ports/101864: [PATCH] lang/php4 4.4.3 security problem
dawnshade
h-k at mail.ru
Sat Aug 12 07:10:09 UTC 2006
>Number: 101864
>Category: ports
>Synopsis: [PATCH] lang/php4 4.4.3 security problem
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Aug 12 07:10:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: dawnshade
>Release: 6.1-RELEASE
>Organization:
-
>Environment:
FreeBSD mail.host.ru 6.1-RELEASE-p2 FreeBSD 6.1-RELEASE-p2 #0: Sun Jul 2 10:34:26 MSD 2006 root at mail.host.ru:/usr/src/sys/i386/compile/mail_kern_8 i386
>Description:
lang/php 4.4.3 have security problem, which fixed only in CVS.
Advisory: http://secunia.com/advisories/21403/
Original bug: http://bugs.php.net/bug.php?id=38322
Patch from vendor: http://tony2001.phpclub.net/dev/tmp/bug38322.diff
>How-To-Repeat:
-
>Fix:
Apply following patch:
mail# diff -ruN php4 php4.old
diff -ruN php4/Makefile php4.old/Makefile
--- php4/Makefile Sat Aug 12 10:54:14 2006
+++ php4.old/Makefile Tue Aug 8 16:56:10 2006
@@ -7,7 +7,7 @@
PORTNAME= php4
PORTVERSION= 4.4.3
-PORTREVISION?= 1
+PORTREVISION?= 0
CATEGORIES?= lang devel www
MASTER_SITES= ${MASTER_SITE_PHP:S,$,:release,} \
http://downloads.php.net/ilia/:rc \
diff -ruN php4/patch-scanf.c php4.old/patch-scanf.c
--- php4/patch-scanf.c Fri Aug 4 13:27:18 2006
+++ php4.old/patch-scanf.c Thu Jan 1 03:00:00 1970
@@ -1,73 +0,0 @@
-Index: ext/standard/scanf.c
-===================================================================
-RCS file: /repository/php-src/ext/standard/scanf.c,v
-retrieving revision 1.31.2.2
-diff -u -p -d -r1.31.2.2 scanf.c
---- ext/standard/scanf.c 1 Jan 2006 12:50:15 -0000 1.31.2.2
-+++ ext/standard/scanf.c 4 Aug 2006 09:26:55 -0000
-@@ -762,7 +762,9 @@ PHPAPI int php_sscanf_internal( char *st
- switch (*ch) {
- case 'n':
- if (!(flags & SCAN_SUPPRESS)) {
-- if (numVars) {
-+ if (numVars && objIndex >= argCount) {
-+ break;
-+ } else if (numVars) {
- zend_uint refcount;
-
- current = args[objIndex++];
-@@ -888,7 +890,9 @@ PHPAPI int php_sscanf_internal( char *st
- }
- }
- if (!(flags & SCAN_SUPPRESS)) {
-- if (numVars) {
-+ if (numVars && objIndex >= argCount) {
-+ break;
-+ } else if (numVars) {
- zend_uint refcount;
-
- current = args[objIndex++];
-@@ -932,7 +936,9 @@ PHPAPI int php_sscanf_internal( char *st
- goto done;
- }
- if (!(flags & SCAN_SUPPRESS)) {
-- if (numVars) {
-+ if (numVars && objIndex >= argCount) {
-+ break;
-+ } else if (numVars) {
- current = args[objIndex++];
- zval_dtor( *current );
- ZVAL_STRINGL( *current, string, end-string, 1);
-@@ -1089,7 +1095,9 @@ PHPAPI int php_sscanf_internal( char *st
- value = (int) (*fn)(buf, NULL, base);
- if ((flags & SCAN_UNSIGNED) && (value < 0)) {
- sprintf(buf, "%u", value); /* INTL: ISO digit */
-- if (numVars) {
-+ if (numVars && objIndex >= argCount) {
-+ break;
-+ } else if (numVars) {
- /* change passed value type to string */
- current = args[objIndex++];
- convert_to_string( *current );
-@@ -1098,7 +1106,9 @@ PHPAPI int php_sscanf_internal( char *st
- add_index_string(*return_value, objIndex++, buf, 1);
- }
- } else {
-- if (numVars) {
-+ if (numVars && objIndex >= argCount) {
-+ break;
-+ } else if (numVars) {
- current = args[objIndex++];
- convert_to_long( *current );
- Z_LVAL(**current) = value;
-@@ -1206,7 +1216,9 @@ PHPAPI int php_sscanf_internal( char *st
- double dvalue;
- *end = '\0';
- dvalue = zend_strtod(buf, NULL);
-- if (numVars) {
-+ if (numVars && objIndex >= argCount) {
-+ break;
-+ } else if (numVars) {
- current = args[objIndex++];
- convert_to_double( *current );
- Z_DVAL_PP( current ) = dvalue;
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list