Date: Sat, 12 Aug 2006 07:01:42 GMT From: dawnshade <h-k@mail.ru> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/101864: [PATCH] lang/php4 4.4.3 security problem Message-ID: <200608120701.k7C71gQ5063541@www.freebsd.org> Resent-Message-ID: <200608120710.k7C7A5cd079261@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 101864 >Category: ports >Synopsis: [PATCH] lang/php4 4.4.3 security problem >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Aug 12 07:10:04 GMT 2006 >Closed-Date: >Last-Modified: >Originator: dawnshade >Release: 6.1-RELEASE >Organization: - >Environment: FreeBSD mail.host.ru 6.1-RELEASE-p2 FreeBSD 6.1-RELEASE-p2 #0: Sun Jul 2 10:34:26 MSD 2006 root@mail.host.ru:/usr/src/sys/i386/compile/mail_kern_8 i386 >Description: lang/php 4.4.3 have security problem, which fixed only in CVS. Advisory: http://secunia.com/advisories/21403/ Original bug: http://bugs.php.net/bug.php?id=38322 Patch from vendor: http://tony2001.phpclub.net/dev/tmp/bug38322.diff >How-To-Repeat: - >Fix: Apply following patch: mail# diff -ruN php4 php4.old diff -ruN php4/Makefile php4.old/Makefile --- php4/Makefile Sat Aug 12 10:54:14 2006 +++ php4.old/Makefile Tue Aug 8 16:56:10 2006 @@ -7,7 +7,7 @@ PORTNAME= php4 PORTVERSION= 4.4.3 -PORTREVISION?= 1 +PORTREVISION?= 0 CATEGORIES?= lang devel www MASTER_SITES= ${MASTER_SITE_PHP:S,$,:release,} \ http://downloads.php.net/ilia/:rc \ diff -ruN php4/patch-scanf.c php4.old/patch-scanf.c --- php4/patch-scanf.c Fri Aug 4 13:27:18 2006 +++ php4.old/patch-scanf.c Thu Jan 1 03:00:00 1970 @@ -1,73 +0,0 @@ -Index: ext/standard/scanf.c -=================================================================== -RCS file: /repository/php-src/ext/standard/scanf.c,v -retrieving revision 1.31.2.2 -diff -u -p -d -r1.31.2.2 scanf.c ---- ext/standard/scanf.c 1 Jan 2006 12:50:15 -0000 1.31.2.2 -+++ ext/standard/scanf.c 4 Aug 2006 09:26:55 -0000 -@@ -762,7 +762,9 @@ PHPAPI int php_sscanf_internal( char *st - switch (*ch) { - case 'n': - if (!(flags & SCAN_SUPPRESS)) { -- if (numVars) { -+ if (numVars && objIndex >= argCount) { -+ break; -+ } else if (numVars) { - zend_uint refcount; - - current = args[objIndex++]; -@@ -888,7 +890,9 @@ PHPAPI int php_sscanf_internal( char *st - } - } - if (!(flags & SCAN_SUPPRESS)) { -- if (numVars) { -+ if (numVars && objIndex >= argCount) { -+ break; -+ } else if (numVars) { - zend_uint refcount; - - current = args[objIndex++]; -@@ -932,7 +936,9 @@ PHPAPI int php_sscanf_internal( char *st - goto done; - } - if (!(flags & SCAN_SUPPRESS)) { -- if (numVars) { -+ if (numVars && objIndex >= argCount) { -+ break; -+ } else if (numVars) { - current = args[objIndex++]; - zval_dtor( *current ); - ZVAL_STRINGL( *current, string, end-string, 1); -@@ -1089,7 +1095,9 @@ PHPAPI int php_sscanf_internal( char *st - value = (int) (*fn)(buf, NULL, base); - if ((flags & SCAN_UNSIGNED) && (value < 0)) { - sprintf(buf, "%u", value); /* INTL: ISO digit */ -- if (numVars) { -+ if (numVars && objIndex >= argCount) { -+ break; -+ } else if (numVars) { - /* change passed value type to string */ - current = args[objIndex++]; - convert_to_string( *current ); -@@ -1098,7 +1106,9 @@ PHPAPI int php_sscanf_internal( char *st - add_index_string(*return_value, objIndex++, buf, 1); - } - } else { -- if (numVars) { -+ if (numVars && objIndex >= argCount) { -+ break; -+ } else if (numVars) { - current = args[objIndex++]; - convert_to_long( *current ); - Z_LVAL(**current) = value; -@@ -1206,7 +1216,9 @@ PHPAPI int php_sscanf_internal( char *st - double dvalue; - *end = '\0'; - dvalue = zend_strtod(buf, NULL); -- if (numVars) { -+ if (numVars && objIndex >= argCount) { -+ break; -+ } else if (numVars) { - current = args[objIndex++]; - convert_to_double( *current ); - Z_DVAL_PP( current ) = dvalue; >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608120701.k7C71gQ5063541>