Bug 164849 - [update] lang/php52 security fixes
Summary: [update] lang/php52 security fixes
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Ruslan Makhmatkhanov
Reported: 2012-02-07 13:50 UTC by Svyatoslav Lempert
Modified: 2012-05-15 15:20 UTC (History)

Attachments
file.diff (16.28 KB, patch)
2012-02-07 13:50 UTC, Svyatoslav Lempert

Description Svyatoslav Lempert 2012-02-07 13:50:12 UTC
A large number of changes in the port, and a patch for the ports tree for the patch files in the 'files' folders of slave ports, because the security patch must be applied to all of them - see
http://lists.freebsd.org/pipermail/freebsd-ports/2012-February/072834.html (this topic is not answered, but I did not find another way - changed the relative path to the working directory).
Now all security fixes are OK, I checked it.

Port committers, please (re)move EXPIRATION_DATE to the future - the port is secure and, by my statistics, is installed by about 1,000 people a month.

Thank you in advance

Changes:

- security fixes CVE-2012-0830, CVE-2011-1466, CVE-2011-1471 in 20120203 security patchset
- security problem fix for PHP extensions (now all security patches applied)
- php52-backports patch always installed now

Fix: Patch attached with submission follows:
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2012-02-07 13:50:20 UTC
Maintainer of lang/php52,

Please note that PR ports/164849 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/164849

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2012-02-07 13:50:22 UTC
State Changed
From-To: open->feedback

Awaiting maintainer's feedback (via the GNATS Auto Assign Tool)
Comment 3 admin 2012-02-07 15:28:02 UTC
Please commit this patch.
Comment 4 Philip M. Gollucci freebsd_committer freebsd_triage 2012-02-10 01:24:03 UTC
State Changed
From-To: feedback->open

Maintainer approved
Comment 5 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2012-02-23 09:29:50 UTC
Responsible Changed
From-To: freebsd-ports-bugs->rm

I will take it.
Comment 6 Michael Scheidell freebsd_committer freebsd_triage 2012-05-05 12:25:33 UTC
Further fixes are needed.

see <http://www.vuxml.org/freebsd/60de13d5-95f0-11e1-806a-001143cd36d8.html>

php.net has not released a fix for 5.2 yet.

-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
d: +1.561.948.2259
w: http://people.freebsd.org/~scheidell
Comment 7 dfilter service freebsd_committer freebsd_triage 2012-05-05 16:18:31 UTC
rm          2012-05-05 15:18:09 UTC

  FreeBSD ports repository

  Modified files:
    converters/php52-mbstring/files patch-config.m4 
                                    patch-oniguruma_regerror.c 
    databases/php52-dba/files patch-config.m4 
    databases/php52-oci8/files patch-config.m4 
    databases/php52-odbc/files patch-config.m4 
    databases/php52-pdo_oci/files patch-config.m4 
    databases/php52-pdo_sqlite/files patch-sqlite_statement.c 
    databases/php52-pgsql/files patch-pgsql.c 
    databases/php52-sqlite/files patch-config.m4 
    devel/php52-gettext/files patch-config.m4 
    devel/php52-pcre/files patch-php_pcre.c 
    devel/php52-readline/files patch-config.m4 
    devel/php52-spl/files patch-config.m4 
    graphics/php52-gd/files patch-config.m4 patch-libgd_gd_png.c 
    lang/php52           Makefile Makefile.ext 
    math/php52-gmp/files patch-gmp.c 
    net/php52-soap/files patch-soap.c 
    security/php52-filter/files patch-config.m4 
    sysutils/php52-posix/files patch-posix.c 
    textproc/php52-wddx/files patch-config.m4 patch-wddx.c 
    textproc/php52-xml/files patch-compat.c 
    textproc/php52-xsl/files patch-php_xsl.h 
  Log:
  - apply BACKPORTS patch unconditionally and remove BACKPORTS option
  - update backports patch to latest version (20120504)
  - align pathnames in slave ports
  - bump PORTREVISION
  
  The only drawback of this change is that now, for building every slave
  port (php extension), we are extracting the full php52 source tree.
  
  Apologies that it took that long.
  
  PR:             164849
  Submitted by:   Svyatoslav Lempert <svyatoslav.lempert at gmail dot com>
  Approved by:    Alex Keda <admin at lissyara dot su>
  Security:       60de13d5-95f0-11e1-806a-001143cd36d8
  
  Revision  Changes    Path
  1.2       +2 -2      ports/converters/php52-mbstring/files/patch-config.m4
  1.2       +2 -2      ports/converters/php52-mbstring/files/patch-oniguruma_regerror.c
  1.3       +2 -2      ports/databases/php52-dba/files/patch-config.m4
  1.2       +2 -2      ports/databases/php52-oci8/files/patch-config.m4
  1.2       +2 -2      ports/databases/php52-odbc/files/patch-config.m4
  1.2       +2 -2      ports/databases/php52-pdo_oci/files/patch-config.m4
  1.2       +2 -2      ports/databases/php52-pdo_sqlite/files/patch-sqlite_statement.c
  1.2       +2 -2      ports/databases/php52-pgsql/files/patch-pgsql.c
  1.2       +2 -2      ports/databases/php52-sqlite/files/patch-config.m4
  1.2       +2 -2      ports/devel/php52-gettext/files/patch-config.m4
  1.3       +2 -2      ports/devel/php52-pcre/files/patch-php_pcre.c
  1.2       +2 -2      ports/devel/php52-readline/files/patch-config.m4
  1.2       +2 -2      ports/devel/php52-spl/files/patch-config.m4
  1.2       +2 -2      ports/graphics/php52-gd/files/patch-config.m4
  1.2       +2 -2      ports/graphics/php52-gd/files/patch-libgd_gd_png.c
  1.29      +7 -10     ports/lang/php52/Makefile
  1.16      +10 -8     ports/lang/php52/Makefile.ext
  1.2       +2 -2      ports/math/php52-gmp/files/patch-gmp.c
  1.2       +2 -2      ports/net/php52-soap/files/patch-soap.c
  1.2       +2 -2      ports/security/php52-filter/files/patch-config.m4
  1.2       +2 -2      ports/sysutils/php52-posix/files/patch-posix.c
  1.2       +2 -2      ports/textproc/php52-wddx/files/patch-config.m4
  1.2       +2 -2      ports/textproc/php52-wddx/files/patch-wddx.c
  1.2       +2 -2      ports/textproc/php52-xml/files/patch-compat.c
  1.2       +2 -2      ports/textproc/php52-xsl/files/patch-php_xsl.h
Comment 8 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2012-05-05 16:25:15 UTC
State Changed
From-To: open->closed

Committed, thank you!
Comment 9 Michael Scheidell freebsd_committer freebsd_triage 2012-05-15 15:19:16 UTC
Q: Does CVE-2006-7243 still apply to backports?
<http://www.vuxml.org/freebsd/CVE-2006-7243.html>

Affected package: php52-5.2.17_8
Type of problem: php -- NULL byte poisoning.
Reference: http://portaudit.FreeBSD.org/3761df02-0f9c-11e0-becc-0022156e8794.html

I saw no reference to CVE-2006-7243 in <http://code.google.com/p/php52-backports/>


-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
d: +1.561.948.2259
w: http://people.freebsd.org/~scheidell