}.%{V_pl}
-Release: 20051201
+Release: 20051203
 # package options
 %option with_x11no
@@ -59,6 +59,7 @@
 Patch1: ftp://ftp.vim.org/pub/vim/patches/%{V_vl}/%{V_vl}.001
 Patch2: ftp://ftp.vim.org/pub/vim/patches/%{V_vl}/%{V_vl}.002
 Patch3: ftp://ftp.vim.org/pub/vim/patches/%{V_vl}/%{V_vl}.003
+Patch4: ftp://ftp.vim.org/pub/vim/patches/%{V_vl}/%{V_vl}.004
 # build information
 Prefix: %{l_prefix}
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
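Review bot: `Patch4:` is declared in the third hunk, but the diffstat (+3 -2) is fully accounted for by `V_pl`, `Release:` and this one line, so nothing in %prep changes with it. If %prep names patches individually rather than iterating up to `%{V_pl}`, 6.4.004 would be downloaded and never applied while `Version:` already reads 6.4.4. Presumably %prep loops over the patch numbers, but that section is outside the diff; a one-line comment above the `Patch` list such as `# all PatchN entries are applied in %prep` would let a reader confirm it from the spec alone.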
[CVS] OpenPKG: openpkg-src/whois/ whois.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 20:06:53 Branch: HEAD Handle: 2005120319065200 Modified files: openpkg-src/whois whois.spec Log: upgrading package: whois 4.7.9 -> 4.7.10 Summary: RevisionChanges Path 1.72+2 -2 openpkg-src/whois/whois.spec
patch -p0 <<'@@ .'
Index: openpkg-src/whois/whois.spec
$ cvs diff -u -r1.71 -r1.72 whois.spec
--- openpkg-src/whois/whois.spec 29 Nov 2005 15:40:03 - 1.71
+++ openpkg-src/whois/whois.spec 3 Dec 2005 19:06:52 - 1.72
@@ -32,8 +32,8 @@
 Class:BASE
 Group:DNS
 License: GPL
-Version: 4.7.9
-Release: 20051129
+Version: 4.7.10
+Release: 20051203
 # list of sources
 Source0: http://ftp.debian.org/debian/pool/main/w/whois/whois_%{version}.tar.gz
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/perl-dbi/ perl-dbi.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 20:00:50 Branch: HEAD Handle: 2005120319004900 Modified files: openpkg-src/perl-dbiperl-dbi.spec Log: modifying package: perl-dbi-5.8.7 20051201 -> 20051203 Summary: RevisionChanges Path 1.182 +2 -2 openpkg-src/perl-dbi/perl-dbi.spec
patch -p0 <<'@@ .'
Index: openpkg-src/perl-dbi/perl-dbi.spec
$ cvs diff -u -r1.181 -r1.182 perl-dbi.spec
--- openpkg-src/perl-dbi/perl-dbi.spec1 Dec 2005 07:43:35 - 1.181
+++ openpkg-src/perl-dbi/perl-dbi.spec3 Dec 2005 19:00:49 - 1.182
@@ -34,7 +34,7 @@
 %define V_dbd_anydata 0.08
 %define V_dbd_csv 0.22
 %define V_dbd_sprite 0.56
-%define V_dbd_sqlite 1.09
+%define V_dbd_sqlite 1.11
 %define V_dbd_mysql 3.0002
 %define V_dbd_pgsql 1.43
 %define V_dbd_oracle 1.16
@@ -52,7 +52,7 @@
 Group:Language
 License: GPL/Artistic
 Version: %{V_perl}
-Release: 20051201
+Release: 20051203
 # package options
 %option with_dbd_sqlite no
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/j2se/ j2se.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 19:57:40 Branch: HEAD Handle: 2005120318574000 Modified files: openpkg-src/j2sej2se.spec Log: upgrading package: j2se 1.5.0.05 -> 1.5.0.06 Summary: RevisionChanges Path 1.62+4 -4 openpkg-src/j2se/j2se.spec
patch -p0 <<'@@ .'
Index: openpkg-src/j2se/j2se.spec
$ cvs diff -u -r1.61 -r1.62 j2se.spec
--- openpkg-src/j2se/j2se.spec16 Sep 2005 19:17:48 - 1.61
+++ openpkg-src/j2se/j2se.spec3 Dec 2005 18:57:40 - 1.62
@@ -23,9 +23,9 @@
 ##
 # package versions
-%define V_openpkg 1.5.0.05
-%define V_sunjava 1_5_0_05
-%define V_filesys 1.5.0_05
+%define V_openpkg 1.5.0.06
+%define V_sunjava 1_5_0_06
+%define V_filesys 1.5.0_06
 %define V_sunsupp 1_5_0
 %define V_basever 1.5.0
@@ -40,7 +40,7 @@
 Group:Language
 License: Commercial
 Version: %{V_openpkg}
-Release: 20050916
+Release: 20051203
 # package options
 %option with_demo no
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/lftp/ lftp.patch lftp.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 19:50:35 Branch: HEAD Handle: 2005120318503500 Modified files: openpkg-src/lftplftp.patch lftp.spec Log: upgrading package: lftp 3.3.4 -> 3.3.5 Summary: RevisionChanges Path 1.6 +5 -5 openpkg-src/lftp/lftp.patch 1.88+2 -2 openpkg-src/lftp/lftp.spec patch -p0 <<'@@ .' Index: openpkg-src/lftp/lftp.patch $ cvs diff -u -r1.5 -r1.6 lftp.patch --- openpkg-src/lftp/lftp.patch 13 Jun 2005 12:47:12 - 1.5 +++ openpkg-src/lftp/lftp.patch 3 Dec 2005 18:50:35 - 1.6 @@ -1,6 +1,6 @@ Index: src/lftp_tinfo.cc src/lftp_tinfo.cc.orig 2002-12-18 09:52:20 +0100 -+++ src/lftp_tinfo.cc2005-06-13 12:05:39 +0200 +--- src/lftp_tinfo.cc.orig 2005-12-02 07:25:05 +0100 src/lftp_tinfo.cc2005-12-03 19:39:27 +0100 @@ -23,20 +23,20 @@ #include @@ -14,7 +14,7 @@ -# endif -#elif defined(HAVE_NCURSES_CURSES_H) +#if defined(HAVE_NCURSES_CURSES_H) - #include + # include # if defined(HAVE_NCURSES_TERM_H) # include # elif defined(HAVE_TERM_H) @@ -27,6 +27,6 @@ +# elif defined(HAVE_NCURSES_TERM_H) +# include +# endif + #elif defined(HAVE_TERMCAP_H) + # include #endif - } - @@ . patch -p0 <<'@@ .' Index: openpkg-src/lftp/lftp.spec $ cvs diff -u -r1.87 -r1.88 lftp.spec --- openpkg-src/lftp/lftp.spec18 Nov 2005 06:38:11 - 1.87 +++ openpkg-src/lftp/lftp.spec3 Dec 2005 18:50:35 - 1.88 @@ -32,8 +32,8 @@ Class:BASE Group:FTP License: GPL -Version: 3.3.4 -Release: 20051118 +Version: 3.3.5 +Release: 20051203 # list of sources Source0: http://ftp.yars.free.net/pub/source/lftp/lftp-%{version}.tar.bz2 @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/dhtml/ dhtml.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 19:38:17 Branch: HEAD Handle: 2005120318381600 Modified files: openpkg-src/dhtml dhtml.spec Log: upgrading package: dhtml 20051201 -> 20051203 Summary: RevisionChanges Path 1.7 +3 -3 openpkg-src/dhtml/dhtml.spec
patch -p0 <<'@@ .'
Index: openpkg-src/dhtml/dhtml.spec
$ cvs diff -u -r1.6 -r1.7 dhtml.spec
--- openpkg-src/dhtml/dhtml.spec 1 Dec 2005 20:28:05 - 1.6
+++ openpkg-src/dhtml/dhtml.spec 3 Dec 2005 18:38:16 - 1.7
@@ -29,7 +29,7 @@
 %define V_mktree20051017
 %define V_dol 20050215
 %define V_ie7 0_9
-%define V_tinymce 2_0RC4
+%define V_tinymce 2_0_1
 %define V_os3grid 0.6
 %define V_toolman 0.2
 %define V_behaviour 1.1
@@ -44,8 +44,8 @@
 Class:EVAL
 Group:Web
 License: Open Source
-Version: 20051201
-Release: 20051201
+Version: 20051203
+Release: 20051203
 # list of sources
 Source0: http://prototype.conio.net/dist/prototype-%{V_prototype}.tar.gz
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/bittorrent/ bittorrent.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 19:37:05 Branch: HEAD Handle: 2005120318370400 Modified files: openpkg-src/bittorrent bittorrent.spec Log: upgrading package: bittorrent 4.2.0 -> 4.3.0 Summary: RevisionChanges Path 1.20+2 -2 openpkg-src/bittorrent/bittorrent.spec
patch -p0 <<'@@ .'
Index: openpkg-src/bittorrent/bittorrent.spec
$ cvs diff -u -r1.19 -r1.20 bittorrent.spec
--- openpkg-src/bittorrent/bittorrent.spec22 Nov 2005 08:15:34 - 1.19
+++ openpkg-src/bittorrent/bittorrent.spec3 Dec 2005 18:37:04 - 1.20
@@ -32,8 +32,8 @@
 Class:PLUS
 Group:Network
 License: MIT-style
-Version: 4.2.0
-Release: 20051122
+Version: 4.3.0
+Release: 20051203
 # list of sources
 Source0: http://www.bittorrent.com/dl/BitTorrent-%{version}.tar.gz
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/libidn/ libidn.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 19:35:21 Branch: HEAD Handle: 2005120318352100 Modified files: openpkg-src/libidn libidn.spec Log: upgrading package: libidn 0.5.20 -> 0.6.0 Summary: RevisionChanges Path 1.24+2 -2 openpkg-src/libidn/libidn.spec
patch -p0 <<'@@ .'
Index: openpkg-src/libidn/libidn.spec
$ cvs diff -u -r1.23 -r1.24 libidn.spec
--- openpkg-src/libidn/libidn.spec24 Oct 2005 13:01:57 - 1.23
+++ openpkg-src/libidn/libidn.spec3 Dec 2005 18:35:21 - 1.24
@@ -32,8 +32,8 @@
 Class:BASE
 Group:DNS
 License: LGPL
-Version: 0.5.20
-Release: 20051024
+Version: 0.6.0
+Release: 20051203
 # list of sources
 Source0: http://josefsson.org/libidn/releases/libidn-%{version}.tar.gz
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/ security.txt security.wml
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 03-Dec-2005 19:22:15 Branch: HEAD Handle: 2005120318221500 Modified files: openpkg-web security.txt security.wml Log: link PHP SA into website Summary: RevisionChanges Path 1.117 +2 -0 openpkg-web/security.txt 1.146 +2 -0 openpkg-web/security.wml
patch -p0 <<'@@ .'
Index: openpkg-web/security.txt
$ cvs diff -u -r1.116 -r1.117 security.txt
--- openpkg-web/security.txt 3 Dec 2005 13:24:39 - 1.116
+++ openpkg-web/security.txt 3 Dec 2005 18:22:15 - 1.117
@@ -1,3 +1,5 @@
+03-Dec-2005: Security Advisory: S
+03-Dec-2005: Security Advisory: S
 03-Dec-2005: Security Advisory: S
 03-Dec-2005: Security Advisory: S
 02-Nov-2005: Security Advisory: S
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security.wml
$ cvs diff -u -r1.145 -r1.146 security.wml
--- openpkg-web/security.wml 3 Dec 2005 13:24:39 - 1.145
+++ openpkg-web/security.wml 3 Dec 2005 18:22:15 - 1.146
@@ -90,6 +90,8 @@
+
+
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.027-php.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 03-Dec-2005 19:21:40 Branch: HEAD Handle: 2005120318213900 Added files: openpkg-web/securityOpenPKG-SA-2005.027-php.txt Log: release OpenPKG Security Advisory 2005.027 (php) Summary: RevisionChanges Path 1.1 +90 -0 openpkg-web/security/OpenPKG-SA-2005.027-php.txt
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2005.027-php.txt
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.027-php.txt
--- /dev/null 2005-12-03 19:21:35 +0100
+++ OpenPKG-SA-2005.027-php.txt 2005-12-03 19:21:39 +0100
@@ -0,0 +1,90 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.027 03-Dec-2005 + + +Package: php +Vulnerability: multiple ones +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= php-4.4.0-20051004 >= php-4.4.1-20051031 +OpenPKG 2.5 <= php-4.4.0-2.5.1 >= php-4.4.0-2.5.2 + <= apache-1.3.33-2.5.3 >= apache-1.3.33-2.5.4 +OpenPKG 2.4 <= php-4.3.11-2.4.1 >= php-4.3.11-2.4.2 + <= apache-1.3.33-2.4.3 >= apache-1.3.33-2.4.4 +OpenPKG 2.3 <= php-4.3.10-2.3.3 >= php-4.3.10-2.3.4 + <= apache-1.3.33-2.3.5 >= apache-1.3.33-2.3.6 + +Description: + Multiple vulnerabilities were recently found in the PHP [1] web + scripting language: + + 1. The "exif_read_data" function in the EXIF module in PHP before + 4.4.1 allows remote attackers to cause a Denial of Service (DoS) + through an infinite recursion via a malformed JPEG image. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CVE-2005-3353 [2] to the problem. + + 2. A Cross-Site Scripting (XSS) vulnerability in the "phpinfo" + function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote + attackers to inject arbitrary web script or HTML via a crafted URL + with a "stacked array assignment". The Common Vulnerabilities and + Exposures (CVE) project assigned the id CVE-2005-3388 [3] to the + problem. + + 3. The "parse_str" function in PHP 4.x up to 4.4.0 and 5.x up to + 5.0.5, when called with only one parameter, allows remote attackers + to enable the "register_globals" directive via inputs that cause a + request to be terminated due to the "memory_limit" setting, which + causes PHP to set an internal flag that enables "register_globals" and + allows attackers to exploit vulnerabilities in PHP applications that + would otherwise be protected. 
The Common Vulnerabilities and Exposures + (CVE) project assigned the id CVE-2005-3389 [4] to the problem. + + 4. The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up + to 5.0.5, when "register_globals" is enabled, allows remote attackers + to modify the "GLOBALS" array and bypass security protections of PHP + applications via a "multipart/form-data" POST request with a "GLOBALS" + "fileupload" field. The Common Vulnerabilities and Exposures (CVE) + project assigned the id CVE-2005-3390 [5] to the problem. + + 5. Multiple vulnerabilities in PHP before 4.4.1 allow remote + attackers to bypass "safe_mode" and "open_basedir" restrictions + via unknown attack vectors in the "curl" and "gd" extensions. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CVE-2005-3391 [6] to the problem. + + 6. The additionally discovered issue CVE-2005-3392 doesn't affect PHP + under the OpenPKG platforms. + + +References: + [1] http://www.php.net/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3353 + [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388 + [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389 + [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390 + [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3391 +___
[CVS] OpenPKG: OPENPKG_2_3_SOLID: openpkg-src/apache/ apache.patch.php...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 19:16:15 Branch: OPENPKG_2_3_SOLIDHandle: 2005120318161400 Modified files: (Branch: OPENPKG_2_3_SOLID) openpkg-src/apache apache.patch.php apache.spec Log: Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391) Summary: RevisionChanges Path 1.4.2.1 +228 -0 openpkg-src/apache/apache.patch.php 1.285.2.7 +1 -1 openpkg-src/apache/apache.spec
patch -p0 <<'@@ .'
Index: openpkg-src/apache/apache.patch.php
$ cvs diff -u -r1.4 -r1.4.2.1 apache.patch.php
--- openpkg-src/apache/apache.patch.php 6 Feb 2005 13:50:04 - 1.4
+++ openpkg-src/apache/apache.patch.php 3 Dec 2005 18:16:14 - 1.4.2.1
@@ -81,3 +81,231 @@ #define u_int32_t uint32_t #endif +- + +Security Fix (CVE-2005-3353) + +Index: ext/exif/exif.c +--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100 ext/exif/exif.c 2005-12-03 17:41:40 +0100 +@@ -3014,6 +3014,12 @@ + } + } + /* ++ * Ignore IFD2 if it purportedly exists ++ */ ++if (section_index == SECTION_THUMBNAIL) { ++return TRUE; ++} ++/* + * Hack to make it process IDF1 I hope + * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail + */ + +- + +Security Fix (CVE-2005-3388) + +Index: ext/standard/info.c +--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200 ext/standard/info.c 2005-12-03 17:42:11 +0100 +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++zval *tmp3; ++MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } ++php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++php_ob_get_buffer(tmp3 TSRMLS_CC); ++php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++PUTS(elem_esc); ++efree(elem_esc); ++zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +-return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + + +- + +Security Fix (CVE-2005-3389) + +Index: ext/standard/string.c +--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200 ext/standard/string.c2005-12-03 17:43:25 +0100 +@@ -3179,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +-int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3192,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +-old_rg = PG(register_globals); + 
if (argCount == 1) { +-PG(register_globals) = 1; +-sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++zval tmp; ++Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +-PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +-PG(
[CVS] OpenPKG: OPENPKG_2_4_SOLID: openpkg-src/apache/ apache.patch.php...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 18:52:22 Branch: OPENPKG_2_4_SOLIDHandle: 2005120317522100 Modified files: (Branch: OPENPKG_2_4_SOLID) openpkg-src/apache apache.patch.php apache.spec Log: Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391) Summary: RevisionChanges Path 1.5.2.1 +266 -0 openpkg-src/apache/apache.patch.php 1.297.2.5 +1 -1 openpkg-src/apache/apache.spec
patch -p0 <<'@@ .'
Index: openpkg-src/apache/apache.patch.php
$ cvs diff -u -r1.5 -r1.5.2.1 apache.patch.php
--- openpkg-src/apache/apache.patch.php 1 Apr 2005 06:20:27 - 1.5
+++ openpkg-src/apache/apache.patch.php 3 Dec 2005 17:52:21 - 1.5.2.1
@@ -60,3 +60,269 @@ } else { PDF_open_mem(pdf, pdf_flushwrite); } + +- + +Security Fix (CAN-2005-3054) + +Index: main/fopen_wrappers.c +--- main/fopen_wrappers.c.orig 2005-02-03 00:44:07 +0100 main/fopen_wrappers.c2005-10-04 21:52:15 +0200 +@@ -120,8 +120,8 @@ + /* Handler for basedirs that end with a / */ + resolved_basedir_len = strlen(resolved_basedir); + if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) { +-if (resolved_basedir[resolved_basedir_len - 1] == '/') { +-resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR; ++if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) { ++resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR; + resolved_basedir[++resolved_basedir_len] = '\0'; + } + } + +- + +Security Fix (CVE-2005-3353) + +Index: ext/exif/exif.c +--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100 ext/exif/exif.c 2005-12-03 17:41:40 +0100 +@@ -3014,6 +3014,12 @@ + } + } + /* ++ * Ignore IFD2 if it purportedly exists ++ */ ++if (section_index == SECTION_THUMBNAIL) { ++return TRUE; ++} ++/* + * Hack to make it process IDF1 I hope + * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail + */ + +- + +Security Fix (CVE-2005-3388) + +Index: ext/standard/info.c +--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200 ext/standard/info.c 2005-12-03 17:42:11 +0100 +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++zval *tmp3; ++MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } ++php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++php_ob_get_buffer(tmp3 TSRMLS_CC); ++php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++PUTS(elem_esc); ++efree(elem_esc); ++zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +-return php_escape_html_entities(string, 
strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + + +- + +Security Fix (CVE-2005-3389) + +Index: ext/standard/string.c +--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200 ext/standard/string.c2005-12-03 17:43:25 +0100 +@@
[CVS] OpenPKG: OPENPKG_2_5_SOLID: openpkg-src/apache/ apache.patch.php...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 18:49:08 Branch: OPENPKG_2_5_SOLIDHandle: 2005120317490701 Modified files: (Branch: OPENPKG_2_5_SOLID) openpkg-src/apache apache.patch.php apache.spec Log: Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391) Summary: RevisionChanges Path 1.5.4.1 +266 -0 openpkg-src/apache/apache.patch.php 1.308.2.5 +1 -1 openpkg-src/apache/apache.spec
patch -p0 <<'@@ .'
Index: openpkg-src/apache/apache.patch.php
$ cvs diff -u -r1.5 -r1.5.4.1 apache.patch.php
--- openpkg-src/apache/apache.patch.php 1 Apr 2005 06:20:27 - 1.5
+++ openpkg-src/apache/apache.patch.php 3 Dec 2005 17:49:07 - 1.5.4.1
@@ -60,3 +60,269 @@ } else { PDF_open_mem(pdf, pdf_flushwrite); } + +- + +Security Fix (CAN-2005-3054) + +Index: main/fopen_wrappers.c +--- main/fopen_wrappers.c.orig 2005-02-03 00:44:07 +0100 main/fopen_wrappers.c2005-10-04 21:52:15 +0200 +@@ -120,8 +120,8 @@ + /* Handler for basedirs that end with a / */ + resolved_basedir_len = strlen(resolved_basedir); + if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) { +-if (resolved_basedir[resolved_basedir_len - 1] == '/') { +-resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR; ++if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) { ++resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR; + resolved_basedir[++resolved_basedir_len] = '\0'; + } + } + +- + +Security Fix (CVE-2005-3353) + +Index: ext/exif/exif.c +--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100 ext/exif/exif.c 2005-12-03 17:41:40 +0100 +@@ -3014,6 +3014,12 @@ + } + } + /* ++ * Ignore IFD2 if it purportedly exists ++ */ ++if (section_index == SECTION_THUMBNAIL) { ++return TRUE; ++} ++/* + * Hack to make it process IDF1 I hope + * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail + */ + +- + +Security Fix (CVE-2005-3388) + +Index: ext/standard/info.c +--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200 ext/standard/info.c 2005-12-03 17:42:11 +0100 +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++zval *tmp3; ++MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } ++php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++php_ob_get_buffer(tmp3 TSRMLS_CC); ++php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++PUTS(elem_esc); ++efree(elem_esc); ++zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +-return php_escape_html_entities(string, 
strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + + +- + +Security Fix (CVE-2005-3389) + +Index: ext/standard/string.c +--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200 ext/standard/string.c2005-12-03 17:43:25 +0100 +@@
[CVS] OpenPKG: OPENPKG_2_3_SOLID: openpkg-src/php/ php.patch php.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 18:16:50 Branch: OPENPKG_2_3_SOLIDHandle: 2005120317165000 Modified files: (Branch: OPENPKG_2_3_SOLID) openpkg-src/php php.patch php.spec Log: Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391) Summary: RevisionChanges Path 1.9.2.2 +229 -0 openpkg-src/php/php.patch 1.103.2.5 +1 -1 openpkg-src/php/php.spec
patch -p0 <<'@@ .'
Index: openpkg-src/php/php.patch
$ cvs diff -u -r1.9.2.1 -r1.9.2.2 php.patch
--- openpkg-src/php/php.patch 4 Oct 2005 20:00:38 - 1.9.2.1
+++ openpkg-src/php/php.patch 3 Dec 2005 17:16:50 - 1.9.2.2
@@ -128,3 +128,232 @@ resolved_basedir[++resolved_basedir_len] = '\0'; } } + +- + +Security Fix (CVE-2005-3353) + +Index: ext/exif/exif.c +--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100 ext/exif/exif.c 2005-12-03 17:41:40 +0100 +@@ -3014,6 +3014,12 @@ + } + } + /* ++ * Ignore IFD2 if it purportedly exists ++ */ ++if (section_index == SECTION_THUMBNAIL) { ++return TRUE; ++} ++/* + * Hack to make it process IDF1 I hope + * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail + */ + +- + +Security Fix (CVE-2005-3388) + +Index: ext/standard/info.c +--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200 ext/standard/info.c 2005-12-03 17:42:11 +0100 +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++zval *tmp3; ++MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } ++php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++php_ob_get_buffer(tmp3 TSRMLS_CC); ++php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++PUTS(elem_esc); ++efree(elem_esc); ++zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +-return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + + +- + +Security Fix (CVE-2005-3389) + +Index: ext/standard/string.c +--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200 ext/standard/string.c2005-12-03 17:43:25 +0100 +@@ -3179,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +-int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3192,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +-old_rg = 
PG(register_globals); + if (argCount == 1) { +-PG(register_globals) = 1; +-sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++zval tmp; ++Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +-PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); +
[CVS] OpenPKG: OPENPKG_2_4_SOLID: openpkg-src/php/ php.patch php.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 18:09:54 Branch: OPENPKG_2_4_SOLIDHandle: 2005120317095300 Modified files: (Branch: OPENPKG_2_4_SOLID) openpkg-src/php php.patch php.spec Log: Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391) Summary: RevisionChanges Path 1.10.2.2+247 -0 openpkg-src/php/php.patch 1.109.2.3 +1 -1 openpkg-src/php/php.spec patch -p0 <<'@@ .' Index: openpkg-src/php/php.patch $ cvs diff -u -r1.10.2.1 -r1.10.2.2 php.patch --- openpkg-src/php/php.patch 4 Oct 2005 19:57:35 - 1.10.2.1 +++ openpkg-src/php/php.patch 3 Dec 2005 17:09:53 - 1.10.2.2 
@@ -108,3 +108,250 @@ resolved_basedir[++resolved_basedir_len] = '\0'; } } + +- + +Security Fix (CVE-2005-3353) + +Index: ext/exif/exif.c +--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100 ext/exif/exif.c 2005-12-03 17:41:40 +0100 +@@ -3014,6 +3014,12 @@ + } + } + /* ++ * Ignore IFD2 if it purportedly exists ++ */ ++if (section_index == SECTION_THUMBNAIL) { ++return TRUE; ++} ++/* + * Hack to make it process IDF1 I hope + * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail + */ + +- + +Security Fix (CVE-2005-3388) + +Index: ext/standard/info.c +--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200 ext/standard/info.c 2005-12-03 17:42:11 +0100 +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++zval *tmp3; ++MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } ++php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++php_ob_get_buffer(tmp3 TSRMLS_CC); ++php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++PUTS(elem_esc); ++efree(elem_esc); ++zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +-return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + + +- + +Security Fix (CVE-2005-3389) + +Index: ext/standard/string.c +--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200 ext/standard/string.c2005-12-03 17:43:25 +0100 +@@ -3179,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +-int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3192,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +-old_rg = 
PG(register_globals); + if (argCount == 1) { +-PG(register_globals) = 1; +-sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++zval tmp; ++Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +-PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
[CVS] OpenPKG: OPENPKG_2_5_SOLID: openpkg-src/php/ php.patch php.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 18:04:18 Branch: OPENPKG_2_5_SOLIDHandle: 2005120317041601 Modified files: (Branch: OPENPKG_2_5_SOLID) openpkg-src/php php.patch php.spec Log: Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391) Summary: RevisionChanges Path 1.11.2.1+247 -0 openpkg-src/php/php.patch 1.112.2.3 +1 -1 openpkg-src/php/php.spec patch -p0 <<'@@ .' Index: openpkg-src/php/php.patch $ cvs diff -u -r1.11 -r1.11.2.1 php.patch --- openpkg-src/php/php.patch 4 Oct 2005 19:54:54 - 1.11 +++ openpkg-src/php/php.patch 3 Dec 2005 17:04:16 - 1.11.2.1 
@@ -108,3 +108,250 @@ resolved_basedir[++resolved_basedir_len] = '\0'; } } + +- + +Security Fix (CVE-2005-3353) + +Index: ext/exif/exif.c +--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100 ext/exif/exif.c 2005-12-03 17:41:40 +0100 +@@ -3014,6 +3014,12 @@ + } + } + /* ++ * Ignore IFD2 if it purportedly exists ++ */ ++if (section_index == SECTION_THUMBNAIL) { ++return TRUE; ++} ++/* + * Hack to make it process IDF1 I hope + * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail + */ + +- + +Security Fix (CVE-2005-3388) + +Index: ext/standard/info.c +--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200 ext/standard/info.c 2005-12-03 17:42:11 +0100 +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++zval *tmp3; ++MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } ++php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++php_ob_get_buffer(tmp3 TSRMLS_CC); ++php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++PUTS(elem_esc); ++efree(elem_esc); ++zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS(""); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +-return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + + +- + +Security Fix (CVE-2005-3389) + +Index: ext/standard/string.c +--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200 ext/standard/string.c2005-12-03 17:43:25 +0100 +@@ -3179,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +-int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3192,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +-old_rg = 
PG(register_globals); + if (argCount == 1) { +-PG(register_globals) = 1; +-sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++zval tmp; ++Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +-PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + }
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.026-lynx.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 03-Dec-2005 15:22:58 Branch: HEAD Handle: 2005120314225800 Added files: openpkg-web/securityOpenPKG-SA-2005.026-lynx.txt Log: release OpenPKG Security Advisory 2005.026 (lynx) Summary: RevisionChanges Path 1.1 +61 -0 openpkg-web/security/OpenPKG-SA-2005.026-lynx.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.026-lynx.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.026-lynx.txt --- /dev/null 2005-12-03 15:22:53 +0100 +++ OpenPKG-SA-2005.026-lynx.txt 2005-12-03 15:22:58 +0100 
@@ -0,0 +1,61 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.026 03-Dec-2005 + + +Package: lynx +Vulnerability: command injection +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= lynx-2.8.5-20051030 >= lynx-2.8.5.5-20051203 +OpenPKG 2.5 <= lynx-2.8.5-2.5.0 >= lynx-2.8.5-2.5.1 +OpenPKG 2.4 <= lynx-2.8.5-2.4.0 >= lynx-2.8.5-2.4.1 +OpenPKG 2.3 <= lynx-2.8.5-2.3.0 >= lynx-2.8.5-2.3.1 + +Description: + According to a iDEFENSE security advisory [0], a command injection + vulnerability exists in the Lynx [2] WWW textual client. The + vulnerability could allow attackers to execute arbitrary commands + with the privileges of the underlying user. The problem specifically + exists within the feature to execute local "cgi-bin" programs via the + "lynxcgi:" URI handler. The Common Vulnerabilities and Exposures (CVE) + project assigned the id CVE-2005-2929 [3] to the problem. + + Additionally, according to a security advisory from Ulf Harnhammar + [1], a stack-based buffer overflow in the "HTrjis" function in Lynx + allows remote NNTP servers to execute arbitrary code via certain + article headers containing Asian characters that cause Lynx to + add extra escape (ESC) characters. The Common Vulnerabilities and + Exposures (CVE) project assigned the id CVE-2005-3120 [4] to the + problem. 
+ + +References: + [0] http://www.idefense.com/application/poi/display?id=338 + [1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html + [2] http://lynx.isc.org/ + [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2929 + [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120 + + +For security reasons, this advisory was digitally signed with the +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the +OpenPKG project which you can retrieve from http://pgp.openpkg.org and +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ +for details on how to verify the integrity of this advisory. + + +-BEGIN PGP SIGNATURE- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQFDkaokgHWT4GPEy58RAnurAJ9k6+9V7BtgDG6PmJ4FXgV8+urLYQCgueUG +XQSysqWKUgxnq/NW+k/BQ3A= +=x+XU +-END PGP SIGNATURE- @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: OPENPKG_2_3_SOLID: openpkg-src/lynx/ lynx.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 15:12:48 Branch: OPENPKG_2_3_SOLIDHandle: 2005120314124700 Modified files: (Branch: OPENPKG_2_3_SOLID) openpkg-src/lynxlynx.spec Log: Security Fixes (CVE-2005-2929 CAN-2005-3120) Summary: RevisionChanges Path 1.32.2.2+6 -1 openpkg-src/lynx/lynx.spec patch -p0 <<'@@ .' Index: openpkg-src/lynx/lynx.spec $ cvs diff -u -r1.32.2.1 -r1.32.2.2 lynx.spec --- openpkg-src/lynx/lynx.spec21 Feb 2005 17:07:31 - 1.32.2.1 +++ openpkg-src/lynx/lynx.spec3 Dec 2005 14:12:47 - 1.32.2.2 @@ -38,11 +38,15 @@ Group:Web License: BSD Version: %{V_real} -Release: 2.3.0 +Release: 2.3.1 # list of sources Source0: http://lynx.isc.org/release/lynx%{V_real}.tar.bz2 Patch0: lynx.patch +Patch1: http://lynx.isc.org/release/patches/%{V_real}rel.2.patch.gz +Patch2: http://lynx.isc.org/release/patches/%{V_real}rel.3.patch.gz +Patch3: http://lynx.isc.org/release/patches/%{V_real}rel.4.patch.gz +Patch4: http://lynx.isc.org/release/patches/%{V_real}rel.5.patch.gz # build information Prefix: %{l_prefix} @@ -67,6 +71,7 @@ %prep %setup -q -n lynx%{V_file} %patch -p0 +%patch -p1 -P 1 2 3 4 %build CC="%{l_cc}" \ @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
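Review bot: The four added `Patch1` to `Patch4` sources are security fixes fetched over plain `http://`, and the spec shows no digest or signature for them, so the build trusts whatever the mirror or the network path returns. Where the packaging tool supports it, pin each file to a recorded checksum or verify an upstream signature before `%patch -p1 -P 1 2 3 4` applies them; whether OpenPKG checks integrity elsewhere is not visible on this page. The patch levels `rel.2` to `rel.5` are also hard-coded, so a later upstream patch level needs both a new `PatchN:` line and a new `-P` entry. The same change is made in the OPENPKG_2_4_SOLID, OPENPKG_2_5_SOLID and HEAD commits that follow.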
[CVS] OpenPKG: OPENPKG_2_4_SOLID: openpkg-src/lynx/ lynx.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 15:11:42 Branch: OPENPKG_2_4_SOLIDHandle: 2005120314114100 Modified files: (Branch: OPENPKG_2_4_SOLID) openpkg-src/lynxlynx.spec Log: Security Fixes (CVE-2005-2929 CAN-2005-3120) Summary: RevisionChanges Path 1.34.2.2+6 -1 openpkg-src/lynx/lynx.spec patch -p0 <<'@@ .' Index: openpkg-src/lynx/lynx.spec $ cvs diff -u -r1.34.2.1 -r1.34.2.2 lynx.spec --- openpkg-src/lynx/lynx.spec15 Jun 2005 19:00:27 - 1.34.2.1 +++ openpkg-src/lynx/lynx.spec3 Dec 2005 14:11:41 - 1.34.2.2 @@ -37,11 +37,15 @@ Group:Web License: BSD Version: %{V_real} -Release: 2.4.0 +Release: 2.4.1 # list of sources Source0: http://lynx.isc.org/release/lynx%{V_real}.tar.bz2 Patch0: lynx.patch +Patch1: http://lynx.isc.org/release/patches/%{V_real}rel.2.patch.gz +Patch2: http://lynx.isc.org/release/patches/%{V_real}rel.3.patch.gz +Patch3: http://lynx.isc.org/release/patches/%{V_real}rel.4.patch.gz +Patch4: http://lynx.isc.org/release/patches/%{V_real}rel.5.patch.gz # build information Prefix: %{l_prefix} @@ -66,6 +70,7 @@ %prep %setup -q -n lynx%{V_file} %patch -p0 +%patch -p1 -P 1 2 3 4 %build CC="%{l_cc}" \ @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: OPENPKG_2_5_SOLID: openpkg-src/lynx/ lynx.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 15:10:34 Branch: OPENPKG_2_5_SOLIDHandle: 2005120314103300 Modified files: (Branch: OPENPKG_2_5_SOLID) openpkg-src/lynxlynx.spec Log: Security Fixes (CVE-2005-2929 CAN-2005-3120) Summary: RevisionChanges Path 1.34.4.2+6 -1 openpkg-src/lynx/lynx.spec patch -p0 <<'@@ .' Index: openpkg-src/lynx/lynx.spec $ cvs diff -u -r1.34.4.1 -r1.34.4.2 lynx.spec --- openpkg-src/lynx/lynx.spec11 Oct 2005 12:50:44 - 1.34.4.1 +++ openpkg-src/lynx/lynx.spec3 Dec 2005 14:10:33 - 1.34.4.2 @@ -37,11 +37,15 @@ Group:Web License: BSD Version: %{V_real} -Release: 2.5.0 +Release: 2.5.1 # list of sources Source0: http://lynx.isc.org/release/lynx%{V_real}.tar.bz2 Patch0: lynx.patch +Patch1: http://lynx.isc.org/release/patches/%{V_real}rel.2.patch.gz +Patch2: http://lynx.isc.org/release/patches/%{V_real}rel.3.patch.gz +Patch3: http://lynx.isc.org/release/patches/%{V_real}rel.4.patch.gz +Patch4: http://lynx.isc.org/release/patches/%{V_real}rel.5.patch.gz # build information Prefix: %{l_prefix} @@ -66,6 +70,7 @@ %prep %setup -q -n lynx%{V_file} %patch -p0 +%patch -p1 -P 1 2 3 4 %build CC="%{l_cc}" \ @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/lynx/ lynx.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 15:08:33 Branch: HEAD Handle: 2005120314083200 Modified files: openpkg-src/lynxlynx.spec Log: Security Fixes (CVE-2005-2929 CAN-2005-3120) Summary: RevisionChanges Path 1.36+13 -2 openpkg-src/lynx/lynx.spec patch -p0 <<'@@ .' Index: openpkg-src/lynx/lynx.spec $ cvs diff -u -r1.35 -r1.36 lynx.spec --- openpkg-src/lynx/lynx.spec30 Oct 2005 09:01:23 - 1.35 +++ openpkg-src/lynx/lynx.spec3 Dec 2005 14:08:32 - 1.36 @@ -25,6 +25,7 @@ # package version %define V_file 2-8-5 %define V_real 2.8.5 +%define V_pl 5 # package information Name: lynx @@ -36,12 +37,16 @@ Class:BASE Group:Web License: BSD -Version: %{V_real} -Release: 20051030 +Version: %{V_real}.%{V_pl} +Release: 20051203 # list of sources Source0: http://lynx.isc.org/release/lynx%{V_real}.tar.bz2 Patch0: lynx.patch +Patch1: http://lynx.isc.org/release/patches/%{V_real}rel.2.patch.gz +Patch2: http://lynx.isc.org/release/patches/%{V_real}rel.3.patch.gz +Patch3: http://lynx.isc.org/release/patches/%{V_real}rel.4.patch.gz +Patch4: http://lynx.isc.org/release/patches/%{V_real}rel.5.patch.gz # build information Prefix: %{l_prefix} @@ -62,10 +67,16 @@ url = http://lynx.isc.org/release/ regex = lynx(__VER__)\.tar\.bz2 } +prog lynx:patch = { +version = %{V_pl} +url = http://lynx.isc.org/release/patches/ +regex = __VER__rel\.(\d+)\.patch\.gz +} %prep %setup -q -n lynx%{V_file} %patch -p0 +%patch -p1 -P 1 2 3 4 %build CC="%{l_cc}" \ @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/ security.txt security.wml
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 03-Dec-2005 14:24:40 Branch: HEAD Handle: 2005120313243900 Modified files: openpkg-web security.txt security.wml Log: add Perl SA to website Summary: RevisionChanges Path 1.116 +2 -1 openpkg-web/security.txt 1.145 +1 -0 openpkg-web/security.wml patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.115 -r1.116 security.txt --- openpkg-web/security.txt 3 Dec 2005 12:38:22 - 1.115 +++ openpkg-web/security.txt 3 Dec 2005 13:24:39 - 1.116 @@ -1,4 +1,5 @@ -03-Dec-2005: Security Advisory: S +03-Dec-2005: Security Advisory: S +03-Dec-2005: Security Advisory: S 02-Nov-2005: Security Advisory: S 17-Oct-2005: Security Advisory: S 10-Sep-2005: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.144 -r1.145 security.wml --- openpkg-web/security.wml 3 Dec 2005 12:38:22 - 1.144 +++ openpkg-web/security.wml 3 Dec 2005 13:24:39 - 1.145 @@ -90,6 +90,7 @@ + @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.025-perl.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 03-Dec-2005 14:24:09 Branch: HEAD Handle: 2005120313240900 Added files: openpkg-web/securityOpenPKG-SA-2005.025-perl.txt Log: release OpenPKG Security Advisory 2005.025 (perl) Summary: RevisionChanges Path 1.1 +51 -0 openpkg-web/security/OpenPKG-SA-2005.025-perl.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.025-perl.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.025-perl.txt --- /dev/null 2005-12-03 14:24:07 +0100 +++ OpenPKG-SA-2005.025-perl.txt 2005-12-03 14:24:09 +0100 
@@ -0,0 +1,51 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.025 03-Dec-2005 + + +Package: perl +Vulnerability: integer overflow, arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= perl-5.8.7-20050921 >= perl-5.8.7-20051203 +OpenPKG 2.5 <= perl-5.8.7-2.5.0 >= perl-5.8.7-2.5.1 +OpenPKG 2.4 <= perl-5.8.7-2.4.0 >= perl-5.8.7-2.4.1 +OpenPKG 2.3 <= perl-5.8.6-2.3.0 >= perl-5.8.6-2.3.1 + +Description: + According to a security advisory from Dyad Security [0], an integer + overflow bug exists in the Perl [1] programming language. The integer + overflow is in the format string functionality (Perl_sv_vcatpvfn) of + Perl and allows attackers to overwrite arbitrary memory and possibly + execute arbitrary code via format string specifiers with large values. + The Common Vulnerabilities and Exposures (CVE) project assigned the id + CVE-2005-3962 [2] to the problem. + + +References: + [0] http://www.dyadsecurity.com/perl-0002.html + [1] http://www.perl.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962 + + +For security reasons, this advisory was digitally signed with the +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the +OpenPKG project which you can retrieve from http://pgp.openpkg.org and +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ +for details on how to verify the integrity of this advisory. + + +-BEGIN PGP SIGNATURE- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQFDkZxrgHWT4GPEy58RAikXAKCUQaaaYqxG3+QTRQtNVL5YLXvaMgCdGZqn +MTL3qjtRNoCw7vT6iRUDRs8= +=jRTP +-END PGP SIGNATURE- @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: OPENPKG_2_3_SOLID: openpkg-src/perl/ perl.patch perl.sp...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 14:10:26 Branch: OPENPKG_2_3_SOLIDHandle: 2005120313102501 Modified files: (Branch: OPENPKG_2_3_SOLID) openpkg-src/perlperl.patch perl.spec Log: Security Fix (CVE-2005-3962, OpenPKG-SA-2005.025-perl) Summary: RevisionChanges Path 1.15.2.1+20 -0 openpkg-src/perl/perl.patch 1.99.2.2+1 -1 openpkg-src/perl/perl.spec patch -p0 <<'@@ .' Index: openpkg-src/perl/perl.patch $ cvs diff -u -r1.15 -r1.15.2.1 perl.patch --- openpkg-src/perl/perl.patch 5 Feb 2005 14:12:27 - 1.15 +++ openpkg-src/perl/perl.patch 3 Dec 2005 13:10:25 - 1.15.2.1 @@ -365,3 +365,23 @@ vsprintf(buffer+len, fmt, ap); PerlLIO_write(dbg, buffer, strlen(buffer)); +- + +Security Fix (CVE-2005-3962, OpenPKG-SA-2005.025-perl) + +Index: sv.c +--- sv.c.orig2005-05-27 12:38:11 +0200 sv.c 2005-12-03 13:49:26 +0100 +@@ -8519,7 +8519,10 @@ + if (EXPECT_NUMBER(q, width)) { + if (*q == '$') { + ++q; +-efix = width; ++if (width > PERL_INT_MAX) ++efix = PERL_INT_MAX; ++else ++efix = width; + } else { + goto gotwidth; + } + @@ . patch -p0 <<'@@ .' Index: openpkg-src/perl/perl.spec $ cvs diff -u -r1.99.2.1 -r1.99.2.2 perl.spec --- openpkg-src/perl/perl.spec21 Feb 2005 17:07:58 - 1.99.2.1 +++ openpkg-src/perl/perl.spec3 Dec 2005 13:10:26 - 1.99.2.2 @@ -34,7 +34,7 @@ Group:Language License: GPL/Artistic Version: 5.8.6 -Release: 2.3.0 +Release: 2.3.1 # list of sources Source0: ftp://ftp.cpan.org/pub/CPAN/src/perl-%{version}.tar.gz @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
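Review bot: The clamp added to the `$` branch of the sv.c hunk has no comment saying what it protects, and it covers only `efix`; the `goto gotwidth` path carries the same parsed `width` forward without a bound. I would put `/* CVE-2005-3962: an explicit argument index above PERL_INT_MAX must not wrap when stored in efix */` above the `if` (presumably `efix` is a narrower signed type than `width`; the declarations are outside the hunk) and check whether other places in this function that store a parsed number need the same limit. Clamping to `PERL_INT_MAX` is only safe if the later argument lookup compares `efix` with the argument count before indexing, which cannot be seen here. The same hunk is added to perl.patch in the OPENPKG_2_4_SOLID, OPENPKG_2_5_SOLID and HEAD commits that follow.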
[CVS] OpenPKG: OPENPKG_2_4_SOLID: openpkg-src/perl/ perl.patch perl.sp...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 14:05:24 Branch: OPENPKG_2_4_SOLIDHandle: 2005120313052300 Modified files: (Branch: OPENPKG_2_4_SOLID) openpkg-src/perlperl.patch perl.spec Log: Security Fix (CVE-2005-3962, OpenPKG-SA-2005.025-perl) Summary: RevisionChanges Path 1.16.2.1+21 -0 openpkg-src/perl/perl.patch 1.102.2.2 +1 -1 openpkg-src/perl/perl.spec patch -p0 <<'@@ .' Index: openpkg-src/perl/perl.patch $ cvs diff -u -r1.16 -r1.16.2.1 perl.patch --- openpkg-src/perl/perl.patch 3 Jun 2005 07:03:35 - 1.16 +++ openpkg-src/perl/perl.patch 3 Dec 2005 13:05:23 - 1.16.2.1 @@ -265,3 +265,24 @@ # object oriented my $sh = Shell->new; + +- + +Security Fix (CVE-2005-3962, OpenPKG-SA-2005.025-perl) + +Index: sv.c +--- sv.c.orig2005-05-27 12:38:11 +0200 sv.c 2005-12-03 13:49:26 +0100 +@@ -8519,7 +8519,10 @@ + if (EXPECT_NUMBER(q, width)) { + if (*q == '$') { + ++q; +-efix = width; ++if (width > PERL_INT_MAX) ++efix = PERL_INT_MAX; ++else ++efix = width; + } else { + goto gotwidth; + } + @@ . patch -p0 <<'@@ .' Index: openpkg-src/perl/perl.spec $ cvs diff -u -r1.102.2.1 -r1.102.2.2 perl.spec --- openpkg-src/perl/perl.spec15 Jun 2005 19:02:13 - 1.102.2.1 +++ openpkg-src/perl/perl.spec3 Dec 2005 13:05:23 - 1.102.2.2 @@ -33,7 +33,7 @@ Group:Language License: GPL/Artistic Version: 5.8.7 -Release: 2.4.0 +Release: 2.4.1 # list of sources Source0: ftp://ftp.cpan.org/pub/CPAN/src/perl-%{version}.tar.gz @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: OPENPKG_2_5_SOLID: openpkg-src/perl/ perl.patch perl.sp...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 14:03:26 Branch: OPENPKG_2_5_SOLIDHandle: 2005120313032500 Modified files: (Branch: OPENPKG_2_5_SOLID) openpkg-src/perlperl.patch perl.spec Log: Security Fix (CVE-2005-3962, OpenPKG-SA-2005.025-perl) Summary: RevisionChanges Path 1.17.2.1+21 -0 openpkg-src/perl/perl.patch 1.104.2.2 +1 -1 openpkg-src/perl/perl.spec patch -p0 <<'@@ .' Index: openpkg-src/perl/perl.patch $ cvs diff -u -r1.17 -r1.17.2.1 perl.patch --- openpkg-src/perl/perl.patch 21 Sep 2005 15:20:42 - 1.17 +++ openpkg-src/perl/perl.patch 3 Dec 2005 13:03:25 - 1.17.2.1 @@ -305,3 +305,24 @@ # # Using gcc. # + +- + +Security Fix (CVE-2005-3962, OpenPKG-SA-2005.025-perl) + +Index: sv.c +--- sv.c.orig2005-05-27 12:38:11 +0200 sv.c 2005-12-03 13:49:26 +0100 +@@ -8519,7 +8519,10 @@ + if (EXPECT_NUMBER(q, width)) { + if (*q == '$') { + ++q; +-efix = width; ++if (width > PERL_INT_MAX) ++efix = PERL_INT_MAX; ++else ++efix = width; + } else { + goto gotwidth; + } + @@ . patch -p0 <<'@@ .' Index: openpkg-src/perl/perl.spec $ cvs diff -u -r1.104.2.1 -r1.104.2.2 perl.spec --- openpkg-src/perl/perl.spec11 Oct 2005 12:51:13 - 1.104.2.1 +++ openpkg-src/perl/perl.spec3 Dec 2005 13:03:25 - 1.104.2.2 @@ -33,7 +33,7 @@ Group:Language License: GPL/Artistic Version: 5.8.7 -Release: 2.5.0 +Release: 2.5.1 # list of sources Source0: ftp://ftp.cpan.org/pub/CPAN/src/perl-%{version}.tar.gz @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/perl/ perl.patch perl.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 14:01:57 Branch: HEAD Handle: 2005120313015600 Modified files: openpkg-src/perlperl.patch perl.spec Log: Security Fix (CVE-2005-3962, OpenPKG-SA-2005.025-perl) Summary: RevisionChanges Path 1.18+21 -0 openpkg-src/perl/perl.patch 1.105 +1 -1 openpkg-src/perl/perl.spec patch -p0 <<'@@ .' Index: openpkg-src/perl/perl.patch $ cvs diff -u -r1.17 -r1.18 perl.patch --- openpkg-src/perl/perl.patch 21 Sep 2005 15:20:42 - 1.17 +++ openpkg-src/perl/perl.patch 3 Dec 2005 13:01:56 - 1.18 @@ -305,3 +305,24 @@ # # Using gcc. # + +- + +Security Fix (CVE-2005-3962, OpenPKG-SA-2005.025-perl) + +Index: sv.c +--- sv.c.orig2005-05-27 12:38:11 +0200 sv.c 2005-12-03 13:49:26 +0100 +@@ -8519,7 +8519,10 @@ + if (EXPECT_NUMBER(q, width)) { + if (*q == '$') { + ++q; +-efix = width; ++if (width > PERL_INT_MAX) ++efix = PERL_INT_MAX; ++else ++efix = width; + } else { + goto gotwidth; + } + @@ . patch -p0 <<'@@ .' Index: openpkg-src/perl/perl.spec $ cvs diff -u -r1.104 -r1.105 perl.spec --- openpkg-src/perl/perl.spec21 Sep 2005 15:20:42 - 1.104 +++ openpkg-src/perl/perl.spec3 Dec 2005 13:01:56 - 1.105 @@ -33,7 +33,7 @@ Group:Language License: GPL/Artistic Version: 5.8.7 -Release: 20050921 +Release: 20051203 # list of sources Source0: ftp://ftp.cpan.org/pub/CPAN/src/perl-%{version}.tar.gz @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.024-mysql.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 03-Dec-2005 13:39:10 Branch: HEAD Handle: 2005120312391000 Modified files: openpkg-web/securityOpenPKG-SA-2005.024-mysql.txt Log: release OpenPKG Security Advisory 2005.024 (mysql) Summary: RevisionChanges Path 1.2 +10 -0 openpkg-web/security/OpenPKG-SA-2005.024-mysql.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.024-mysql.txt $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2005.024-mysql.txt --- openpkg-web/security/OpenPKG-SA-2005.024-mysql.txt3 Dec 2005 12:38:22 - 1.1 +++ openpkg-web/security/OpenPKG-SA-2005.024-mysql.txt3 Dec 2005 12:39:10 - 1.2 @@ -1,3 +1,6 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + OpenPKG Security AdvisoryThe OpenPKG Project @@ -38,3 +41,10 @@ for details on how to verify the integrity of this advisory. +-BEGIN PGP SIGNATURE- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQFDkZHYgHWT4GPEy58RAqseAKDSQf/+kOxsxm1qsLLm+ltjQx4xUQCfWpnw +f3BRG7NLaRSz9W6POAZjC5o= +=UotL +-END PGP SIGNATURE- @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 03-Dec-2005 13:38:22 Branch: HEAD Handle: 2005120312382200 Added files: openpkg-web/securityOpenPKG-SA-2005.024-mysql.txt Modified files: openpkg-web security.txt security.wml Log: add MySQL SA into website Summary: RevisionChanges Path 1.115 +2 -0 openpkg-web/security.txt 1.144 +2 -0 openpkg-web/security.wml 1.1 +40 -0 openpkg-web/security/OpenPKG-SA-2005.024-mysql.txt patch -p0 <<'@@ .' Index: openpkg-web/security.txt $ cvs diff -u -r1.114 -r1.115 security.txt --- openpkg-web/security.txt 17 Oct 2005 16:11:22 - 1.114 +++ openpkg-web/security.txt 3 Dec 2005 12:38:22 - 1.115 @@ -1,3 +1,5 @@ +03-Dec-2005: Security Advisory: S +02-Nov-2005: Security Advisory: S 17-Oct-2005: Security Advisory: S 10-Sep-2005: Security Advisory: S 06-Sep-2005: Security Advisory: S @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml $ cvs diff -u -r1.143 -r1.144 security.wml --- openpkg-web/security.wml 19 Oct 2005 09:20:04 - 1.143 +++ openpkg-web/security.wml 3 Dec 2005 12:38:22 - 1.144 @@ -90,6 +90,8 @@ + + @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.024-mysql.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.024-mysql.txt --- /dev/null 2005-12-03 13:38:13 +0100 +++ OpenPKG-SA-2005.024-mysql.txt 2005-12-03 13:38:22 +0100 
@@ -0,0 +1,40 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.024 03-Dec-2005 + + +Package: mysql +Vulnerability: buffer overflow, arbitrary code execution +OpenPKG Specific:no + +Affected Releases: Affected Packages:Corrected Packages: +OpenPKG CURRENT <= mysql-4.1.12-20050617 >= mysql-4.1.13-20050721 +OpenPKG 2.5 N.A. N.A. +OpenPKG 2.4 <= mysql-4.1.12-2.4.0 >= mysql-4.1.12-2.4.1 + +Description: + According to a security advisory from Reid Borsuk of Application + Security Inc [0], a stack-based buffer overflow exists in the MySQL + RDBMS [1]. The buffer overflow allows remote authenticated users + who can create user-defined database functions to execute arbitrary + code via a long "function_name" field. The Common Vulnerabilities + and Exposures (CVE) project assigned the id CVE-2005-2558 [2] to the + problem. + + +References: + [0] http://www.appsecinc.com/resources/alerts/mysql/2005-002.html + [1] http://www.mysql.com/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2558 + + +For security reasons, this advisory was digitally signed with the +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the +OpenPKG project which you can retrieve from http://pgp.openpkg.org and +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ +for details on how to verify the integrity of this advisory. + + @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-0000.000-template.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 03-Dec-2005 13:35:41 Branch: HEAD Handle: 2005120312354100 Modified files: openpkg-web/securityOpenPKG-SA-.000-template.txt Log: allow us to still fix some packages for 2.3, too Summary: RevisionChanges Path 1.29+2 -0 openpkg-web/security/OpenPKG-SA-.000-template.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-.000-template.txt $ cvs diff -u -r1.28 -r1.29 OpenPKG-SA-.000-template.txt --- openpkg-web/security/OpenPKG-SA-.000-template.txt 3 Dec 2005 11:50:03 - 1.28 +++ openpkg-web/security/OpenPKG-SA-.000-template.txt 3 Dec 2005 12:35:41 - 1.29 @@ -17,11 +17,13 @@ OpenPKG CURRENT <= foo-1.2.4-20050123 >= foo-1.2.4-20059124 OpenPKG 2.5 <= foo-1.2.3-2.5.0 >= foo-1.2.3-2.5.1 OpenPKG 2.4 <= foo-1.2.2-2.4.0 >= foo-1.2.2-2.4.1 +OpenPKG 2.3 <= foo-1.2.1-2.3.0 >= foo-1.2.1-2.3.1 Affected Releases: Dependent Packages: OpenPKG CURRENT bar quux OpenPKG 2.5 bar quux OpenPKG 2.4 bar +OpenPKG 2.3 bar Description: According to a ... security advisory based on hints from ... @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: OPENPKG_2_4_SOLID: openpkg-src/mysql/ mysql.patch mysql...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 03-Dec-2005 13:33:44 Branch: OPENPKG_2_4_SOLIDHandle: 2005120312334400 Modified files: (Branch: OPENPKG_2_4_SOLID) openpkg-src/mysql mysql.patch mysql.spec Log: Security Fix (CVE-2005-2558, OpenPKG-SA-2005.024) Summary: RevisionChanges Path 1.15.4.1+47 -0 openpkg-src/mysql/mysql.patch 1.123.2.2 +1 -1 openpkg-src/mysql/mysql.spec patch -p0 <<'@@ .' Index: openpkg-src/mysql/mysql.patch $ cvs diff -u -r1.15 -r1.15.4.1 mysql.patch --- openpkg-src/mysql/mysql.patch 16 Feb 2005 20:25:18 - 1.15 +++ openpkg-src/mysql/mysql.patch 3 Dec 2005 12:33:44 - 1.15.4.1 
@@ -81,3 +81,50 @@ else i_u="$i_u INSERT INTO user VALUES ('localhost','','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);" + +- + +Security Fix (CVE-2005-2558, OpenPKG-SA-2005.024) + +Index: libmysqld/sql_udf.cc +--- libmysqld/sql_udf.cc.orig2005-05-13 13:32:15 +0200 libmysqld/sql_udf.cc 2005-12-03 10:46:25 +0100 +@@ -222,7 +222,7 @@ + } + tmp->dlhandle = dl; + { +- char buf[MAX_FIELD_NAME+16], *missing; ++ char buf[NAME_LEN+16], *missing; + if ((missing= init_syms(tmp, buf))) + { + sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), missing); +@@ -439,7 +439,7 @@ + } + udf->dlhandle=dl; + { +-char buf[MAX_FIELD_NAME+16], *missing; ++char buf[NAME_LEN+16], *missing; + if ((missing= init_syms(udf, buf))) + { + net_printf(thd, ER_CANT_FIND_DL_ENTRY, missing); +Index: sql/sql_udf.cc +--- sql/sql_udf.cc.orig 2005-05-13 13:32:15 +0200 sql/sql_udf.cc 2005-12-03 10:46:25 +0100 +@@ -222,7 +222,7 @@ + } + tmp->dlhandle = dl; + { +- char buf[MAX_FIELD_NAME+16], *missing; ++ char buf[NAME_LEN+16], *missing; + if ((missing= init_syms(tmp, buf))) + { + sql_print_error(ER(ER_CANT_FIND_DL_ENTRY), missing); +@@ -439,7 +439,7 @@ + } + udf->dlhandle=dl; + { +-char buf[MAX_FIELD_NAME+16], *missing; ++char buf[NAME_LEN+16], *missing; + if ((missing= init_syms(udf, buf))) + { + net_printf(thd, ER_CANT_FIND_DL_ENTRY, missing); @@ . patch -p0 <<'@@ .' Index: openpkg-src/mysql/mysql.spec $ cvs diff -u -r1.123.2.1 -r1.123.2.2 mysql.spec --- openpkg-src/mysql/mysql.spec 15 Jun 2005 19:00:57 - 1.123.2.1 +++ openpkg-src/mysql/mysql.spec 3 Dec 2005 12:33:44 - 1.123.2.2 @@ -39,7 +39,7 @@ Group:Database License: GPL Version: %{V_opkg} -Release: 2.4.0 +Release: 2.4.1 # package options %option with_serveryes @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
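Review bot: The enlarged buffer in the embedded sql_udf.cc patch is still protected only by its declared size: `init_syms(tmp, buf)` and `init_syms(udf, buf)` receive no length, and the place where the function name is limited to `NAME_LEN` is not visible here (the enclosing functions begin and end outside the hunk). `char buf[NAME_LEN+16]` is therefore correct only while that limit is enforced before both call sites, in `libmysqld/sql_udf.cc` as well as `sql/sql_udf.cc`. I would record the invariant next to each declaration, for example `/* must hold a name of up to NAME_LEN bytes plus whatever init_syms() adds to it */` (assuming the `+16` is headroom for that), and confirm that the length check exists on every path that reaches these blocks.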
[CVS] OpenPKG: openpkg-web/security/ resign.pl
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 03-Dec-2005 13:20:47 Branch: HEAD Handle: 2005120312204600 Added files: openpkg-web/securityresign.pl Log: add a small script for resigning the SAs Summary: RevisionChanges Path 1.1 +32 -0 openpkg-web/security/resign.pl
patch -p0 <<'@@ .'
Index: openpkg-web/security/resign.pl
$ cvs diff -u -r0 -r1.1 resign.pl
--- /dev/null 2005-12-03 13:20:28 +0100
+++ resign.pl 2005-12-03 13:20:47 +0100
@@ -0,0 +1,32 @@
+#!/v/openpkg/sw/bin/perl
+
+die "usage: resign.pl " if (@ARGV != 1);
+
+my $pw = $ARGV[0];
+
+use IO::File;
+
+my @file = glob("*.txt");
+foreach my $file (@file) {
+next if ($file =~ m|\.000|s);
+print "$file\n";
+
+my $io = new IO::File "<$file" or die;
+my $txt; { local $/; $txt = <$io>; };
+$io->close;
+
+$txt =~ s|^-BEGIN PGP SIGNED MESSAGE-.+?(\n__)|$1|s;
+$txt =~ s|-BEGIN PGP SIGNATURE-.+$||s;
+$txt =~ s|^\n+||sg;
+$txt =~ s|\n+$||sg;
+$txt =~ s|$|\n\n|sg;
+
+$io = new IO::File ">$file" or die;
+$io->print($txt);
+$io->close;
+
+system("echo '$pw' | gpg --passphrase-fd 0 --clearsign $file >/dev/null 2>&1");
+system("mv $file.asc $file");
+system("gpg --verify $file >/dev/null 2>&1");
+}
+
@@ .
__ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
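Review bot: The signing passphrase reaches gpg through a shell string, `system("echo '$pw' | gpg --passphrase-fd 0 --clearsign $file ...")`, so it is taken from `@ARGV` and ends up on command lines that process listings and shell history can expose, and both `$pw` and `$file` are parsed by the shell. None of the three `system()` results is checked, so `mv $file.asc $file` and the final `gpg --verify` run, with their status ignored, even when signing failed and the advisory has already been rewritten without its old signature. I would read the passphrase from stdin, pass it to gpg over a pipe opened in list form, and die on any failing step; gpg's own messages are then no longer discarded, which seems preferable for a signing tool. Separately, `use strict; use warnings;` and three-argument opens in place of `new IO::File "<$file"` would be worth adding.

```perl
# read the passphrase from stdin rather than from @ARGV
my $pw = <STDIN>;
die "no passphrase on stdin\n" unless defined $pw;
chomp $pw;

# … unchanged: glob of *.txt, skip of .000 files, read and strip of the old signature …

    # list-form calls start gpg without a shell, so neither the
    # passphrase nor the file name is interpreted as shell input
    open(my $gpg, '|-', 'gpg', '--passphrase-fd', '0', '--clearsign', $file)
        or die "cannot start gpg for $file: $!\n";
    print {$gpg} "$pw\n";
    close($gpg) or die "gpg --clearsign failed for $file\n";

    # replace the advisory only after signing succeeded, then verify it
    rename("$file.asc", $file) or die "rename $file.asc: $!\n";
    system('gpg', '--verify', $file) == 0
        or die "signature check failed for $file\n";
```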