Date: Fri, 07 Jan 2011 17:07:49 +0000
From: "Tom Judge" <tom@tomjudge.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: ale@FreeBSD.org
Subject: ports/153766: [patch] PHP Floating Point CVE Bumper patch
Message-ID: <20110107170320.D022A48C5A@tomjudge.vm.bytemark.co.uk>
Resent-Message-ID: <201101071710.p07HA3NB045556@freefall.freebsd.org>
>Number: 153766
>Category: ports
>Synopsis: [patch] PHP Floating Point CVE Bumper patch
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 07 17:10:03 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Tom Judge
>Release: FreeBSD 8.1-STABLE amd64
>Organization:
>Environment:
System: FreeBSD tinderbox.home.tomjudge.com 8.1-STABLE FreeBSD 8.1-STABLE #0 r213720: Tue Oct 12 14:02:02 UTC 2010 tj@tinderbox.home.tomjudge.com:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
The attached patch contains:
* Version bump of lang/php52 to 5.2.17
* Version bump of lang/php5 to 5.3.5
* VuXML entry for the CVE.

Tinderbox logs:
http://tinderbox.tomjudge.com/tb/logs/8.1-Devel-amd64/php5-5.3.5.log
http://tinderbox.tomjudge.com/tb/logs/8.1-Devel-amd64/php52-5.2.17.log
>How-To-Repeat:
>Fix:
--- php-fp.txt begins here ---
Index: lang/php5/Makefile =================================================================== RCS file: /home/ncvs/ports/lang/php5/Makefile,v retrieving revision 1.156 diff -u -r1.156 Makefile --- lang/php5/Makefile 31 Dec 2010 10:15:54 -0000 1.156 +++ lang/php5/Makefile 7 Jan 2011 16:29:11 -0000 @@ -6,7 +6,7 @@ # PORTNAME= php5 -PORTVERSION= 5.3.4 +PORTVERSION= 5.3.5 PORTREVISION?= 0 CATEGORIES?= lang devel www MASTER_SITES= ${MASTER_SITE_PHP} @@ -59,7 +59,7 @@ PATCH_DIST_STRIP= -p1 .if !defined(WITHOUT_SUHOSIN) -PATCHFILES+= suhosin-patch-${PORTVERSION}-0.9.10.patch.gz:suhosin +PATCHFILES+= suhosin-patch-5.3.4-0.9.10.patch.gz:suhosin PATCH_SITES+= http://download.suhosin.org/:suhosin PLIST_SUB+= SUHOSIN="" .else Index: lang/php5/distinfo =================================================================== RCS file: /home/ncvs/ports/lang/php5/distinfo,v retrieving revision 1.51 diff -u -r1.51 distinfo --- lang/php5/distinfo 31 Dec 2010 10:15:54 -0000 1.51 +++ lang/php5/distinfo 7 Jan 2011 16:29:16 -0000 
@@ -1,6 +1,4 @@ -SHA256 (php-5.3.4.tar.bz2) = a832831185b1652d1adf7ff92864b2a65153853ee5999dafcd6c1ee657f4218d -SIZE (php-5.3.4.tar.bz2) = 10804376 +SHA256 (php-5.3.5.tar.bz2) = a25ddae6a59d7345bcbb69ef2517784f56c2069af663ae4611e580cbdec77e22 +SIZE (php-5.3.5.tar.bz2) = 10806092 SHA256 (suhosin-patch-5.3.4-0.9.10.patch.gz) = 6c920803f6a9f43881c7d8a938716cb572c2f43181fe5cd71f7bfb486825fddf SIZE (suhosin-patch-5.3.4-0.9.10.patch.gz) = 41092 -SHA256 (php-5.3.4-mail-header.patch) = b360a9719151d43a34e46ac8e0c7631fef7f24647d22b186ddc89bf050beaa02 -SIZE (php-5.3.4-mail-header.patch) = 3350 Index: lang/php52/Makefile =================================================================== RCS file: /home/ncvs/ports/lang/php52/Makefile,v retrieving revision 1.16 diff -u -r1.16 Makefile --- lang/php52/Makefile 31 Dec 2010 12:56:36 -0000 1.16 +++ lang/php52/Makefile 7 Jan 2011 16:24:11 -0000 @@ -6,7 +6,7 @@ # PORTNAME= php52 -PORTVERSION= 5.2.16 +PORTVERSION= 5.2.17 CATEGORIES?= lang devel www MASTER_SITES= ${MASTER_SITE_PHP} MASTER_SITE_SUBDIR= distributions @@ -88,7 +88,7 @@ .endif .if !defined(WITHOUT_SUHOSIN) -PATCHFILES+= suhosin-patch-${PORTVERSION}-0.9.7.patch.gz:suhosin +PATCHFILES+= suhosin-patch-5.2.16-0.9.7.patch.gz:suhosin PATCH_SITES+= http://download.suhosin.org/:suhosin PLIST_SUB+= SUHOSIN="" .else Index: lang/php52/distinfo =================================================================== RCS file: /home/ncvs/ports/lang/php52/distinfo,v retrieving revision 1.7 diff -u -r1.7 distinfo --- lang/php52/distinfo 31 Dec 2010 12:56:36 -0000 1.7 +++ lang/php52/distinfo 7 Jan 2011 16:24:27 -0000 
@@ -1,8 +1,4 @@ -SHA256 (php-5.2.16.tar.bz2) = 790c4aeb77064a17e3c985fac0fbd7ac3635bc53c7ce7c80bd7c39239e338603 -SIZE (php-5.2.16.tar.bz2) = 9090930 -SHA256 (php-5.2.14-fpm-0.5.14-freebsd.patch.gz) = 354ce451417d14ef47761ae55147e9cee30fa0ff6f59447da021194c539f4d7f -SIZE (php-5.2.14-fpm-0.5.14-freebsd.patch.gz) = 43550 +SHA256 (php-5.2.17.tar.bz2) = e81beb13ec242ab700e56f366e9da52fd6cf18961d155b23304ca870e53f116c +SIZE (php-5.2.17.tar.bz2) = 9092312 SHA256 (suhosin-patch-5.2.16-0.9.7.patch.gz) = aae115a318d80b3f32cedf876e7a8e4b932febb1b0c743c0b398003ebe122f91 SIZE (suhosin-patch-5.2.16-0.9.7.patch.gz) = 23069 -SHA256 (php-5.2.10-mail-header.patch) = a61d50540f4aae32390118453845c380fe935b6d1e46cef6819c8561946e942f -SIZE (php-5.2.10-mail-header.patch) = 3383 Index: security/vuxml/vuln.xml =================================================================== RCS file: /home/ncvs/ports/security/vuxml/vuln.xml,v retrieving revision 1.2270 diff -u -r1.2270 vuln.xml --- security/vuxml/vuln.xml 1 Jan 2011 14:31:38 -0000 1.2270 +++ security/vuxml/vuln.xml 7 Jan 2011 17:02:07 -0000 
@@ -34,6 +34,47 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="2b6ed5c7-1a7f-11e0-b61d-000c29d1636d"> + <topic>php -- multiple vulnerabilities</topic> + <affects> + <package> + <name>php5</name> + <range><lt>5.3.5</lt></range> + </package> + <package> + <name>php52</name> + <range><lt>5.2.17</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>PHP developers reports:</p> + <blockquote cite="http://www.php.net/releases/5_3_5.php"> + <p>Security Enhancements and Fixes in PHP 5.3.5:</p> + <ul> + <li>Fixed bug #53632 (PHP hangs on numeric value + 2.2250738585072011e-308). (CVE-2010-4645)</li> + </ul> + </blockquote> + <blockquote cite="http://www.php.net/releases/5_2_17.php"> + <p>Security Enhancements and Fixes in PHP 5.2.17:</p> + <ul> + <li>Fixed bug #53632 (PHP hangs on numeric value + 2.2250738585072011e-308). (CVE-2010-4645)</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2010-4645</cvename> + </references> + <dates> + <discovery>2011-01-06</discovery> + <entry>2011-01-07</entry> + <modified>2011-01-07</modified> + </dates> + </vuln> + <vuln vid="06a12e26-142e-11e0-bea2-0015f2db7bde"> <topic>webkit-gtk2 -- Multiple vulnabilities</topic> <affects> --- php-fp.txt ends here --- >Release-Note: >Audit-Trail: >Unformatted:
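Review bot: In lang/php5/Makefile, the hunk at line 59 pins the Suhosin PATCHFILES entry to the literal 5.3.4 while PORTVERSION moves to 5.3.5, and nothing in the hunk says why. The next person to bump the port cannot tell that the mismatch is deliberate or when it should be undone. Suggest a one-line comment above the PATCHFILES line stating that no Suhosin patch for 5.3.5 is being used, or a dedicated variable (for example a hypothetical SUHOSIN_PHPVER= 5.3.4) so the pin is explicit, and confirm that the 5.3.4 patch applies without rejects to the 5.3.5 sources.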
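Review bot: The lang/php5/distinfo hunk deletes the SHA256 and SIZE lines for php-5.3.4-mail-header.patch, yet neither lang/php5/Makefile hunk touches a mail-header patch file. If the Makefile still adds that patch under an option, a build with the option enabled has no checksum to verify the file against. This pattern usually means distinfo was regenerated with only the default options set. Please regenerate it with every optional patch file enabled, or say in the PR that the mail-header patch is being dropped and remove it from the Makefile in the same change.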
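Review bot: In lang/php52/Makefile, the hunk at line 88 hard-codes suhosin-patch-5.2.16-0.9.7.patch.gz against a PORTVERSION of 5.2.17 with no explanatory comment. Please note next to the PATCHFILES line that the 5.2.16 Suhosin patch is being reused on purpose, so a later version bump does not silently carry the stale pin forward or revert it to ${PORTVERSION} before a matching patch exists.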
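Review bot: The lang/php52/distinfo hunk removes the checksum entries for php-5.2.14-fpm-0.5.14-freebsd.patch.gz and php-5.2.10-mail-header.patch, but the lang/php52/Makefile hunks change only PORTVERSION and the Suhosin line. If the FPM and mail-header patches are still optional PATCHFILES in the Makefile, enabling either option will fail checksum verification because distinfo no longer lists the file. Please restore both pairs of SHA256 and SIZE lines (regenerating distinfo with those options switched on), or remove the options from the Makefile as part of this patch.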
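Review bot: In the security/vuxml/vuln.xml hunk, the topic reads "php -- multiple vulnerabilities" but the body and references list a single issue, bug #53632 with CVE-2010-4645. Suggest a topic that names that one issue so the entry is not mistaken for a wider advisory. Two smaller points in the same hunk: a brand-new entry should carry only the discovery and entry dates, with modified added when the entry is later edited, and "PHP developers reports:" should read "PHP developers report:". The two release pages already given in the blockquote cite attributes could also be listed as url elements under references.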