Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 12 Aug 2006 07:01:42 GMT
From:      dawnshade <h-k@mail.ru>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/101864: [PATCH] lang/php4 4.4.3 security problem
Message-ID:  <200608120701.k7C71gQ5063541@www.freebsd.org>
Resent-Message-ID: <200608120710.k7C7A5cd079261@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         101864
>Category:       ports
>Synopsis:       [PATCH] lang/php4 4.4.3 security problem
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 12 07:10:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     dawnshade
>Release:        6.1-RELEASE
>Organization:
-
>Environment:
FreeBSD mail.host.ru 6.1-RELEASE-p2 FreeBSD 6.1-RELEASE-p2 #0: Sun Jul  2 10:34:26 MSD 2006     root@mail.host.ru:/usr/src/sys/i386/compile/mail_kern_8  i386
>Description:
lang/php 4.4.3 have security problem, which fixed only in CVS.
Advisory: http://secunia.com/advisories/21403/
Original bug: http://bugs.php.net/bug.php?id=38322
Patch from vendor: http://tony2001.phpclub.net/dev/tmp/bug38322.diff
>How-To-Repeat:
-
>Fix:
Apply following patch:

mail# diff -ruN php4 php4.old 
diff -ruN php4/Makefile php4.old/Makefile
--- php4/Makefile       Sat Aug 12 10:54:14 2006
+++ php4.old/Makefile   Tue Aug  8 16:56:10 2006
@@ -7,7 +7,7 @@
 
 PORTNAME=      php4
 PORTVERSION=   4.4.3
-PORTREVISION?= 1
+PORTREVISION?= 0
 CATEGORIES?=   lang devel www
 MASTER_SITES=  ${MASTER_SITE_PHP:S,$,:release,} \
                http://downloads.php.net/ilia/:rc \
diff -ruN php4/patch-scanf.c php4.old/patch-scanf.c
--- php4/patch-scanf.c  Fri Aug  4 13:27:18 2006
+++ php4.old/patch-scanf.c      Thu Jan  1 03:00:00 1970
@@ -1,73 +0,0 @@
-Index: ext/standard/scanf.c
-===================================================================
-RCS file: /repository/php-src/ext/standard/scanf.c,v
-retrieving revision 1.31.2.2
-diff -u -p -d -r1.31.2.2 scanf.c
---- ext/standard/scanf.c       1 Jan 2006 12:50:15 -0000       1.31.2.2
-+++ ext/standard/scanf.c       4 Aug 2006 09:26:55 -0000
-@@ -762,7 +762,9 @@ PHPAPI int php_sscanf_internal(    char *st
-               switch (*ch) {
-                       case 'n':
-                               if (!(flags & SCAN_SUPPRESS)) {
--                                      if (numVars) {
-+                                      if (numVars && objIndex >= argCount) {
-+                                              break;
-+                                      } else if (numVars) {
-                                               zend_uint refcount;
- 
-                                               current = args[objIndex++];
-@@ -888,7 +890,9 @@ PHPAPI int php_sscanf_internal(    char *st
-                                       }
-                               }
-                               if (!(flags & SCAN_SUPPRESS)) {
--                                      if (numVars) {
-+                                      if (numVars && objIndex >= argCount) {
-+                                              break;
-+                                      } else if (numVars) {
-                                               zend_uint refcount;
- 
-                                               current = args[objIndex++];
-@@ -932,7 +936,9 @@ PHPAPI int php_sscanf_internal(    char *st
-                                       goto done;
-                               }
-                               if (!(flags & SCAN_SUPPRESS)) {
--                                      if (numVars) {
-+                                      if (numVars && objIndex >= argCount) {
-+                                              break;
-+                                      } else if (numVars) {
-                                               current = args[objIndex++];
-                                               zval_dtor( *current );
-                                               ZVAL_STRINGL( *current, string, end-string, 1);
-@@ -1089,7 +1095,9 @@ PHPAPI int php_sscanf_internal(  char *st
-                                       value = (int) (*fn)(buf, NULL, base);
-                                       if ((flags & SCAN_UNSIGNED) && (value < 0)) {
-                                               sprintf(buf, "%u", value); /* INTL: ISO digit */
--                                              if (numVars) {
-+                                              if (numVars && objIndex >= argCount) {
-+                                                      break;
-+                                              } else if (numVars) {
-                                                 /* change passed value type to string */
-                                                  current = args[objIndex++];
-                                                  convert_to_string( *current );
-@@ -1098,7 +1106,9 @@ PHPAPI int php_sscanf_internal(  char *st
-                                                       add_index_string(*return_value, objIndex++, buf, 1);
-                                               }
-                                       } else {
--                                              if (numVars) {
-+                                              if (numVars && objIndex >= argCount) {
-+                                                      break;
-+                                              } else if (numVars) {
-                                                       current = args[objIndex++];
-                                                       convert_to_long( *current );
-                                                       Z_LVAL(**current) = value;
-@@ -1206,7 +1216,9 @@ PHPAPI int php_sscanf_internal(  char *st
-                                       double dvalue;
-                                       *end = '\0';
-                                       dvalue = zend_strtod(buf, NULL);
--                                      if (numVars) {
-+                                      if (numVars && objIndex >= argCount) {
-+                                              break;
-+                                      } else if (numVars) {
-                                               current = args[objIndex++];
-                                               convert_to_double( *current );
-                                               Z_DVAL_PP( current ) = dvalue;
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608120701.k7C71gQ5063541>