From owner-freebsd-ports-bugs@FreeBSD.ORG  Sat Aug 12 07:10:09 2006
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6E20B16A501
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Sat, 12 Aug 2006 07:10:09 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9519943D4C
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Sat, 12 Aug 2006 07:10:05 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k7C7A5pm079262
	for <freebsd-ports-bugs@freefall.freebsd.org>;
	Sat, 12 Aug 2006 07:10:05 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k7C7A5cd079261;
	Sat, 12 Aug 2006 07:10:05 GMT (envelope-from gnats)
Resent-Date: Sat, 12 Aug 2006 07:10:05 GMT
Resent-Message-Id: <200608120710.k7C7A5cd079261@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, dawnshade <h-k@mail.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1B10616A4DE
	for <freebsd-gnats-submit@FreeBSD.org>;
	Sat, 12 Aug 2006 07:01:43 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C336C43D45
	for <freebsd-gnats-submit@FreeBSD.org>;
	Sat, 12 Aug 2006 07:01:42 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k7C71ggM063542
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 12 Aug 2006 07:01:42 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k7C71gQ5063541;
	Sat, 12 Aug 2006 07:01:42 GMT (envelope-from nobody)
Message-Id: <200608120701.k7C71gQ5063541@www.freebsd.org>
Date: Sat, 12 Aug 2006 07:01:42 GMT
From: dawnshade <h-k@mail.ru>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Cc: 
Subject: ports/101864: [PATCH] lang/php4 4.4.3 security problem
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Aug 2006 07:10:09 -0000


>Number:         101864
>Category:       ports
>Synopsis:       [PATCH] lang/php4 4.4.3 security problem
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 12 07:10:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     dawnshade
>Release:        6.1-RELEASE
>Organization:
-
>Environment:
FreeBSD mail.host.ru 6.1-RELEASE-p2 FreeBSD 6.1-RELEASE-p2 #0: Sun Jul  2 10:34:26 MSD 2006     root@mail.host.ru:/usr/src/sys/i386/compile/mail_kern_8  i386
>Description:
lang/php 4.4.3 have security problem, which fixed only in CVS.
Advisory: http://secunia.com/advisories/21403/
Original bug: http://bugs.php.net/bug.php?id=38322
Patch from vendor: http://tony2001.phpclub.net/dev/tmp/bug38322.diff
>How-To-Repeat:
-
>Fix:
Apply following patch:

mail# diff -ruN php4 php4.old 
diff -ruN php4/Makefile php4.old/Makefile
--- php4/Makefile       Sat Aug 12 10:54:14 2006
+++ php4.old/Makefile   Tue Aug  8 16:56:10 2006
@@ -7,7 +7,7 @@
 
 PORTNAME=      php4
 PORTVERSION=   4.4.3
-PORTREVISION?= 1
+PORTREVISION?= 0
 CATEGORIES?=   lang devel www
 MASTER_SITES=  ${MASTER_SITE_PHP:S,$,:release,} \
                http://downloads.php.net/ilia/:rc \
diff -ruN php4/patch-scanf.c php4.old/patch-scanf.c
--- php4/patch-scanf.c  Fri Aug  4 13:27:18 2006
+++ php4.old/patch-scanf.c      Thu Jan  1 03:00:00 1970
@@ -1,73 +0,0 @@
-Index: ext/standard/scanf.c
-===================================================================
-RCS file: /repository/php-src/ext/standard/scanf.c,v
-retrieving revision 1.31.2.2
-diff -u -p -d -r1.31.2.2 scanf.c
---- ext/standard/scanf.c       1 Jan 2006 12:50:15 -0000       1.31.2.2
-+++ ext/standard/scanf.c       4 Aug 2006 09:26:55 -0000
-@@ -762,7 +762,9 @@ PHPAPI int php_sscanf_internal(    char *st
-               switch (*ch) {
-                       case 'n':
-                               if (!(flags & SCAN_SUPPRESS)) {
--                                      if (numVars) {
-+                                      if (numVars && objIndex >= argCount) {
-+                                              break;
-+                                      } else if (numVars) {
-                                               zend_uint refcount;
- 
-                                               current = args[objIndex++];
-@@ -888,7 +890,9 @@ PHPAPI int php_sscanf_internal(    char *st
-                                       }
-                               }
-                               if (!(flags & SCAN_SUPPRESS)) {
--                                      if (numVars) {
-+                                      if (numVars && objIndex >= argCount) {
-+                                              break;
-+                                      } else if (numVars) {
-                                               zend_uint refcount;
- 
-                                               current = args[objIndex++];
-@@ -932,7 +936,9 @@ PHPAPI int php_sscanf_internal(    char *st
-                                       goto done;
-                               }
-                               if (!(flags & SCAN_SUPPRESS)) {
--                                      if (numVars) {
-+                                      if (numVars && objIndex >= argCount) {
-+                                              break;
-+                                      } else if (numVars) {
-                                               current = args[objIndex++];
-                                               zval_dtor( *current );
-                                               ZVAL_STRINGL( *current, string, end-string, 1);
-@@ -1089,7 +1095,9 @@ PHPAPI int php_sscanf_internal(  char *st
-                                       value = (int) (*fn)(buf, NULL, base);
-                                       if ((flags & SCAN_UNSIGNED) && (value < 0)) {
-                                               sprintf(buf, "%u", value); /* INTL: ISO digit */
--                                              if (numVars) {
-+                                              if (numVars && objIndex >= argCount) {
-+                                                      break;
-+                                              } else if (numVars) {
-                                                 /* change passed value type to string */
-                                                  current = args[objIndex++];
-                                                  convert_to_string( *current );
-@@ -1098,7 +1106,9 @@ PHPAPI int php_sscanf_internal(  char *st
-                                                       add_index_string(*return_value, objIndex++, buf, 1);
-                                               }
-                                       } else {
--                                              if (numVars) {
-+                                              if (numVars && objIndex >= argCount) {
-+                                                      break;
-+                                              } else if (numVars) {
-                                                       current = args[objIndex++];
-                                                       convert_to_long( *current );
-                                                       Z_LVAL(**current) = value;
-@@ -1206,7 +1216,9 @@ PHPAPI int php_sscanf_internal(  char *st
-                                       double dvalue;
-                                       *end = '\0';
-                                       dvalue = zend_strtod(buf, NULL);
--                                      if (numVars) {
-+                                      if (numVars && objIndex >= argCount) {
-+                                              break;
-+                                      } else if (numVars) {
-                                               current = args[objIndex++];
-                                               convert_to_double( *current );
-                                               Z_DVAL_PP( current ) = dvalue;
>Release-Note:
>Audit-Trail:
>Unformatted: