ports/160805: [update] lang/php52 CVE vulnerabilities fixes

Svyatoslav Lempert svyatoslav.lempert at gmail.com
Sun Sep 18 15:10:12 UTC 2011


>Number:         160805
>Category:       ports
>Synopsis:       [update] lang/php52 CVE vulnerabilities fixes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 18 15:10:06 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Svyatoslav Lempert
>Release:        8.2-STABLE amd64
>Organization:
>Environment:
>Description:
The PHP developers do not fix critical issues in PHP 5.2.x because PHP 5.2.x is EOL.

As far as I know, the lang/php52 port will be deleted soon due to insecurity. I propose a solution that will fix it.

The CentALT maintainer made backports from PHP 5.3.x to PHP 5.2 (http://centos.alt.ru/?p=571) to fix some issues and vulnerabilities.

I took the CVE patches from php-5.2.17-7.el5.src.rpm (http://centos.alt.ru/?p=566) and added them to the port as an install option to fix these problems.

CVE-2011-2202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."

CVE-2011-1938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.

CVE-2011-1148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1148
Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.

CVE-2011-0708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0708
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.

CVE-2011-1092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1092
Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (crash) and possibly read sensitive memory via a large third argument to the shmop_read function.

CVE-2011-0421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a locateName or statName operation.


I plan to take patches from newer versions of PHP from centos.alt.ru and add them to the PHP 5.2.17 port for as long as there is a need for the port.

The port's operability has been tested by building it and running basic applications on FreeBSD 8.2 amd64. If the backports cause any problem, they can easily be disabled.
>How-To-Repeat:

>Fix:
Apply the patch to lang/php52. With these patches the port is completely secure, and the vulnerable mark can be removed from it (see the vulnerable mark at http://www.freshports.org/lang/php52/).

Port summary:
- security fixes for CVE-2011-2202, CVE-2011-1938, CVE-2011-1148, CVE-2011-0708, CVE-2011-1092, CVE-2011-0421 vulnerabilities
- option BACKPORTS in the port config to enable the port patches (enabled by default)
- bump PORTREVISION

Patch attached with submission follows:

diff -ruN php52.orig/Makefile php52/Makefile
--- php52.orig/Makefile	2011-09-17 16:37:28.000000000 +0100
+++ php52/Makefile	2011-09-17 18:38:02.000000000 +0100
@@ -7,7 +7,7 @@
 
 PORTNAME=	php52
 PORTVERSION=	5.2.17
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES?=	lang devel www
 MASTER_SITES=	${MASTER_SITE_PHP}
 MASTER_SITE_SUBDIR=	distributions
@@ -48,7 +48,8 @@
 		FASTCGI "Enable fastcgi support (CGI only)" on \
 		FPM "Enable fastcgi process manager (CGI only)" off \
 		PATHINFO "Enable path-info-check support (CGI only)" on \
-		LINKTHR "Link thread lib (for threaded extensions)" off
+		LINKTHR "Link thread lib (for threaded extensions)" off \
+		BACKPORTS "Enable backported security and bugfix patches" on
 
 CONFLICTS=	php4-4* php5-5.3*
 
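Review bot: the description on the new BACKPORTS line promises "security and bugfix patches", but the PATCHFILES this submission adds are six CVE fixes only; word the description as security fixes, or list the bugfix patches too, so users toggling the option know what it changes. Since the option defaults to on precisely because the unpatched port is marked vulnerable, the description should also make clear that turning it off builds a known-vulnerable PHP.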
@@ -188,6 +189,16 @@
 CONFIGURE_ARGS+=--disable-ipv6
 .endif
 
+.if defined(WITH_BACKPORTS)
+PATCHFILES+=	php-5.2.17-CVE-2011-0421.patch \
+		php-5.2.17-CVE-2011-0708.patch \
+		php-5.2.17-CVE-2011-1092.patch \
+		php-5.2.17-CVE-2011-1148.patch \
+		php-5.2.17-CVE-2011-1938.patch \
+		php-5.2.17-CVE-2011-2202.patch
+PATCH_SITES+=	http://php52-backports.googlecode.com/files/
+.endif
+
 post-patch:
 	@${TOUCH} ${WRKSRC}/ext/php_config.h
 	@${REINPLACE_CMD} "s|^\(extension_dir\)|; \1|" ${WRKSRC}/php.ini-*
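Review bot: the PATCH_SITES line points at http://php52-backports.googlecode.com/files/, a third-party download location, while the PR says the patches came from php-5.2.17-7.el5.src.rpm on centos.alt.ru; nothing in the hunk lets a reviewer confirm the googlecode files are identical to the SRPM patches, and the security fixes now depend on that host staying up. Prefer committing the six patches into the port's files/ directory where they are reviewable in the tree, or at minimum add a comment beside PATCH_SITES recording their provenance. Also check the patch depth: the block sets no PATCH_DIST_STRIP, so confirm the fetched files apply at the default patch level against ${WRKSRC}, or set PATCH_DIST_STRIP accordingly.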
diff -ruN php52.orig/distinfo php52/distinfo
--- php52.orig/distinfo	2011-09-17 16:37:28.000000000 +0100
+++ php52/distinfo	2011-09-17 17:42:47.000000000 +0100
@@ -6,3 +6,15 @@
 SIZE (suhosin-patch-5.2.16-0.9.7.patch.gz) = 23069
 SHA256 (php-5.2.10-mail-header.patch) = a61d50540f4aae32390118453845c380fe935b6d1e46cef6819c8561946e942f
 SIZE (php-5.2.10-mail-header.patch) = 3383
+SHA256 (php-5.2.17-CVE-2011-0421.patch) = e31086a77a5c4ec1cb4e302d3c7107eadbfebc26cf9e1ca5a018407616a95e7a
+SIZE (php-5.2.17-CVE-2011-0421.patch) = 383
+SHA256 (php-5.2.17-CVE-2011-0708.patch) = e07d9cac035da6a53216600b17a6d0b4d524ccae1c48288dfdfb9ca965a0f70a
+SIZE (php-5.2.17-CVE-2011-0708.patch) = 1724
+SHA256 (php-5.2.17-CVE-2011-1092.patch) = 4e57151848f006258d9566605929d9121b754c8b5957c24d481d1d6390ecc518
+SIZE (php-5.2.17-CVE-2011-1092.patch) = 380
+SHA256 (php-5.2.17-CVE-2011-1148.patch) = ca9f77ad7d0350d6155b5aa7f2947b4ea3f20df436a2687f578bfde3f890b43d
+SIZE (php-5.2.17-CVE-2011-1148.patch) = 5115
+SHA256 (php-5.2.17-CVE-2011-1938.patch) = f6f6e8b0f6ec430c598eed17b5bb2bb4223591406920d578a1c5711c214988e4
+SIZE (php-5.2.17-CVE-2011-1938.patch) = 641
+SHA256 (php-5.2.17-CVE-2011-2202.patch) = b131428a79548c9164721a03fe33003f7b7631e26d50084308e140ed5dd9d995
+SIZE (php-5.2.17-CVE-2011-2202.patch) = 845
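Review bot: these SHA256/SIZE entries are only consulted when WITH_BACKPORTS is defined, so `make makesum` has to be run with the option enabled whenever a patch file changes or the sums silently go stale; say so in the commit message. The sums also attest only to what the googlecode site serves, not to equivalence with the SRPM patches the PR cites, so record the SRPM's own checksum or the upstream PHP commit each backport corresponds to, so that a later reviewer can re-verify the six files.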


>Release-Note:
>Audit-Trail:
>Unformatted:
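The path-traversal issue in CVE-2011-2202 above turns on one check: a client-supplied multipart filename must be reduced to a bare basename before it touches the filesystem. The following is an added C example, not PHP's rfc1867.c and not code from the submitter or the CentALT backport; the function names `upload_basename`, `disposition_filename` and `resolve_upload_name` and the sample headers are constructed for illustration. It shows the rejection cases a check that only looks for '/' would miss: backslash separators, a trailing separator, and `..` as the final component.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not PHP's own code: strip any directory prefix from
 * a client-supplied upload filename. Both '/' and '\\' are treated as
 * separators because clients have historically sent Windows-style paths.
 * Returns a pointer into `name` at the last component, or NULL when nothing
 * usable remains ("", ".", ".."). */
const char *upload_basename(const char *name)
{
    const char *base = name;
    const char *p;
    for (p = name; *p != '\0'; p++) {
        if (*p == '/' || *p == '\\')
            base = p + 1;
    }
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return NULL;
    return base;
}

/* Extract the filename="..." parameter from a Content-Disposition header.
 * Copies it into `out` (at most outsz-1 bytes) and returns 1, or returns 0
 * when the parameter is absent, unterminated or too long. */
int disposition_filename(const char *hdr, char *out, size_t outsz)
{
    const char *start = strstr(hdr, "filename=\"");
    const char *end;
    size_t len;

    if (start == NULL)
        return 0;
    start += strlen("filename=\"");
    end = strchr(start, '"');
    if (end == NULL)
        return 0;
    len = (size_t)(end - start);
    if (len >= outsz)
        return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Decide the name under which an upload may be stored inside the upload
 * directory. Returns 1 and fills `out` with a bare basename, or 0 if the
 * header has to be rejected. The caller joins `out` with the upload
 * directory itself; the client never gets to supply a directory. */
int resolve_upload_name(const char *hdr, char *out, size_t outsz)
{
    char raw[256];
    const char *base;

    if (!disposition_filename(hdr, raw, sizeof raw))
        return 0;
    base = upload_basename(raw);
    if (base == NULL || strlen(base) >= outsz)
        return 0;
    strcpy(out, base);
    return 1;
}

int main(void)
{
    /* Constructed sample headers: the first benign, the rest hostile. */
    static const char *samples[] = {
        "Content-Disposition: form-data; name=\"f\"; filename=\"report.pdf\"",
        "Content-Disposition: form-data; name=\"f\"; filename=\"/etc/passwd\"",
        "Content-Disposition: form-data; name=\"f\"; filename=\"..\\..\\win.ini\"",
        "Content-Disposition: form-data; name=\"f\"; filename=\"../\"",
    };
    char out[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (resolve_upload_name(samples[i], out, sizeof out))
            printf("store as: %s\n", out);
        else
            printf("reject:   %s\n", samples[i]);
    }
    return 0;
}
```

Note that the sanitised name is still only safe relative to a directory the server chooses; the check above removes the attacker's control over the path, it does not make the upload directory itself writable-only-by-design, so keep it outside the document root and pair it with the usual size and type limits.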