diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2012-01-10 15:55:45 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-01-10 15:56:44 +0000 |
commit | 651558b41f361eb94133a5a1c1c9f767e9574036 (patch) | |
tree | 7e9afd9363bf00297b06740a7d6473e9ebd36ce7 | |
parent | aec8070d40f61980210134fec4b6ef9ba937a5a7 (diff) | |
download | alpine_aports-651558b41f361eb94133a5a1c1c9f767e9574036.tar.bz2 alpine_aports-651558b41f361eb94133a5a1c1c9f767e9574036.tar.xz alpine_aports-651558b41f361eb94133a5a1c1c9f767e9574036.zip |
main/php: security fix (CVE-2011-4885)
fixes #919
(cherry picked from commit 048cf16b51fd845e1c8aeb09437cec687e83228f)
-rw-r--r-- | main/php/APKBUILD | 4 | ||||
-rw-r--r-- | main/php/max_input_vars.patch | 63 |
2 files changed, 66 insertions, 1 deletions
diff --git a/main/php/APKBUILD b/main/php/APKBUILD index 0162ca2292..d8a0bbe8e6 100644 --- a/main/php/APKBUILD +++ b/main/php/APKBUILD | |||
@@ -3,7 +3,7 @@ | |||
3 | pkgname=php | 3 | pkgname=php |
4 | pkgver=5.3.8 | 4 | pkgver=5.3.8 |
5 | _suhosinver=5.3.7-0.9.10 | 5 | _suhosinver=5.3.7-0.9.10 |
6 | pkgrel=1 | 6 | pkgrel=2 |
7 | pkgdesc="The PHP language runtime engine" | 7 | pkgdesc="The PHP language runtime engine" |
8 | url="http://www.php.net/" | 8 | url="http://www.php.net/" |
9 | arch="all" | 9 | arch="all" |
@@ -73,6 +73,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-common $pkgname-cgi | |||
73 | 73 | ||
74 | # http://download.suhosin.org/suhosin-patch-${_suhosinver}.patch.gz | 74 | # http://download.suhosin.org/suhosin-patch-${_suhosinver}.patch.gz |
75 | source="http://www.php.net/distributions/${pkgname}-${pkgver}.tar.bz2 | 75 | source="http://www.php.net/distributions/${pkgname}-${pkgver}.tar.bz2 |
76 | max_input_vars.patch | ||
76 | php-install-pear-xml.patch | 77 | php-install-pear-xml.patch |
77 | suhosin-patch-${_suhosinver}.patch | 78 | suhosin-patch-${_suhosinver}.patch |
78 | php-fpm.initd | 79 | php-fpm.initd |
@@ -443,6 +444,7 @@ mssql() { _mv_ext mssql; } | |||
443 | pdo_dblib() { _mv_ext pdo_dblib "php-pdo freetds"; } | 444 | pdo_dblib() { _mv_ext pdo_dblib "php-pdo freetds"; } |
444 | 445 | ||
445 | md5sums="704cd414a0565d905e1074ffdc1fadfb php-5.3.8.tar.bz2 | 446 | md5sums="704cd414a0565d905e1074ffdc1fadfb php-5.3.8.tar.bz2 |
447 | 031c6fdcfbd45366fea32b697893d511 max_input_vars.patch | ||
446 | 5111e3be06d391f8772587c675240fab php-install-pear-xml.patch | 448 | 5111e3be06d391f8772587c675240fab php-install-pear-xml.patch |
447 | 8bd8840465d6bcd8e1e5d2cec80a1bfc suhosin-patch-5.3.7-0.9.10.patch | 449 | 8bd8840465d6bcd8e1e5d2cec80a1bfc suhosin-patch-5.3.7-0.9.10.patch |
448 | 8f2bb2b744a2de50025842cb51fb6a3a php-fpm.initd | 450 | 8f2bb2b744a2de50025842cb51fb6a3a php-fpm.initd |
diff --git a/main/php/max_input_vars.patch b/main/php/max_input_vars.patch new file mode 100644 index 0000000000..8366a3dd6b --- /dev/null +++ b/main/php/max_input_vars.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | Index: PHP_5_3/NEWS | ||
2 | =================================================================== | ||
3 | --- PHP_5_3/NEWS (revision 321037) | ||
4 | +++ PHP_5_3/NEWS (revision 321038) | ||
5 | @@ -2,6 +2,10 @@ | ||
6 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| | ||
7 | ?? ??? 2011, PHP 5.3.9 | ||
8 | |||
9 | +- Core: | ||
10 | + . Added max_input_vars directive to prevent attacks based on hash collisions | ||
11 | + (Dmitry). | ||
12 | + | ||
13 | - Streams: | ||
14 | . Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together | ||
15 | with the last read). (Gustavo) | ||
16 | Index: PHP_5_3/main/php_variables.c | ||
17 | =================================================================== | ||
18 | --- PHP_5_3/main/php_variables.c (revision 321037) | ||
19 | +++ PHP_5_3/main/php_variables.c (revision 321038) | ||
20 | @@ -191,6 +191,9 @@ | ||
21 | } | ||
22 | if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE | ||
23 | || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { | ||
24 | + if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { | ||
25 | + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); | ||
26 | + } | ||
27 | MAKE_STD_ZVAL(gpc_element); | ||
28 | array_init(gpc_element); | ||
29 | zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); | ||
30 | @@ -236,6 +239,9 @@ | ||
31 | zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { | ||
32 | zval_ptr_dtor(&gpc_element); | ||
33 | } else { | ||
34 | + if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { | ||
35 | + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); | ||
36 | + } | ||
37 | zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); | ||
38 | } | ||
39 | if (escaped_index != index) { | ||
40 | Index: PHP_5_3/main/main.c | ||
41 | =================================================================== | ||
42 | --- PHP_5_3/main/main.c (revision 321037) | ||
43 | +++ PHP_5_3/main/main.c (revision 321038) | ||
44 | @@ -512,6 +512,7 @@ | ||
45 | STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) | ||
46 | STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) | ||
47 | STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) | ||
48 | + STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) | ||
49 | |||
50 | STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) | ||
51 | STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) | ||
52 | --- ./main/php_globals.h.orig | ||
53 | +++ ./main/php_globals.h | ||
54 | @@ -170,6 +170,9 @@ | ||
55 | char *mail_log; | ||
56 | |||
57 | zend_bool in_error_log; | ||
58 | + | ||
59 | + long max_input_vars; | ||
60 | + | ||
61 | }; | ||
62 | |||
63 | |||