PHP 5.2.17 developers do not fix critical issues in PHP 5.2.x because PHP 5.2.x is EOL. As far as I know, the lang/php52 port will be deleted soon due to insecurity. I propose a solution that will fix it.

The CentALT maintainer made backports from PHP 5.3.x to PHP 5.2 (http://centos.alt.ru/?p=571) to fix some issues and vulnerabilities. I took the CVE patches from http://centos.alt.ru/?p=566 (php-5.2.17-7.el5.src.rpm) and added them to the port as an install option, which fixes these problems:

CVE-2011-2202 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."

CVE-2011-1938 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.

CVE-2011-1148 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1148
Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.

CVE-2011-0708 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0708
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.

CVE-2011-1092 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1092
Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (crash) and possibly read sensitive memory via a large third argument to the shmop_read function.

CVE-2011-0421 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a locateName or statName operation.

I planned to take patches from newer versions of PHP from centos.alt.ru and add them to the port of PHP 5.2.17 for as long as the port has any need of them. Operability of the port has been tested in the assembly and with basic applications on FreeBSD 8.2 amd64. If the backports cause any problem, they can be easily disabled.

Fix: Apply the patch to lang/php52. With these patches the port is completely secure, so remove the vulnerable mark from it (http://www.freshports.org/lang/php52/ vulnerable mark).

Port summary:
- security fixes for CVE-2011-2202, CVE-2011-1938, CVE-2011-1148, CVE-2011-0708, CVE-2011-1092, CVE-2011-0421 vulnerabilities
- option BACKPORTS in port config to enable port patches (enabled by default)
- bump PORTREVISION

Patch attached with submission follows:
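The patch attached to the PR is not reproduced on this page, so the following is an added, constructed illustration (not the submitter's patch and not the committed lang/php52 Makefile) of how a FreeBSD port Makefile of that era could expose a BACKPORTS option that applies externally fetched security patches, enabled by default, with a PORTREVISION bump so already-installed packages get rebuilt with the fixes. The variable names (OPTIONS, WITH_BACKPORTS, PATCH_SITES, PATCHFILES, PATCH_DIST_STRIP, PORTREVISION) are the standard ports-framework ones; the patch file names, the patch site URL and the -p1 strip level are placeholders assumed for the example.

```make
# Constructed excerpt of a lang/php52-style Makefile (added example, not the
# patch from ports/160805). Patch file names, site URL and strip level are
# placeholders; the framework variables are the real FreeBSD ports ones.

PORTNAME=	php52
PORTVERSION=	5.2.17
PORTREVISION=	7		# bumped so existing packages are rebuilt with the fixes
CATEGORIES=	lang

# Old-style OPTIONS entry: name, description, default. "on" means the
# framework defines WITH_BACKPORTS unless the user turns it off in
# `make config` (or builds with -DWITHOUT_BACKPORTS).
OPTIONS=	BACKPORTS "Apply security backports for PHP 5.2 CVE fixes" on

.include <bsd.port.pre.mk>

.if defined(WITH_BACKPORTS)
# Patches are fetched like distfiles, so their checksums must be recorded in
# distinfo with `make makesum`; `make checksum` then refuses a patch whose
# hash does not match. Site and file names below are placeholders.
PATCH_SITES=	http://example.invalid/php52-backports/
PATCHFILES=	php52-CVE-2011-2202.patch \
		php52-CVE-2011-1938.patch \
		php52-CVE-2011-1148.patch \
		php52-CVE-2011-0708.patch \
		php52-CVE-2011-1092.patch \
		php52-CVE-2011-0421.patch
# Strip level assumed for patches taken from a source RPM rooted one
# directory above the PHP tree.
PATCH_DIST_STRIP=	-p1
.endif

.include <bsd.port.post.mk>
```

With this layout the option can be toggled per host through `make config` or `-DWITHOUT_BACKPORTS`, which matches the PR's point that the backports can be easily disabled if they cause a problem, and `make -V PATCHFILES` in the port directory shows whether the patch set is active for the current configuration. Keeping the patch checksums in distinfo is what ties the fetched fixes to what was reviewed, which is why a commit of this kind touches distinfo as well as the Makefile.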
Maintainer of lang/php52, Please note that PR ports/160805 has just been submitted. If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it. The full text of the PR can be found at: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/160805 -- Edwin Groothuis via the GNATS Auto Assign Tool edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Please, commit this.
State Changed From-To: feedback->open Maintainer approved.
Somebody, commit this or say why not?
State Changed From-To: open->feedback secteam, please review and give an opinion as to whether this will clear the vulnerabilities. It's not clear to me why keeping 5.2 after its EOL is a feature, but if you guys decide it's Ok to keep it with these patches I'm not opposed. FYI, it's scheduled for deletion on 2011-10-14.
Responsible Changed From-To: freebsd-ports-bugs->secteam Security ... it's not just a job, it's an adventure.
State Changed From-To: feedback->open Maintainer approved security patch.
Responsible Changed From-To: secteam->delphij Take.
delphij 2011-09-29 17:53:25 UTC
FreeBSD ports repository

Modified files:
  lang/php52 Makefile distinfo

Log:
- security fixes for CVE-2011-2202, CVE-2011-1938, CVE-2011-1148, CVE-2011-0708, CVE-2011-1092, CVE-2011-0421 vulnerabilities
- option BACKPORTS in port config to enable port patches (enabled by default)
- bump PORTREVISION

Submitted by: Svyatoslav Lempert <svyatoslav.lempert gmail.com>
PR: ports/160805
Approved by: maintainer

Revision  Changes  Path
1.22      +16 -3   ports/lang/php52/Makefile
1.9       +12 -0   ports/lang/php52/distinfo
State Changed From-To: open->closed Committed, thanks!