authorNatanael Copa <ncopa@alpinelinux.org>2012-01-10 15:55:45 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2012-01-10 15:56:44 +0000
commit651558b41f361eb94133a5a1c1c9f767e9574036 (patch)
tree7e9afd9363bf00297b06740a7d6473e9ebd36ce7
parentaec8070d40f61980210134fec4b6ef9ba937a5a7 (diff)
main/php: security fix (CVE-2011-4885)
fixes #919 (cherry picked from commit 048cf16b51fd845e1c8aeb09437cec687e83228f)
-rw-r--r--main/php/APKBUILD4
-rw-r--r--main/php/max_input_vars.patch63
2 files changed, 66 insertions, 1 deletions
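--- a/main/php/APKBUILD
+++ b/main/php/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=php
 pkgver=5.3.8
 _suhosinver=5.3.7-0.9.10
-pkgrel=1
+pkgrel=2
 pkgdesc="The PHP language runtime engine"
 url="http://www.php.net/"
 arch="all"
@@ -73,6 +73,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-common $pkgname-cgi
 
 # http://download.suhosin.org/suhosin-patch-${_suhosinver}.patch.gz
 source="http://www.php.net/distributions/${pkgname}-${pkgver}.tar.bz2
+ max_input_vars.patch
  php-install-pear-xml.patch
  suhosin-patch-${_suhosinver}.patch
  php-fpm.initd
@@ -443,6 +444,7 @@ mssql() { _mv_ext mssql; }
 pdo_dblib() { _mv_ext pdo_dblib "php-pdo freetds"; }
 
 md5sums="704cd414a0565d905e1074ffdc1fadfb php-5.3.8.tar.bz2
+031c6fdcfbd45366fea32b697893d511 max_input_vars.patch
 5111e3be06d391f8772587c675240fab php-install-pear-xml.patch
 8bd8840465d6bcd8e1e5d2cec80a1bfc suhosin-patch-5.3.7-0.9.10.patch
 8f2bb2b744a2de50025842cb51fb6a3a php-fpm.initd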
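Review bot: Nothing in these three hunks applies max_input_vars.patch: the commit only lists it in `source` (new line 76) and `md5sums` (new line 447), and the diffstat shows four changed lines in APKBUILD, so the CVE-2011-4885 fix takes effect only if prepare() already applies every `*.patch` named in `$source`. prepare() lies outside the hunks, so this should be confirmed from the build log, checking that main/php_variables.c and main/main.c are actually patched. A comment above the new source entry, for example `# max_input_vars.patch: CVE-2011-4885 fix, must be applied in prepare()`, would keep that dependency visible to whoever next edits the patch list.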
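--- /dev/null
+++ b/main/php/max_input_vars.patch
@@ -0,0 +1,63 @@
+Index: PHP_5_3/NEWS
+===================================================================
+--- PHP_5_3/NEWS (revision 321037)
++++ PHP_5_3/NEWS (revision 321038)
+@@ -2,6 +2,10 @@
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ ?? ??? 2011, PHP 5.3.9
+
++- Core:
++ . Added max_input_vars directive to prevent attacks based on hash collisions
++ (Dmitry).
++
+ - Streams:
+ . Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together
+ with the last read). (Gustavo)
+Index: PHP_5_3/main/php_variables.c
+===================================================================
+--- PHP_5_3/main/php_variables.c (revision 321037)
++++ PHP_5_3/main/php_variables.c (revision 321038)
+@@ -191,6 +191,9 @@
+ }
+ if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
+ || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
++ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++ }
+ MAKE_STD_ZVAL(gpc_element);
+ array_init(gpc_element);
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+@@ -236,6 +239,9 @@
+ zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
+ zval_ptr_dtor(&gpc_element);
+ } else {
++ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++ }
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ }
+ if (escaped_index != index) {
+Index: PHP_5_3/main/main.c
+===================================================================
+--- PHP_5_3/main/main.c (revision 321037)
++++ PHP_5_3/main/main.c (revision 321038)
+@@ -512,6 +512,7 @@
+ STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
+ STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
++ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
+
+ STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
+--- ./main/php_globals.h.orig
++++ ./main/php_globals.h
+@@ -170,6 +170,9 @@
+ char *mail_log;
+
+ zend_bool in_error_log;
++
++ long max_input_vars;
++
+ };
+
+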
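Review bot: Both new checks in main/php_variables.c (patch lines 24-26 and 34-36) depend on `php_error_docref(..., E_ERROR, ...)` never returning: if that call does return, the `zend_symtable_update` after the `if` still runs and the limit has no effect. A comment at each site such as `/* E_ERROR aborts the request; the insert below must not run past the limit */` would record that dependency for anyone who later changes the error level. The value compared is `zend_hash_num_elements(symtable1)`, which appears to be the array currently being filled rather than a request-wide total, so nested input could hold up to the limit at every nesting level. Because the ini entry uses `OnUpdateLongGEZero`, `max_input_vars = 0` is accepted and makes the `>=` test true on the first variable rather than meaning "unlimited", which the directive's documentation should state. Both enclosing functions lie outside the hunks, so these readings should be confirmed against the full file.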