security fixes

PHP supports multipart/form-data POST requests (as described in RFC1867) known as POST fileuploads. Unfourtunately there are several flaws in the php_mime_split function that could be used by an attacker to execute arbitrary code. - broken boundary check - arbitrary heap overflow -- Ok'd by: maintainer
2002-02-27 16:31:59 +00:00 · 2002-02-27 16:31:59 +00:00 · 53bf90fee3
commit 53bf90fee3
parent 0c162d2650
2 changed files with 29 additions and 4 deletions
--- a/www/php3/Makefile
+++ b/www/php3/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.41 2001/11/19 01:38:58 brad Exp $
+# $OpenBSD: Makefile,v 1.42 2002/02/27 16:31:59 brad Exp $

 COMMENT=	"server-side HTML-embedded scripting language"

@ -6,10 +6,11 @@ COMMENT=	"server-side HTML-embedded scripting language"
 # and has Apache that supports DSO's.
 ONLY_FOR_ARCHS=	i386 m68k sparc

-DISTNAME=	php-3.0.18
-PKGNAME=	php3-3.0.18
+VERSION=	3.0.18
+DISTNAME=	php-${VERSION}
+PKGNAME=	php3-${VERSION}p2
 CATEGORIES=	www lang
-NEED_VERSION=	1.489
+NEED_VERSION=	1.500

 HOMEPAGE=	http://www.php.net/

--- a/www/php3/patches/patch-functions_mime_c
+++ b/www/php3/patches/patch-functions_mime_c
@ -0,0 +1,24 @@
+$OpenBSD: patch-functions_mime_c,v 1.1 2002/02/27 16:31:59 brad Exp $
+--- functions/mime.c.orig	Mon Oct 16 21:30:59 2000
+++ functions/mime.c	Wed Feb 27 10:12:11 2002
+@@ -85,7 +85,9 @@ void php3_mime_split(char *buf, int cnt,
+ 					SAFE_RETURN;
+ 				}
+ 				loc = memchr(ptr, '\n', rem);
+				rem -= loc - ptr;
+ 				name = strstr(ptr, " name=");
+				ptr = loc;
+ 				if (name && name < loc) {
+ 					name += 6;
+ 					s = memchr(name, '\"', loc - name);
+@@ -138,6 +140,10 @@ void php3_mime_split(char *buf, int cnt,
+ 						sprintf(lbuf, "%s_name[]", abuf);
+ 						sbuf=estrdup(abuf);
+ 					} else {
+						if (abuf) {
+							efree(abuf);
+							abuf = NULL;
+						}
+ 						sprintf(lbuf, "%s_name", namebuf);
+ 						sbuf=estrdup(namebuf);
+ 					}