From 048cf16b51fd845e1c8aeb09437cec687e83228f Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Tue, 10 Jan 2012 15:55:45 +0000 Subject: main/php: security fix (CVE-2011-4885) fixes #918 --- main/php/APKBUILD | 4 ++- main/php/max_input_vars.patch | 63 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 main/php/max_input_vars.patch (limited to 'main/php') diff --git a/main/php/APKBUILD b/main/php/APKBUILD index 0162ca2292..d8a0bbe8e6 100644 --- a/main/php/APKBUILD +++ b/main/php/APKBUILD @@ -3,7 +3,7 @@ pkgname=php pkgver=5.3.8 _suhosinver=5.3.7-0.9.10 -pkgrel=1 +pkgrel=2 pkgdesc="The PHP language runtime engine" url="http://www.php.net/" arch="all" @@ -73,6 +73,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-common $pkgname-cgi # http://download.suhosin.org/suhosin-patch-${_suhosinver}.patch.gz source="http://www.php.net/distributions/${pkgname}-${pkgver}.tar.bz2 + max_input_vars.patch php-install-pear-xml.patch suhosin-patch-${_suhosinver}.patch php-fpm.initd @@ -443,6 +444,7 @@ mssql() { _mv_ext mssql; } pdo_dblib() { _mv_ext pdo_dblib "php-pdo freetds"; } md5sums="704cd414a0565d905e1074ffdc1fadfb php-5.3.8.tar.bz2 +031c6fdcfbd45366fea32b697893d511 max_input_vars.patch 5111e3be06d391f8772587c675240fab php-install-pear-xml.patch 8bd8840465d6bcd8e1e5d2cec80a1bfc suhosin-patch-5.3.7-0.9.10.patch 8f2bb2b744a2de50025842cb51fb6a3a php-fpm.initd diff --git a/main/php/max_input_vars.patch b/main/php/max_input_vars.patch new file mode 100644 index 0000000000..8366a3dd6b --- /dev/null +++ b/main/php/max_input_vars.patch @@ -0,0 +1,63 @@ +Index: PHP_5_3/NEWS +=================================================================== +--- PHP_5_3/NEWS (revision 321037) ++++ PHP_5_3/NEWS (revision 321038) +@@ -2,6 +2,10 @@ + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ?? ??? 2011, PHP 5.3.9 + ++- Core: ++ . Added max_input_vars directive to prevent attacks based on hash collisions ++ (Dmitry). ++ + - Streams: + . Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together + with the last read). (Gustavo) +Index: PHP_5_3/main/php_variables.c +=================================================================== +--- PHP_5_3/main/php_variables.c (revision 321037) ++++ PHP_5_3/main/php_variables.c (revision 321038) +@@ -191,6 +191,9 @@ + } + if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE + || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { ++ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { ++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); ++ } + MAKE_STD_ZVAL(gpc_element); + array_init(gpc_element); + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); +@@ -236,6 +239,9 @@ + zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { + zval_ptr_dtor(&gpc_element); + } else { ++ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { ++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); ++ } + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } + if (escaped_index != index) { +Index: PHP_5_3/main/main.c +=================================================================== +--- PHP_5_3/main/main.c (revision 321037) ++++ PHP_5_3/main/main.c (revision 321038) +@@ -512,6 +512,7 @@ + STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) + STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) ++ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) + + STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) +--- ./main/php_globals.h.orig ++++ ./main/php_globals.h +@@ -170,6 +170,9 @@ + char *mail_log; + + zend_bool in_error_log; ++ ++ long max_input_vars; ++ + }; + + -- cgit v1.2.3