Date: Thu, 7 Oct 2004 19:40:23 +0700 (NOVST)
From: Dmitry A Grigorovich <odip@bionet.nsc.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: ale@FreeBSD.org
Subject: ports/72420: [PATCH] Fix security bugs in php4-4.3.8_2 and more
Message-ID: <200410071240.i97CeNI8014823@pierino.bionet.nsc.ru>
Resent-Message-ID: <200410071250.i97CoPxF029898@freefall.freebsd.org>
>Number:         72420
>Category:       ports
>Synopsis:       [PATCH] Fix security bugs in php4-4.3.8_2 and more
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 07 12:50:24 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry A Grigorovich
>Release:        FreeBSD 4.8-RELEASE i386
>Organization:
ICIG SB RAS
>Environment:
System: FreeBSD pierino.bionet.nsc.ru 4.8-RELEASE FreeBSD 4.8-RELEASE #5: Sat Oct 4 02:28:14 NOVST 2003 root@pierino.bionet.nsc.ru:/usr/obj/usr/src/sys/ODIP i386
>Description:
1) Affected package: mod_php4-4.3.8_2,1
   Type of problem: php -- vulnerability in RFC 1867 file upload processing.
   Reference: <http://www.FreeBSD.org/ports/portaudit/562a3fdf-16d6-11d9-bc4a-000c41e2cdad.html>

2) Affected package: mod_php4-4.3.8_2,1
   Type of problem: php -- php_variables memory disclosure.
   Reference: <http://www.FreeBSD.org/ports/portaudit/ad74a1bd-16d2-11d9-bc4a-000c41e2cdad.html>

3) http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/72275
>How-To-Repeat:
See 1), 2), 3)
>Fix:
The following patch contains these files:

    patch-Mk
    patch-php4_variables.c
    patch-rfc1867.c
    patch-php-port

Type:

    cd /usr/ports
    patch <.../patch-Mk
    patch <.../patch-php-port
    cd /usr/ports/lang/php4/files
    cp .../patch-php4_variables.c .
    cp .../patch-rfc1867.c .

Files patch-php4_variables.c and patch-rfc1867.c are diffs between php-4.3.8 and php-4.3.9 (see them).
Problems (1) and (2) are fixed in cvs.php between releases 4.3.8 and 4.3.9.

Remove mod_php4, php4-extensions, php4-* subports.
Install mod_php4, php4-extensions, php4-* subports.

begin 644 patch-php4.tar.bz2
M0EIH.3%!6293660TE^8`"IG_C/FQ`%1________?_O_O__X``0``@`A@"PX.
MN^/>DM>J6UKS8V<X"2M4)=LHY'<PX))(R)HIY-H$:>I@1-JGLDU/32/U,C)/ M4/U&4\HS4-/U1M1H/$C]4&B4V(TRFT$U3::33`T```3"-#`````$P-4]&FBG ME(TVD])IHTT``/4``T```````!(20FDQ-1L35'B-3:3"-/4]3(T8FAH``!Z@ MT``!PQ&FF@T`:````&@R#30-`!HT`8AH!)(F3(`@:3:(F-"I[U*>FI^J>4>I MHWJ(]3]4'I#0`T]0:&GHAJ^"/:?'3@PAXY%(BLYAD"&I`D!6&$_<)-QY;'U@ MO2+[ZD[&%TU6$8Y&FQ-L6*&I"*`A-`J!E$B$@.3M=:Y%==R2,8VF-U(VFTV1 MQIMG+*=@EJ8ZA*DO"YN@JE<RI$4Z8,NJ!0-QHN3&T-C6K7]4>SGLKKPRM+%I ML*0P'(FP_S-U,/1_OMWRG?.&JR,R"R5R/,D8.4(0.,S1CWM#$6"43E=@4KK8 M/P+&1-.]EOQ<O:[G'O'\VZF3+X^3#H:F/C'HIC4&-CF_-5K'2A!B/M0UQ/-+ M4RK\['O/5$*VS1-N&R2F9L-$%REBAI);,-/T^:RBS"JAW3':)Z%R$),$T,). M#H.<<HZ%Q=Y-1[GK_'`WG@$7&35E(3"D_U<X<QSC28;.PW>`YKRV;(/H8FB; M(9@^-C7QA-W@;&/-$G3,YKF/1PKG7C8<,S\A!V82_R<H`PA]N[6XLV-SO`'[ M^WY-FV[1<HQ5PA'32E*HMJ$'F1DAF2/P2D?$,.[%7WJ7]6BQK(FFIBU@8S*6 M$LCLCVB/+1:G:UQ[,0]@I^(Q!\#6KY2'`T+^/0_P4'06?BR!`JY)=J]@W=F] M^]\[VQ8)\M=4DHMQMG6=O5<Q!]0:,5XDMD70IP.\PG90R4>+<B*XF$;0L1FA M%*W1GTGD4R,)/:$(0!NS*#0)6/<,=S2$DVO?.)#"@)DZRJ2'`6+FVC,0A"D= MM>S&.YJI":!*:WR;`S_]QG$$C)+:W$'WAS\-.CXK.ETB<#(^*A!UL+6P?&OP M060/*"U=9C"@(C0/4NTB07Q#",%[G\/JM0CM9'\S#2$%982N,!,#WPXIG[,) M=/M6QK7=S87T^<_'M\GH9M!HZ3V4Z9L=KLV2M+W+R95)EEFI:7Q^*.;#.P#= M3`M#&PF9F6=(#2,J791&AHT:^;(K)%XE>OU4&J05T@XNT=8WC>:;"T12V(L_ M'[&]9T.<[H>1O.B&.-TLKX#NFV&.TE;.9#,C5$,:Y$08RH\R@$BQLD/7H+KZ M>\HO.42>J1]2;EH%R-;EC(EI3<C6;?WTS@&>"B'#Q\`VVV,ZNQ6%;6A?YWT# M/"P,9$Y!>0[TARI&)XU,W;J\K<DV)BQ8BQ],\!AAK!FUHR^X<&&BX[K+XC`% MP*NU.Y)<[N@^&/="$1);DE(2\8!S'S^'H]TB*&5TWU&MUTH%3SL-LM?G5F,E M]YAAXG$<7G0P9X,<@9T<EY&B),J&7&F924B_<ZZATR`USGP)$AZS$Q0V(Y!: MI+-$(_EF.`Y"LT31@P*B@1-F1!"$&(7/D9'59"407"QC`;+`.:((B?2N!\LD M(E,&I0<FHR)*W`R$DKX5&,<J[3@\AA>6,,0?88;C18*T-%)B*AC&%I4H%-]\ M1$I65DQ[&AB3/A:3>M`K:'0H#''%FE:%8C(54B%%0L%`L>!55@*N5+WF0AHQ MK>3QO+*@KI%`I<,-"#[:6>/+RNMAI8<CJ.X/,;'3F<M8.JI>'`P^HI*#"`L* M:-/V_UO7HQK)Z6F@4^*$FE^'J6YJT\-K5.!SUH]_<Z2->A[AW[3S2ZT9L]C; M.]XV-C;;&8I8R)TR`5K.^.*D+N^+NS;;S-)N^\"56$O2)4^O^Y)\!ZZ8R[PT M"XQ]18B45F4C>ZF1.V&<]E`B`:HG$*@#E'\=%3YFZNY>_N>)=8$W>\8&[I%& 
M>P<L(,E[/F#2#RZQP<,=*V80$\(4'%HVK!5W;;`!P^%Z\58%JN1I'&]1_4'] MZLXYM%@Q,3>SL<S+@?(N:V&4C9L6^I>L"N9^,ISU+/<\!ZT!`'BY[9F2MC2L M%>8A/4E%CZ2H.D[!YY[P,!.C6E6DV#]7-!/K'5"5DEJ)K)6;GO#CC@12M9PY M@U(R-09T/39VJP"P4UUL65EY>*74*\F9S6]KU(@Q4BL4+W6'O+X%25N&E6J< M=*QVV:1EEJVQH#$8(D8@GVE`P5#B#GY&;-&ETO1YT,B_43%FBQL7,_#P=:L$ MR@R=30;8U0PFN4$@/#RHSKZ.KT:0Y2"K^]N0B5YE$*"@&.@J9S>'YW#,<D=/ MZR:P9*<9^T#!K>(1C`[0*)1^8?Z75!@XW^2Q(]]%X&NM$3Y![#L`[_ZQI<`% MQTJ+/97VVF2)[*D91ST6TUN[=8&2K?U[N4[?-)K84V_:!0Z[15`&QS_F*<L: M(OPZS7-(T9QBUQ5S=4UY)IPWM,I;>8-E^4SY4VF#"']8,;B<@65C44!ZP>+H MF6'M)/>0$?/[,M(C0$#A>501QV8&+-64I2'5-TDVW7NA]&[RZO+[(YU+"*;F M%Q:<9<USC`''W:CZJ_.!>%E?EI>[G\FXQQO9)8#$DBUDSB1+I<Y_L&+Y`M*3 M"^%5(L+K(8TZQ_2$?*^=CC=-Q!CE`!ZLW)M1PQK,QU9#-WVF7,C:#'J$<Z%H M!@#D,3=8)Y?1:I-TL%XP4+?D1K:<R)H>Y(R<7W4C:+H,Z;$P&QQY:4;4DX#E MK<XD()ILCR,MP'`M:66)M[19PQ6ZTMW=D9VI:KS':'4,6,EMJ+1N+)D='T#_ M@N&D&G>K8[[]H+:X1U^68%>VE45:-=+TST8MSFW210%'<$`8=04N4M-9%03" MD&`':8"PRPY+37C!57$:M@C2<JSAU1;&/FB,Z,NHWHU!%/&:XH3TJ4;_(0N- M/_7R;0!KZMTK\F#7EM5LPW1L635!-I<S7J&RC4<3@1#L2KY8TO:X#-YF[+U[ M@6B@T%32[-4(&#%"(T%L"D[)$@AU3O&KTA#7/LG)(&9%0KG.$8"L8[5%YM0- MFCWHT9AX7!'GL+-89EO8,XN;VC)XAZX5^/0&G$&*]UX;2_)`_T$KN^G[#Q%/ M7F8'FX@]^:A5)P,^NT20JSB,(@]DLQ2;(;V??U?)\C-9KF`"K[H4,J'4+\8R M]3<$&$PF'&0"W9BN@-"TG%VC;D3WBWR9+>M9'4SK#5%J%]F(<)2*2-*9RB4) MR)5/_31)J3@8P@)4ERU>IHZQH%25LN*'."RXXWA^CMF@BAI,CN>;&FP:AJ^T MH>A[)/K<,R@'`/6:1^C(O"XR+%6L+>#[@%,2P[5S@PKPR!I\XYA,@3M>8+<H M@*N4Y#PX\1O-(4VIW*S65>G8VO]&9GUTXFN'4NFM#V:7+8$WNC?JHK(\48JR M:=\2+;$B8EDQBK$Z9N`I(A0ZU*/?)AF&2<7(@[5J#LALZW%@P<+\`%BUIW/. M]R*..2\#[ZS])XQ#Y?Q84H,>X#D0T'*%/_D;'^X-9MKI3">&6M?`^R(;^YQ@ ME5O>K1EFQ4VNM'.F3SY0<.&`-Z,XQAA?ZG*BCM>J4J&-*Y>J;Y(1^:$%K5J< L>`\<2!/D]NN9'P90Q2-V=7V.>;K8VIDD:E3(['D2*8(7_B[DBG"A(,AI+\P` ` end >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200410071240.i97CeNI8014823>
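Added example, not part of the PR above and not FreeBSD's own pkg_version or portaudit code: a small POSIX sh check that tells whether an installed package name such as mod_php4-4.3.8_2,1 is older than the version carrying the fix, so the "affected package" claim in the PR can be confirmed on a host before and after the remove/reinstall step. It reimplements a simplified form of the FreeBSD package version ordering (port epoch after ',', then the dotted version, then the port revision after '_'). The fixed version string 4.3.9,1 is an assumption: the PR names 4.3.9 as the release that fixes (1) and (2), and ",1" is the epoch already carried by mod_php4-4.3.8_2,1.

```sh
#!/bin/sh
# Added example, not part of the PR and not FreeBSD's pkg_version/portaudit:
# a simplified FreeBSD package-version comparison used to decide whether an
# installed mod_php4 package is older than the release that carries the fix.
# Assumed version grammar: VERSION[_PORTREVISION][,PORTEPOCH], with VERSION a
# dot-separated list of integers (versions containing letters are not handled).
# Assumed fixed version for mod_php4: 4.3.9,1 (4.3.9 is the fixing release named
# in the PR; ",1" is the port epoch already present on mod_php4-4.3.8_2,1).

# split_version VERSTR: sets EPOCH, REV and VER (POSIX sh has no arrays).
split_version() {
    _s=$1
    case $_s in
        *,*) EPOCH=${_s##*,}; _s=${_s%,*} ;;
        *)   EPOCH=0 ;;
    esac
    case $_s in
        *_*) REV=${_s##*_}; _s=${_s%_*} ;;
        *)   REV=0 ;;
    esac
    VER=$_s
}

# cmp_int A B: prints -1, 0 or 1.
cmp_int() {
    if [ "$1" -lt "$2" ]; then printf '%s\n' -1
    elif [ "$1" -gt "$2" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# cmp_dotted A B: compares dot-separated integer versions component by
# component; a missing trailing component counts as 0 (4.3 equals 4.3.0).
cmp_dotted() {
    _a="$1."
    _b="$2."
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _a=${_a#*.}
        _y=${_b%%.*}; _b=${_b#*.}
        _c=$(cmp_int "${_x:-0}" "${_y:-0}")
        if [ "$_c" -ne 0 ]; then printf '%s\n' "$_c"; return; fi
    done
    printf '%s\n' 0
}

# pkgver_cmp A B: prints -1, 0 or 1; epoch decides first, then the dotted
# version, then the port revision.
pkgver_cmp() {
    split_version "$1"; _e1=$EPOCH; _r1=$REV; _v1=$VER
    split_version "$2"; _e2=$EPOCH; _r2=$REV; _v2=$VER
    _c=$(cmp_int "$_e1" "$_e2")
    if [ "$_c" -ne 0 ]; then printf '%s\n' "$_c"; return; fi
    _c=$(cmp_dotted "$_v1" "$_v2")
    if [ "$_c" -ne 0 ]; then printf '%s\n' "$_c"; return; fi
    cmp_int "$_r1" "$_r2"
}

# pkg_affected PKGNAME FIXEDVER: exit 0 (true) when the version embedded in
# PKGNAME (the text after the last '-') is older than FIXEDVER.
pkg_affected() {
    _ver=${1##*-}
    [ "$(pkgver_cmp "$_ver" "$2")" -lt 0 ]
}

# Demonstration on constructed package names (not real pkg_info output).
for _p in mod_php4-4.3.8_2,1 mod_php4-4.3.9,1; do
    if pkg_affected "$_p" 4.3.9,1; then
        printf '%s: older than 4.3.9,1, apply the fix\n' "$_p"
    else
        printf '%s: not affected\n' "$_p"
    fi
done
```

On a real host, feed pkg_affected the package names reported by pkg_info instead of the constructed ones; the authoritative ordering is the one implemented by `pkg_version -t`, and any version that falls outside the integer-only grammar assumed here should be compared with that tool rather than with this script.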