From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Feb 3 08:30:12 2012
Resent-Date: Fri, 3 Feb 2012 08:30:12 GMT
Resent-Message-Id: <201202030830.q138UCOC012417@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Andrei Lavreniyuk
Message-Id: <201202030821.q138LpiA081084@red.freebsd.org>
Date: Fri, 3 Feb 2012 08:21:51 GMT
From: Andrei Lavreniyuk
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: ports/164730: [SECURITY] Critical PHP Remote Vulnerability (PHP 5.3.9) lang/php5
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports
X-List-Received-Date: Fri, 03 Feb 2012 08:30:12 -0000

>Number: 164730
>Category: ports
>Synopsis: [SECURITY] Critical PHP Remote Vulnerability (PHP 5.3.9) lang/php5
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Feb 03 08:30:12 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Andrei Lavreniyuk
>Release: FreeBSD 9.0-STABLE
>Organization: Technica-03, Inc.
>Environment:
FreeBSD datacenter.technica-03.local 9.0-STABLE FreeBSD 9.0-STABLE #0: Thu Feb 2 11:11:50 EET 2012 root@datacenter.technica-03.local:/usr/obj/usr/src/sys/SMP64 amd64
>Description:
http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

--- main/php_variables.c.orig 2012-01-01 15:15:04.000000000 +0200 +++ main/php_variables.c 2012-02-03 09:39:44.692970733 +0200 @@ -198,6 +198,9 @@ MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } else { + efree(var_orig); + return; } } if (index != escaped_index) {

>Release-Note:
>Audit-Trail:
>Unformatted:
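
Review bot: the added `else` branch in main/php_variables.c returns straight after `efree(var_orig)`, so it never reaches the `if (index != escaped_index) {` block that the trailing context shows just below the closing braces. If that block releases `escaped_index`, the early return skips the release every time this path is taken; suggest performing the same cleanup, and releasing anything else the function still owns at that point, before the `return`. The hunk also does not show the condition this `else` pairs with, and the Description field is only a link, so a sentence in the PR stating which check guards the `zend_symtable_update(...)` call and what the new branch rejects would let the change be reviewed without following the URL.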