security update to php-5.6.18, fixes include crashes, integer overflows,

and updating the bundled pcre (also security fixes). add patches to use arc4random_buf instead of /dev/urandom (which is typically not available on a normal OpenBSD php installation, with very bad fallbacks in some cases). testing of arc4random bits from martijn@, ok robert@
2016-02-06 23:30:25 +00:00 · 2016-02-06 23:30:25 +00:00 · 1c71c809e0
commit 1c71c809e0
parent ee2a034ac7
7 changed files with 126 additions and 5 deletions
--- a/lang/php/5.6/Makefile
+++ b/lang/php/5.6/Makefile
@ -1,8 +1,7 @@
-# $OpenBSD: Makefile,v 1.24 2016/02/01 21:53:06 sthen Exp $
+# $OpenBSD: Makefile,v 1.25 2016/02/06 23:30:25 sthen Exp $

 PV=		5.6
-V=		${PV}.17
-REVISION=	0
+V=		${PV}.18

 WANTLIB-main+=		stdc++ ncurses readline

--- a/lang/php/5.6/distinfo
+++ b/lang/php/5.6/distinfo
@ -1,4 +1,4 @@
-SHA256 (php-5.6.17.tar.bz2) = d7RfVqHmPnW7IrQs+4tDjsQIPFnOd0tNfBaFVEt63Ts=
+SHA256 (php-5.6.18.tar.bz2) = w81KKalWIwnTbisShAfW6qXH3eWQ0rGkZEVzg+UX9O0=
 SHA256 (suhosin-0.9.38.tar.gz) = wC12xOfOd3kQo3wYGBy2f9npDv4BB/6rPeMTG1+JvOo=
-SIZE (php-5.6.17.tar.bz2) = 14072840
+SIZE (php-5.6.18.tar.bz2) = 14094993
 SIZE (suhosin-0.9.38.tar.gz) = 122800
--- a/lang/php/5.6/patches/patch-Zend_zend_alloc_c
+++ b/lang/php/5.6/patches/patch-Zend_zend_alloc_c
@ -0,0 +1,26 @@
+$OpenBSD: patch-Zend_zend_alloc_c,v 1.1 2016/02/06 23:30:25 sthen Exp $
+
+Apparently not enabled by default, and currently a bit close to release to
+try doing so, but for something in #ifdef MM_HEAP_PROTECTION, you want more
+than rand()^getpid() when /dev/urandom is inaccessible, right?
+
+--- Zend/zend_alloc.c.orig.port	Mon Feb  1 23:04:02 2016
+++ Zend/zend_alloc.c	Mon Feb  1 23:34:27 2016
+@@ -976,6 +976,9 @@ static void zend_mm_free_cache(zend_mm_heap *heap)
+ #if ZEND_MM_HEAP_PROTECTION || ZEND_MM_COOKIES
+ static void zend_mm_random(unsigned char *buf, size_t size) /* {{{ */
+ {
+#if defined(__OpenBSD__)
+	arc4random_buf(buf, size);
+#else
+ 	size_t i = 0;
+ 	unsigned char t;
+ 
+@@ -1031,6 +1034,7 @@ static void zend_mm_random(unsigned char *buf, size_t 
+ 		} while (buf[i] == 0);
+ 		t = buf[i++] << 1;
+     }
+#endif /* openbsd */
+ }
+ /* }}} */
+ #endif
--- a/lang/php/5.6/patches/patch-ext_mcrypt_mcrypt_c
+++ b/lang/php/5.6/patches/patch-ext_mcrypt_mcrypt_c
@ -0,0 +1,26 @@
+$OpenBSD: patch-ext_mcrypt_mcrypt_c,v 1.1 2016/02/06 23:30:25 sthen Exp $
+
+mcrypt IV creation. no /dev/{u,}random? yes, it is using the last hunk.
+
+--- ext/mcrypt/mcrypt.c.orig.port	Mon Feb  1 23:04:02 2016
+++ ext/mcrypt/mcrypt.c	Mon Feb  1 23:42:21 2016
+@@ -1436,6 +1436,11 @@ PHP_FUNCTION(mcrypt_create_iv)
+ 	}
+ 	
+ 	iv = ecalloc(size + 1, 1);
+
+#if defined(__OpenBSD__)
+		arc4random_buf(iv, (size_t) size);
+		n = size;
+#else
+ 	
+ 	if (source == RANDOM || source == URANDOM) {
+ #if PHP_WIN32
+@@ -1481,6 +1486,7 @@ PHP_FUNCTION(mcrypt_create_iv)
+ 			iv[--size] = (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
+ 		}
+ 	}
+#endif /* openbsd */
+ 	RETURN_STRINGL(iv, n, 0);
+ }
+ /* }}} */
--- a/lang/php/5.6/patches/patch-ext_session_session_c
+++ b/lang/php/5.6/patches/patch-ext_session_session_c
@ -0,0 +1,19 @@
+$OpenBSD: patch-ext_session_session_c,v 1.1 2016/02/06 23:30:25 sthen Exp $
+
+Perhaps the whole function can be replaced, but we have to start somewhere.
+
+--- ext/session/session.c.orig.port	Mon Feb  1 23:04:02 2016
+++ ext/session/session.c	Mon Feb  1 23:48:25 2016
+@@ -346,7 +346,11 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
+ 	efree(buf);
+ 
+ 	if (PS(entropy_length) > 0) {
+-#ifdef PHP_WIN32
+#if defined(__OpenBSD__)
+		unsigned char rbuf[2048];
+		size_t toread = PS(entropy_length);
+		arc4random_buf(rbuf, MIN(toread, sizeof(rbuf)));
+#elif defined(PHP_WIN32)
+ 		unsigned char rbuf[2048];
+ 		size_t toread = PS(entropy_length);
+ 
--- a/lang/php/5.6/patches/patch-ext_standard_password_c
+++ b/lang/php/5.6/patches/patch-ext_standard_password_c
@ -0,0 +1,21 @@
+$OpenBSD: patch-ext_standard_password_c,v 1.1 2016/02/06 23:30:25 sthen Exp $
+--- ext/standard/password.c.orig.port	Mon Feb  1 23:04:02 2016
+++ ext/standard/password.c	Mon Feb  1 23:51:51 2016
+@@ -124,6 +124,9 @@ static int php_password_make_salt(size_t length, char 
+ 
+ 	buffer = (char *) safe_emalloc(raw_length, 1, 1);
+ 
+#if defined(__OpenBSD__)
+	arc4random_buf(buffer, raw_length);
+#else
+ #if PHP_WIN32
+ 	{
+ 		BYTE *iv_b = (BYTE *) buffer;
+@@ -156,6 +159,7 @@ static int php_password_make_salt(size_t length, char 
+ 			buffer[i] ^= (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
+ 		}
+ 	}
+#endif /* openbsd */
+ 
+ 	result = safe_emalloc(length, 1, 1); 
+ 	if (php_password_salt_to64(buffer, raw_length, length, result) == FAILURE) {
--- a/lang/php/5.6/patches/patch-ext_suhosin_execute_c
+++ b/lang/php/5.6/patches/patch-ext_suhosin_execute_c
@ -0,0 +1,30 @@
+$OpenBSD: patch-ext_suhosin_execute_c,v 1.1 2016/02/06 23:30:25 sthen Exp $
+--- ext/suhosin/execute.c.orig.port	Mon Feb  1 23:04:02 2016
+++ ext/suhosin/execute.c	Mon Feb  1 23:38:49 2016
+@@ -1312,6 +1312,9 @@ static php_uint32 suhosin_mt_rand(TSRMLS_D)
+  */
+ static void suhosin_gen_entropy(php_uint32 *entropybuf TSRMLS_DC)
+ {
+#if defined(__OpenBSD__)
+    arc4random_buf(entropybuf, 8 * sizeof(php_uint32));
+#else
+     php_uint32 seedbuf[20];
+     /* On a modern OS code, stack and heap base are randomized */
+     unsigned long code_value  = (unsigned long)suhosin_gen_entropy;
+@@ -1335,7 +1338,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf
+ #endif
+     seedbuf[5] = (php_uint32) 0x7fffffff * php_combined_lcg(TSRMLS_C);
+ 
+-#ifndef PHP_WIN32
+#if !defined(PHP_WIN32)
+     fd = VCWD_OPEN("/dev/urandom", O_RDONLY);
+     if (fd >= 0) {
+         /* ignore error case - if urandom doesn't give us any/enough random bytes */
+@@ -1354,6 +1357,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf
+         suhosin_SHA256Update(&context, (unsigned char*)SUHOSIN_G(seedingkey), strlen(SUHOSIN_G(seedingkey)));
+     }
+     suhosin_SHA256Final((void *)entropybuf, &context);
+#endif /* openbsd */
+ }
+ /* }}} */
+