From rea-fbsd@codelabs.ru  Tue Nov 18 10:34:35 2008
Return-Path: <rea-fbsd@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 82E74106564A
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 18 Nov 2008 10:34:35 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id B319A8FC13
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 18 Nov 2008 10:34:34 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from shadow.codelabs.ru (shadow.codelabs.ru [144.206.177.8])
	by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256)
	id 1L2Nuj-0000ma-Gs for FreeBSD-gnats-submit@freebsd.org; Tue, 18 Nov 2008 13:34:33 +0300
Received: by shadow.codelabs.ru (Postfix, from userid 1001)
	id 38D5817115; Tue, 18 Nov 2008 13:34:33 +0300 (MSK)
Message-Id: <20081118103433.38D5817115@shadow.codelabs.ru>
Date: Tue, 18 Nov 2008 13:34:33 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Reply-To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
X-Send-Pr-Version: 3.113
X-GNATS-Notify: freebsd-security@freebsd.org, ale@freebsd.org

>Number:         128956
>Category:       ports
>Synopsis:       [patch] [vuxml] lang/php5 - multiple vulnerabilities in PHP 5.2.6
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    miwi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 18 10:40:00 UTC 2008
>Closed-Date:    Sun Dec 07 12:14:36 UTC 2008
>Last-Modified:  Sun Dec 07 12:14:36 UTC 2008
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

There are some vulnerabilities in the stock PHP 5.2.6 that were silently
fixed in CVS, but only after 5.2.6 was out.

>How-To-Repeat:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660

>Fix:

The following patches should fix all three issues.  I have tested them
only lightly in my setups.
--- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff begins here ---
diff -urN ./Makefile ../php5/Makefile
--- ./Makefile	2008-11-18 11:49:16.000000000 +0300
+++ ../php5/Makefile	2008-11-18 11:49:27.000000000 +0300
@@ -7,7 +7,7 @@
 
 PORTNAME=	php5
 PORTVERSION=	5.2.6
-PORTREVISION?=	2
+PORTREVISION?=	3
 CATEGORIES?=	lang devel www
 MASTER_SITES=	${MASTER_SITE_PHP}
 MASTER_SITE_SUBDIR=	distributions
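Review bot: the php5-imap diff below bumps nothing, so the 5.2.6_3 version that the VuXML entries use for php5-imap is reached only if the slave port inherits this `PORTREVISION?=` from lang/php5; check that the php5-imap Makefile does not set its own PORTREVISION (the `?=` exists precisely to allow that), otherwise the imap package stays at 5.2.6_2 and the VuXML `<lt>5.2.6_3</lt>` range never matches it.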
diff -urN ./files/patch-CVE-2008-3659 ../php5/files/patch-CVE-2008-3659
--- ./files/patch-CVE-2008-3659	1970-01-01 03:00:00.000000000 +0300
+++ ../php5/files/patch-CVE-2008-3659	2008-11-18 11:49:55.000000000 +0300
@@ -0,0 +1,27 @@
+Patch for CVE-2008-3659.
+
+Obtained from: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
+See also: http://news.php.net/php.cvs/52002
+See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
+
+--- Zend/zend_operators.h	2007/12/31 07:20:03	1.94.2.4.2.11
++++ Zend/zend_operators.h	2008/08/05 20:11:17	1.94.2.4.2.12
+@@ -17,7 +17,7 @@
+    +----------------------------------------------------------------------+
+ */
+ 
+-/* $Id: zend_operators.h,v 1.94.2.4.2.11 2007/12/31 07:20:03 sebastian Exp $ */
++/* $Id: zend_operators.h,v 1.94.2.4.2.12 2008/08/05 20:11:17 stas Exp $ */
+ 
+ #ifndef ZEND_OPERATORS_H
+ #define ZEND_OPERATORS_H
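Review bot: this `$Id$` hunk adds nothing to the fix and only applies if the 5.2.6 tarball's expanded keyword line is byte-identical to the 1.94.2.4.2.11 line; the CVE-2008-3660 patch below already strips its Id hunk ("removed 'Id' hunk"), so do the same here for consistency and one fewer way for the port patch to fail when the tarball is regenerated.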
+@@ -220,6 +220,9 @@
+ 	char *p = haystack;
+ 	char ne = needle[needle_len-1];
+ 
++	if(needle_len > end-haystack) {
++		return NULL;
++	}
+ 	end -= needle_len;
+ 
+ 	while (p <= end) {
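Review bot: the new guard sits after `char ne = needle[needle_len-1];`, so a needle_len of 0 still reads one byte before `needle` before the check runs; if zend_memnstr is meant to defend itself rather than rely on its callers, make the test `needle_len <= 0 || needle_len > end-haystack` and place it ahead of that read. The comparison itself is right: with needle_len == end-haystack the later `end -= needle_len` leaves `p <= end` true for exactly one iteration, so an exact-length match is still found, while a longer needle can no longer push `end` below `haystack` and feed a wrapped length to memchr.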
diff -urN ./files/patch-CVE-2008-3660 ../php5/files/patch-CVE-2008-3660
--- ./files/patch-CVE-2008-3660	1970-01-01 03:00:00.000000000 +0300
+++ ../php5/files/patch-CVE-2008-3660	2008-11-18 12:15:23.000000000 +0300
@@ -0,0 +1,82 @@
+Patch for CVE-2008-3660
+
+Obtained from: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch
+See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
+See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987
+Notes: removed 'Id' hunk and reapplied this patch for the php-5.2.6
+
+--- sapi/cgi/cgi_main.c.orig	2008-04-09 13:16:40.000000000 +0400
++++ sapi/cgi/cgi_main.c	2008-11-18 12:08:10.000000000 +0300
+@@ -765,6 +765,39 @@
+ }
+ /* }}} */
+ 
++/* {{{ is_valid_path
++ *
++ * some server configurations allow '..' to slip through in the
++ * translated path.   We'll just refuse to handle such a path.
++ */
++static int is_valid_path(const char *path)
++{
++	const char *p;
++
++	if (!path) {
++		return 0;
++	}
++	p = strstr(path, "..");
++	if (p) {
++		if ((p == path || IS_SLASH(*(p-1))) &&
++		    (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++			return 0;
++		}
++		while (1) {
++			p = strstr(p+1, "..");
++			if (!p) {
++				break;
++			}
++			if (IS_SLASH(*(p-1)) &&
++			    (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++					return 0;
++			}
++		}
++	}
++	return 1;
++}
++/* }}} */
++
+ /* {{{ init_request_info
+ 
+   initializes request_info structure
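Review bot: the loop body repeats the first test except for the `p == path` case; the whole function can be one loop, `for (p = strstr(path, ".."); p; p = strstr(p + 1, ".."))` with `(p == path || IS_SLASH(p[-1])) && (p[2] == 0 || IS_SLASH(p[2]))`, which also removes the `while (1)` / `break` pair. The `return 0;` after the second check is indented one level deeper than its `if`. Behaviour is as intended: only a whole `..` element (leading, `/../`, or trailing `/..`) is refused, so `foo..php` from the CVE entry now passes and reaches the `path_translated` assignment below, while `a/../b` is still rejected; `p-1` is safe in the loop because the second strstr starts at `p+1`, so p is never `path` there.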
+@@ -1061,9 +1094,7 @@
+ 				if (pt) {
+ 					efree(pt);
+ 				}
+-				/* some server configurations allow '..' to slip through in the
+-				   translated path.   We'll just refuse to handle such a path. */
+-				if (script_path_translated && !strstr(script_path_translated, "..")) {
++				if (is_valid_path(script_path_translated)) {
+ 					SG(request_info).path_translated = estrdup(script_path_translated);
+ 				}
+ 			} else {
+@@ -1094,9 +1125,7 @@
+ 				} else {
+ 					SG(request_info).request_uri = env_script_name;
+ 				}
+-				/* some server configurations allow '..' to slip through in the
+-				   translated path.   We'll just refuse to handle such a path. */
+-				if (script_path_translated && !strstr(script_path_translated, "..")) {
++				if (is_valid_path(script_path_translated)) {
+ 					SG(request_info).path_translated = estrdup(script_path_translated);
+ 				}
+ 				free(real_path);
+@@ -1114,9 +1143,7 @@
+ 				script_path_translated = env_path_translated;
+ 			}
+ #endif
+-			/* some server configurations allow '..' to slip through in the
+-			   translated path.   We'll just refuse to handle such a path. */
+-			if (script_path_translated && !strstr(script_path_translated, "..")) {
++			if (is_valid_path(script_path_translated)) {
+ 				SG(request_info).path_translated = estrdup(script_path_translated);
+ 			}
+ #if ENABLE_PATHINFO_CHECK
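Review bot: consider leaving a one-line comment at the first of these three sites pointing at is_valid_path, since the explanatory comment that used to sit next to each condition now lives only in the function header. Dropping the explicit `script_path_translated &&` test is fine: the `!path` check inside is_valid_path covers it, so no NULL dereference is introduced, and the three hunk counts (`-1061,9 +1094,7` etc.) match three removed lines and one added line at each site.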
--- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff ends here ---

--- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff begins here ---
diff -urN ./files/patch-CVE-2008-2829 ../php5-imap/files/patch-CVE-2008-2829
--- ./files/patch-CVE-2008-2829	1970-01-01 03:00:00.000000000 +0300
+++ ../php5-imap/files/patch-CVE-2008-2829	2008-11-18 13:20:19.000000000 +0300
@@ -0,0 +1,282 @@
+Fix for CVE-2008-2829
+
+Obtained from: http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.259&r2=1.260&view=patch
+Notes: reapplied to php-5.6.2, skipped 'Id' hunk and modified hunk marked
+       '-3213,7 +3214,7'.
+
+--- php_imap.c.orig	2008-04-17 15:04:49.000000000 +0400
++++ php_imap.c	2008-11-18 13:03:02.000000000 +0300
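Review bot: the Notes line says "reapplied to php-5.6.2"; the port is php-5.2.6 (PORTVERSION in the Makefile hunk above), so fix the version in the patch header before commit. Also, the file is placed in php5-imap/files and its `---`/`+++` headers name `php_imap.c` with no `ext/imap/` prefix, so it only applies if the slave port's FILESDIR points at its own files directory and its WRKSRC is ext/imap; confirm both rather than assume them from the master port.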
+@@ -40,6 +40,7 @@
+ #include "ext/standard/php_string.h"
+ #include "ext/standard/info.h"
+ #include "ext/standard/file.h"
++#include "ext/standard/php_smart_str.h"
+ 
+ #ifdef ERROR
+ #undef ERROR
+@@ -66,10 +67,11 @@
+ #define SENDBUFLEN 16385
+ #endif
+ 
++
+ static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC);
+ static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC);
+-static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC);
+-static int _php_imap_address_size(ADDRESS *addresslist);
++static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress TSRMLS_DC);
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC);
+ 
+ /* the gets we use */
+ static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md);
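Review bot: the blank line added at the top of this hunk (a second empty line after `#endif`) is stray whitespace and should go. Dropping the `_php_imap_address_size` prototype is safe only because its one remaining user, the `#else` version of `_php_rfc822_write_address`, is defined after it further down; if anything above that point needs the size helper again the declaration has to come back.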
+@@ -2109,7 +2111,7 @@
+ {
+ 	zval **mailbox, **host, **personal;
+ 	ADDRESS *addr;
+-	char string[MAILTMPLEN];
++	char *string;
+ 
+ 	if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, &personal) == FAILURE) {
+ 		ZEND_WRONG_PARAM_COUNT();
+@@ -2137,13 +2139,12 @@
+ 	addr->error=NIL;
+ 	addr->adl=NIL;
+ 
+-	if (_php_imap_address_size(addr) >= MAILTMPLEN) {
++	string = _php_rfc822_write_address(addr TSRMLS_CC);
++	if (string) {
++		RETVAL_STRING(string, 0);
++	} else {
+ 		RETURN_FALSE;
+ 	}
+-
+-	string[0]='\0';
+-	rfc822_write_address(string, addr);
+-	RETVAL_STRING(string, 1);
+ }
+ /* }}} */
+ 
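Review bot: `RETVAL_STRING(string, 0)` hands the buffer to Zend without copying, which is correct for both implementations of `_php_rfc822_write_address` (smart_str and estrdup both allocate with emalloc). The `else { RETURN_FALSE; }` branch is reachable only from the `HAVE_RFC822_OUTPUT_ADDRESS_LIST` implementation, where an empty list leaves `ret.c` NULL; the fallback raises E_ERROR and bails out before its `return NULL`, so FALSE is dead code there. If FALSE is the intended contract for an over-long address, the fallback should warn rather than abort.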
+@@ -2873,7 +2874,7 @@
+  	zval **streamind, **sequence, **pflags;
+ 	pils *imap_le_struct;
+ 	zval *myoverview;
+-	char address[MAILTMPLEN];
++	char *address;
+ 	long status, flags=0L;
+ 	int myargc = ZEND_NUM_ARGS();
+ 	
+@@ -2908,17 +2909,19 @@
+ 				if (env->subject) {
+ 					add_property_string(myoverview, "subject", env->subject, 1);
+ 				}
+-				if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) {
++				if (env->from) {
+ 					env->from->next=NULL;
+-					address[0] = '\0';
+-					rfc822_write_address(address, env->from);
+-					add_property_string(myoverview, "from", address, 1);
++					address =_php_rfc822_write_address(env->from TSRMLS_CC);
++					if (address) {
++						add_property_string(myoverview, "from", address, 0);
++					}
+ 				}
+-				if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) {
++				if (env->to) {
+ 					env->to->next = NULL;
+-					address[0] = '\0';
+-					rfc822_write_address(address, env->to);
+-					add_property_string(myoverview, "to", address, 1);
++					address = _php_rfc822_write_address(env->to TSRMLS_CC);
++					if (address) {
++						add_property_string(myoverview, "to", address, 0);
++					}
+ 				}
+ 				if (env->date) {
+ 					add_property_string(myoverview, "date", env->date, 1);
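Review bot: `address =_php_rfc822_write_address(...)` is missing the space after `=` (the `to` branch below has it). `env->from->next=NULL` and `env->to->next = NULL` still truncate each list to its first address before formatting; that mattered when the size test guarded a MAILTMPLEN stack array, but with the dynamic writer it is purely a behavioural choice (only the first address appears in the overview) and it detaches the remaining ADDRESS nodes from the envelope, so either say so in a comment or drop the truncation. Ownership is consistent: `add_property_string(..., 0)` takes the emalloc'd string.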
+@@ -3858,6 +3861,43 @@
+ /* }}} */
+ 
+ /* Support Functions */
++
++#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST
++/* {{{ _php_rfc822_soutr
++ */
++static long _php_rfc822_soutr (void *stream, char *string)
++{
++	smart_str *ret = (smart_str*)stream;
++	int len = strlen(string);
++
++	smart_str_appendl(ret, string, len);	
++	return LONGT;
++}
++
++/* }}} */
++
++/* {{{ _php_rfc822_write_address
++ */
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC)
++{
++	char address[MAILTMPLEN];
++	smart_str ret = {0};
++	RFC822BUFFER buf;
++
++	buf.beg = address;
++	buf.cur = buf.beg;
++	buf.end = buf.beg + sizeof(address) - 1;
++	buf.s = &ret;
++	buf.f = _php_rfc822_soutr;
++	rfc822_output_address_list(&buf, addresslist, 0, NULL);
++	rfc822_output_flush(&buf);
++	smart_str_0(&ret);
++	return ret.c;
++}
++/* }}} */
++
++#else
++
+ /* {{{ _php_imap_get_address_size
+  */
+ static int _php_imap_address_size (ADDRESS *addresslist)
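Review bot: nothing in this diff defines `HAVE_RFC822_OUTPUT_ADDRESS_LIST`; unless the port's configure already probes for it, every build takes the `#else` fallback and this bounded `rfc822_output_address_list()` path is never compiled, so check ext/imap/config.m4 (or add the probe to the port) wherever the installed c-client provides that function. The buffer setup is right: `buf.end = buf.beg + sizeof(address) - 1` reserves the last byte for the terminator that the flush writes at `cur`, so the staging array is never overrun. Minor: `int len = strlen(string)` narrows a size_t, and both `rfc822_output_address_list()` and `rfc822_output_flush()` return a status that is dropped here; `ret.c` is NULL when nothing was written, which the callers do test.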
+@@ -3887,26 +3927,33 @@
+ 
+ /* }}} */
+ 
++/* {{{ _php_rfc822_write_address
++ */
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC)
++{
++	char address[SENDBUFLEN];
+ 
++	if (_php_imap_address_size(addresslist) >= SENDBUFLEN) {
++		php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow");
++		return NULL;
++	}
++	address[0] = 0;
++	rfc822_write_address(address, addresslist);
++	return estrdup(address);
++}
++/* }}} */
++#endif
+ /* {{{ _php_imap_parse_address
+  */
+-static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC)
++static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress TSRMLS_DC)
+ {
++	char *fulladdress;
+ 	ADDRESS *addresstmp;
+ 	zval *tmpvals;
+-	char *tmpstr;
+-	int len=0;
+ 		
+ 	addresstmp = addresslist;
+ 
+-	if ((len = _php_imap_address_size(addresstmp))) {
+-		tmpstr = (char *) pemalloc(len + 1, 1);
+-		tmpstr[0] = '\0';
+-		rfc822_write_address(tmpstr, addresstmp);
+-		*fulladdress = tmpstr;
+-	} else {
+-		*fulladdress = NULL;
+-	}
++	fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC);
+ 	
+ 	addresstmp = addresslist;
+ 	do {
+@@ -3918,6 +3965,7 @@
+ 		if (addresstmp->host) add_property_string(tmpvals, "host", addresstmp->host, 1);
+ 		add_next_index_object(paddress, tmpvals TSRMLS_CC);
+ 	} while ((addresstmp = addresstmp->next));
++	return fulladdress;
+ }
+ /* }}} */
+ 
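Review bot: `php_error_docref(NULL TSRMLS_CC, E_ERROR, ...)` aborts the script, so in the fallback an envelope whose address list exceeds SENDBUFLEN (16385 bytes, defined above) turns the former crash into a fatal error that a remote sender can still trigger by mailing a long header; E_WARNING plus the NULL return would let every caller, which already tests the result, skip the property instead. The memory model change is consistent: `pemalloc(len + 1, 1)` plus `free()` in the callers becomes an estrdup'd (emalloc) string handed to Zend with dup = 0. Minor: `addresstmp = addresslist;` is assigned twice, before and after the write call, so the first can go, and a blank line between `#endif` and `/* {{{ _php_imap_parse_address` would keep the fold-marker spacing used elsewhere in the file.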
+@@ -3944,10 +3992,9 @@
+ 	if (en->to) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->to, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->to, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "toaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "toaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "to", paddress TSRMLS_CC);
+ 	}
+@@ -3955,10 +4002,9 @@
+ 	if (en->from) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->from, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "fromaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "fromaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "from", paddress TSRMLS_CC);
+ 	}
+@@ -3966,10 +4012,9 @@
+ 	if (en->cc) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->cc, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->cc, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "ccaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "ccaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC);
+ 	}
+@@ -3977,10 +4022,9 @@
+ 	if (en->bcc) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->bcc, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->bcc, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "bccaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "bccaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC);
+ 	}
+@@ -3988,10 +4032,9 @@
+ 	if (en->reply_to) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->reply_to, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->reply_to, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "reply_toaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "reply_toaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC);
+ 	}
+@@ -3999,10 +4042,9 @@
+ 	if (en->sender) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->sender, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->sender, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "senderaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "senderaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC);
+ 	}
+@@ -4010,10 +4052,9 @@
+ 	if (en->return_path) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->return_path, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->return_path, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "return_pathaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "return_pathaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC);
+ 	}
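Review bot: all seven sites (to, from, cc, bcc, reply_to, sender, return_path) make the same substitution, and the switch from `free(fulladdress)` to `add_property_string(..., 0)` is required rather than cosmetic: the string now comes from emalloc (estrdup or smart_str), so the old `free()` would be the wrong allocator. Since the seven blocks differ only in the field and the two property names, a small helper taking (ADDRESS *, "toaddress", "to") would shrink the next patch of this kind to a single hunk.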
--- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff ends here ---

I assume that they will all be committed in one shot, so the following VuXML
entries use 5.2.6_3 as the first version where the issues are fixed.
--- cve-2008-2829.xml begins here ---
  <vuln vid="">
    <topic>PHP 5.x -- Denial of Service and possible arbitrary code execution in the IMAP extension</topic>
    <affects>
      <package>
	<name>php5-imap</name>
	<range><lt>5.2.6_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Entry for CVE-2008-2829 says:</p>
	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829">
	<p>php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses
	obsolete API calls that allow context-dependent attackers to
	cause a denial of service (crash) and possibly execute arbitrary
	code via a long IMAP request, which triggers an "rfc822.c legacy
	routine buffer overflow" error message.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-2829</cvename>
      <url>http://bugs.php.net/bug.php?id=42862</url>
      <url>http://bugs.php.net/bug.php?id=40925</url>
      <url>http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?view=log#rev1.260</url>
    </references>
    <dates>
      <discovery>2008-06-19</discovery>
    </dates>
  </vuln>
--- cve-2008-2829.xml ends here ---

--- cve-2008-3659.xml begins here ---
  <vuln vid="">
    <topic>PHP 5.x -- buffer overflow in memnstr()</topic>
    <affects>
      <package>
	<name>php5</name>
	<range><lt>5.2.6_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Entry for CVE-2008-3659 says:</p>
	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">
	<p>Buffer overflow in the memnstr function in PHP 4.4.x before
	4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent
	attackers to cause a denial of service (crash) and possibly
	execute arbitrary code via the delimiter argument to the explode
	function.</p>
	<p>NOTE: the scope of this issue is limited since most
	applications would not use an attacker-controlled delimiter, but
	local attacks against safe_mode are feasible.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-3659</cvename>
      <url>http://news.php.net/php.cvs/52002</url>
      <url>http://www.openwall.com/lists/oss-security/2008/08/08/2</url>
    </references>
    <dates>
      <discovery>2008-08-05</discovery>
    </dates>
  </vuln>
--- cve-2008-3659.xml ends here ---

--- cve-2008-3660.xml begins here ---
  <vuln vid="">
    <topic>PHP 5.x -- Denial of Service in FastCGI mode</topic>
    <affects>
      <package>
	<name>php5</name>
	<range><lt>5.2.6_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Entry for CVE-2008-3660 says:</p>
	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660">
	<p>PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used
	as a FastCGI module, allows remote attackers to cause a denial
	of service (crash) via a request with multiple dots preceding
	the extension, as demonstrated using foo..php.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-3660</cvename>
      <url>http://news.php.net/php.cvs/51129</url>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987</url>
    </references>
    <dates>
      <discovery>2008-07-15</discovery>
    </dates>
  </vuln>
--- cve-2008-3660.xml ends here ---
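
The CVE-2008-3660 entry above reports a FastCGI crash on `foo..php`, and the cgi_main.c patch in the Fix section replaces the blanket `!strstr(script_path_translated, "..")` test, which left `path_translated` unset for such a name, with one that refuses `..` only when it is a whole path element. What follows is an added example, not code from this PR or from PHP: it models the two policies side by side, writing the new one as a general element scanner rather than the strstr loop in the patch, so the difference on the CVE's trigger and on a real traversal is visible. The path strings are constructed test inputs.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not PHP's code. Two policies for a translated script path:
 * the pre-fix blanket substring test, and a component-wise test that only
 * refuses ".." when it is an entire path element. Both treat '/' and '\\'
 * as separators, as IS_SLASH does in PHP's CGI SAPI. */

/* Pre-fix behaviour of sapi/cgi: any ".." anywhere disqualifies the path.
 * Returns 1 if the path would have been accepted (path_translated set). */
int old_path_check(const char *path)
{
    return path != NULL && strstr(path, "..") == NULL;
}

/* Component-wise check: walk the path element by element and reject only an
 * element that is exactly "..". "foo..php" and "a/..b" are ordinary names. */
int component_path_check(const char *path)
{
    const char *start;   /* first byte of the element being scanned */
    const char *p;

    if (path == NULL) {
        return 0;
    }
    for (start = p = path; ; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (p - start == 2 && start[0] == '.' && start[1] == '.') {
                return 0;   /* a whole element is "..": directory traversal */
            }
            if (*p == '\0') {
                break;
            }
            start = p + 1;
        }
    }
    return 1;
}

/* Constructed inputs: the CVE trigger, look-alikes, and real traversals. */
static const char *const samples[] = {
    "/var/www/foo..php",            /* CVE-2008-3660 trigger: dots inside a name */
    "/var/www/a..b/c.php",
    "/var/www/.../c.php",           /* three dots are not a traversal element */
    "/var/www/../etc/passwd",
    "../etc/passwd",
    "/var/www/..",
    "C:\\www\\..\\boot.ini",
    "..",
};

int main(void)
{
    size_t i;

    printf("%-28s %-8s %s\n", "path", "old", "component");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-28s %-8s %s\n", samples[i],
               old_path_check(samples[i]) ? "accept" : "reject",
               component_path_check(samples[i]) ? "accept" : "reject");
    }
    return 0;
}
```

Compiled with `cc -Wall`, the table shows the old test rejecting the first three paths (which is what left `path_translated` unset for `foo..php`) while both tests refuse every real `..` element, on both separator styles. The scanner accepts `...` because that is an ordinary name on POSIX and Windows; it does not normalise the path, so it belongs in front of, not instead of, the web server's document-root checks.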
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->miwi 
Responsible-Changed-By: miwi 
Responsible-Changed-When: Tue Nov 18 11:50:28 UTC 2008 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128956 
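
The php5-imap patch in this PR replaces `rfc822_write_address()` into a fixed `char address[MAILTMPLEN]` with c-client's `rfc822_output_address_list()` driven through an `RFC822BUFFER` whose flush callback appends to a `smart_str`. The following is an added example, not c-client, PHP or PR code: it models that staging-buffer plus flush-callback pattern with a toy `outbuf`, `dyn_str` and `address` record (all assumed, simplified stand-ins), and shows that the stack array only bounds the chunk size, never the total output, including the `end = beg + size - 1` reservation for the terminator that the patch also makes. The address lists are constructed test data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not c-client or PHP code: a model of the staging-buffer plus
 * flush-callback pattern that the CVE-2008-2829 fix switches to. */
typedef struct { char *c; size_t len, cap; } dyn_str;   /* stand-in for smart_str */

static void dyn_append(dyn_str *s, const char *data, size_t n)
{
    if (s->len + n + 1 > s->cap) {
        s->cap = (s->len + n + 1) * 2;
        if (!(s->c = realloc(s->c, s->cap))) abort();
    }
    memcpy(s->c + s->len, data, n);
    s->len += n;
    s->c[s->len] = '\0';
}

/* Model of RFC822BUFFER: beg..end is the staging area and f receives each
 * NUL-terminated chunk; end is set one byte short of the array (see below). */
typedef struct { char *beg, *cur, *end; void *s; long (*f)(void *, char *); } outbuf;

static void outbuf_flush(outbuf *b)
{
    *b->cur = '\0';                 /* cur <= end == last array byte: in bounds */
    b->f(b->s, b->beg);
    b->cur = b->beg;
}

static void outbuf_puts(outbuf *b, const char *str)
{
    for (; *str; str++) {
        if (b->cur == b->end) outbuf_flush(b);   /* staging full: hand it off */
        *b->cur++ = *str;
    }
}

/* Simplified address record (assumed; c-client's ADDRESS has more fields). */
typedef struct address { const char *personal, *mailbox, *host; struct address *next; } address;

/* Writes "Name <mailbox@host>, mailbox@host, ..." for the whole list. No size
 * precomputation: however long the list, only the staging array is on the stack. */
static void write_address_list(outbuf *b, const address *a)
{
    for (; a; a = a->next) {
        if (a->personal) { outbuf_puts(b, a->personal); outbuf_puts(b, " <"); }
        outbuf_puts(b, a->mailbox); outbuf_puts(b, "@"); outbuf_puts(b, a->host);
        outbuf_puts(b, a->personal ? ">" : "");
        if (a->next) outbuf_puts(b, ", ");
    }
}

/* Flush callback: append the chunk to the dynamic string. */
static long collect(void *s, char *chunk) { dyn_append(s, chunk, strlen(chunk)); return 1; }

/* Returns a heap string the caller frees (the PR's version hands it to Zend). */
char *format_addresses(const address *list)
{
    char staging[64];                      /* deliberately tiny to force flushes */
    dyn_str out = { NULL, 0, 0 };
    outbuf b;
    b.beg = b.cur = staging;
    b.end = b.beg + sizeof(staging) - 1;   /* reserve the last byte for the NUL */
    b.s = &out;
    b.f = collect;
    write_address_list(&b, list);
    outbuf_flush(&b);
    return out.c;
}

/* Constructed two-entry list; 42 bytes, so it fits in a single chunk. */
char *format_pair_example(void)
{
    address bob = { NULL, "bob", "example.net", NULL };
    address alice = { "Alice", "alice", "example.org", &bob };
    return format_addresses(&alice);
}

/* Constructed list of n "u@example.org" entries: 13*n + 2*(n-1) bytes of output. */
char *format_n_uniform(int n)
{
    address *nodes = calloc((size_t)n, sizeof *nodes);
    for (int i = 0; i < n; i++) {
        nodes[i].mailbox = "u";
        nodes[i].host = "example.org";
        nodes[i].next = i + 1 < n ? &nodes[i + 1] : NULL;
    }
    char *s = format_addresses(nodes);
    free(nodes);
    return s;
}

int main(void)
{
    char *pair = format_pair_example(), *many = format_n_uniform(100);
    printf("%s\n%zu bytes for 100 addresses through a 64-byte staging buffer\n", pair, strlen(many));
    free(pair); free(many);
    return 0;
}
```

The 100-entry list produces 1498 bytes through a 64-byte stack array, with flushes every 63 bytes, which is the property the fix relies on: the caller no longer has to predict the formatted size (the old `_php_imap_address_size` check) because the formatter never writes past `end`. The fallback branch of the patch keeps the size check instead, which is why it still needs the SENDBUFLEN limit.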

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Jille Timmermans <jille@quis.cx>
Cc: bug-followup@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP
	5.2.6
Date: Tue, 18 Nov 2008 15:29:08 +0300

 Jille, good day.
 
 Tue, Nov 18, 2008 at 01:22:09PM +0100, Jille Timmermans wrote:
 > I think there is a typo in the vuxml descriptions:
 >  "PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6"
 > (PHP 5.6 doesn't exist (yet))
 
 Yes: it was written that way in the CVE entry.  I had spotted this,
 but was not sure how to handle it.  Perhaps the VuXML entry should really
 say "PHP 5.2 through 5.2.6" to avoid confusing readers.
 
 Thanks for spotting this!
 -- 
 Eygene
  _                ___       _.--.   #
  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
  /  ' `         ,       __.--'      #  to read the on-line manual
  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
     {_.-``-'         {_/            #
 

From: Jille Timmermans <jille@quis.cx>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: FreeBSD-gnats-submit@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP
 5.2.6
Date: Tue, 18 Nov 2008 13:22:09 +0100

 I think there is a typo in the vuxml descriptions:
  "PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6"
 (PHP 5.6 doesn't exist (yet))
 
 -- Jille
 
 Eygene Ryabinkin wrote:
 >> Number:         128956
 >> Category:       ports
 >> Synopsis:       [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
 >> Confidential:   no
 >> Severity:       serious
 >> Priority:       high
 >> Responsible:    freebsd-ports-bugs
 >> State:          open
 >> Quarter:        
 >> Keywords:       
 >> Date-Required:
 >> Class:          sw-bug
 >> Submitter-Id:   current-users
 >> Arrival-Date:   Tue Nov 18 10:40:00 UTC 2008
 >> Closed-Date:
 >> Last-Modified:
 >> Originator:     Eygene Ryabinkin
 >> Release:        FreeBSD 7.1-PRERELEASE amd64
 >> Organization:
 >>     
 > Code Labs
 >   
 >> Environment:
 >>     
 >
 > System: FreeBSD 7.1-PRERELEASE amd64
 >
 >   
 >> Description:
 >>     
 >
 > There are some vulnerabilities in the stock PHP 5.2.6 that were silently
 > fixed in the CVS, but after 5.2.6 was out.
 >
 >   
 >> How-To-Repeat:
 >>     
 >
 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
 >
 >   
 >> Fix:
 >>     
 >
 > The following patches should fix all three issues.  I had mildly
 > tested them in my setups.
 > --- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff begins here ---
 > diff -urN ./Makefile ../php5/Makefile
 > --- ./Makefile	2008-11-18 11:49:16.000000000 +0300
 > +++ ../php5/Makefile	2008-11-18 11:49:27.000000000 +0300
 > @@ -7,7 +7,7 @@
 >  
 >  PORTNAME=	php5
 >  PORTVERSION=	5.2.6
 > -PORTREVISION?=	2
 > +PORTREVISION?=	3
 >  CATEGORIES?=	lang devel www
 >  MASTER_SITES=	${MASTER_SITE_PHP}
 >  MASTER_SITE_SUBDIR=	distributions
 > diff -urN ./files/patch-CVE-2008-3659 ../php5/files/patch-CVE-2008-3659
 > --- ./files/patch-CVE-2008-3659	1970-01-01 03:00:00.000000000 +0300
 > +++ ../php5/files/patch-CVE-2008-3659	2008-11-18 11:49:55.000000000 +0300
 > @@ -0,0 +1,27 @@
 > +Patch for CVE-2008-3659.
 > +
 > +Obtained from: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
 > +See also: http://news.php.net/php.cvs/52002
 > +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
 > +
 > +--- Zend/zend_operators.h	2007/12/31 07:20:03	1.94.2.4.2.11
 > ++++ Zend/zend_operators.h	2008/08/05 20:11:17	1.94.2.4.2.12
 > +@@ -17,7 +17,7 @@
 > +    +----------------------------------------------------------------------+
 > + */
 > + 
 > +-/* $Id: zend_operators.h,v 1.94.2.4.2.11 2007/12/31 07:20:03 sebastian Exp $ */
 > ++/* $Id: zend_operators.h,v 1.94.2.4.2.12 2008/08/05 20:11:17 stas Exp $ */
 > + 
 > + #ifndef ZEND_OPERATORS_H
 > + #define ZEND_OPERATORS_H
 > +@@ -220,6 +220,9 @@
 > + 	char *p = haystack;
 > + 	char ne = needle[needle_len-1];
 > + 
 > ++	if(needle_len > end-haystack) {
 > ++		return NULL;
 > ++	}
 > + 	end -= needle_len;
 > + 
 > + 	while (p <= end) {
 > diff -urN ./files/patch-CVE-2008-3660 ../php5/files/patch-CVE-2008-3660
 > --- ./files/patch-CVE-2008-3660	1970-01-01 03:00:00.000000000 +0300
 > +++ ../php5/files/patch-CVE-2008-3660	2008-11-18 12:15:23.000000000 +0300
 > @@ -0,0 +1,82 @@
 > +Patch for CVE-2008-3660
 > +
 > +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch
 > +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
 > +See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987
 > +Notes: removed 'Id' hunk and reapplied this patch for the php-5.2.6
 > +
 > +--- sapi/cgi/cgi_main.c.orig	2008-04-09 13:16:40.000000000 +0400
 > ++++ sapi/cgi/cgi_main.c	2008-11-18 12:08:10.000000000 +0300
 > +@@ -765,6 +765,39 @@
 > + }
 > + /* }}} */
 > + 
 > ++/* {{{ is_valid_path
 > ++ *
 > ++ * some server configurations allow '..' to slip through in the
 > ++ * translated path.   We'll just refuse to handle such a path.
 > ++ */
 > ++static int is_valid_path(const char *path)
 > ++{
 > ++	const char *p;
 > ++
 > ++	if (!path) {
 > ++		return 0;
 > ++	}
 > ++	p = strstr(path, "..");
 > ++	if (p) {
 > ++		if ((p == path || IS_SLASH(*(p-1))) &&
 > ++		    (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
 > ++			return 0;
 > ++		}
 > ++		while (1) {
 > ++			p = strstr(p+1, "..");
 > ++			if (!p) {
 > ++				break;
 > ++			}
 > ++			if (IS_SLASH(*(p-1)) &&
 > ++			    (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
 > ++					return 0;
 > ++			}
 > ++		}
 > ++	}
 > ++	return 1;
 > ++}
 > ++/* }}} */
 > ++
 > + /* {{{ init_request_info
 > + 
 > +   initializes request_info structure
 > +@@ -1061,9 +1094,7 @@
 > + 				if (pt) {
 > + 					efree(pt);
 > + 				}
 > +-				/* some server configurations allow '..' to slip through in the
 > +-				   translated path.   We'll just refuse to handle such a path. */
 > +-				if (script_path_translated && !strstr(script_path_translated, "..")) {
 > ++				if (is_valid_path(script_path_translated)) {
 > + 					SG(request_info).path_translated = estrdup(script_path_translated);
 > + 				}
 > + 			} else {
 > +@@ -1094,9 +1125,7 @@
 > + 				} else {
 > + 					SG(request_info).request_uri = env_script_name;
 > + 				}
 > +-				/* some server configurations allow '..' to slip through in the
 > +-				   translated path.   We'll just refuse to handle such a path. */
 > +-				if (script_path_translated && !strstr(script_path_translated, "..")) {
 > ++				if (is_valid_path(script_path_translated)) {
 > + 					SG(request_info).path_translated = estrdup(script_path_translated);
 > + 				}
 > + 				free(real_path);
 > +@@ -1114,9 +1143,7 @@
 > + 				script_path_translated = env_path_translated;
 > + 			}
 > + #endif
 > +-			/* some server configurations allow '..' to slip through in the
 > +-			   translated path.   We'll just refuse to handle such a path. */
 > +-			if (script_path_translated && !strstr(script_path_translated, "..")) {
 > ++			if (is_valid_path(script_path_translated)) {
 > + 				SG(request_info).path_translated = estrdup(script_path_translated);
 > + 			}
 > + #if ENABLE_PATHINFO_CHECK
 > --- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff ends here ---
 >
 > --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff begins here ---
 > diff -urN ./files/patch-CVE-2008-2829 ../php5-imap/files/patch-CVE-2008-2829
 > --- ./files/patch-CVE-2008-2829	1970-01-01 03:00:00.000000000 +0300
 > +++ ../php5-imap/files/patch-CVE-2008-2829	2008-11-18 13:20:19.000000000 +0300
 > @@ -0,0 +1,282 @@
 > +Fix for CVE-2008-2829
 > +
 > +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.259&r2=1.260&view=patch
 > +Notes: reapplied to php-5.6.2, skipped 'Id' hunk and modified hunk marked
 > +       '-3213,7 +3214,7'.
 > +
 > +--- php_imap.c.orig	2008-04-17 15:04:49.000000000 +0400
 > ++++ php_imap.c	2008-11-18 13:03:02.000000000 +0300
 > +@@ -40,6 +40,7 @@
 > + #include "ext/standard/php_string.h"
 > + #include "ext/standard/info.h"
 > + #include "ext/standard/file.h"
 > ++#include "ext/standard/php_smart_str.h"
 > + 
 > + #ifdef ERROR
 > + #undef ERROR
 > +@@ -66,10 +67,11 @@
 > + #define SENDBUFLEN 16385
 > + #endif
 > + 
 > ++
 > + static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC);
 > + static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC);
 > +-static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC);
 > +-static int _php_imap_address_size(ADDRESS *addresslist);
 > ++static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress TSRMLS_DC);
 > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC);
 > + 
 > + /* the gets we use */
 > + static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md);
 > +@@ -2109,7 +2111,7 @@
 > + {
 > + 	zval **mailbox, **host, **personal;
 > + 	ADDRESS *addr;
 > +-	char string[MAILTMPLEN];
 > ++	char *string;
 > + 
 > + 	if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, &personal) == FAILURE) {
 > + 		ZEND_WRONG_PARAM_COUNT();
 > +@@ -2137,13 +2139,12 @@
 > + 	addr->error=NIL;
 > + 	addr->adl=NIL;
 > + 
 > +-	if (_php_imap_address_size(addr) >= MAILTMPLEN) {
 > ++	string = _php_rfc822_write_address(addr TSRMLS_CC);
 > ++	if (string) {
 > ++		RETVAL_STRING(string, 0);
 > ++	} else {
 > + 		RETURN_FALSE;
 > + 	}
 > +-
 > +-	string[0]='\0';
 > +-	rfc822_write_address(string, addr);
 > +-	RETVAL_STRING(string, 1);
 > + }
 > + /* }}} */
 > + 
 > +@@ -2873,7 +2874,7 @@
 > +  	zval **streamind, **sequence, **pflags;
 > + 	pils *imap_le_struct;
 > + 	zval *myoverview;
 > +-	char address[MAILTMPLEN];
 > ++	char *address;
 > + 	long status, flags=0L;
 > + 	int myargc = ZEND_NUM_ARGS();
 > + 	
 > +@@ -2908,17 +2909,19 @@
 > + 				if (env->subject) {
 > + 					add_property_string(myoverview, "subject", env->subject, 1);
 > + 				}
 > +-				if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) {
 > ++				if (env->from) {
 > + 					env->from->next=NULL;
 > +-					address[0] = '\0';
 > +-					rfc822_write_address(address, env->from);
 > +-					add_property_string(myoverview, "from", address, 1);
 > ++					address =_php_rfc822_write_address(env->from TSRMLS_CC);
 > ++					if (address) {
 > ++						add_property_string(myoverview, "from", address, 0);
 > ++					}
 > + 				}
 > +-				if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) {
 > ++				if (env->to) {
 > + 					env->to->next = NULL;
 > +-					address[0] = '\0';
 > +-					rfc822_write_address(address, env->to);
 > +-					add_property_string(myoverview, "to", address, 1);
 > ++					address = _php_rfc822_write_address(env->to TSRMLS_CC);
 > ++					if (address) {
 > ++						add_property_string(myoverview, "to", address, 0);
 > ++					}
 > + 				}
 > + 				if (env->date) {
 > + 					add_property_string(myoverview, "date", env->date, 1);
 > +@@ -3858,6 +3861,43 @@
 > + /* }}} */
 > + 
 > + /* Support Functions */
 > ++
 > ++#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST
 > ++/* {{{ _php_rfc822_soutr
 > ++ */
 > ++static long _php_rfc822_soutr (void *stream, char *string)
 > ++{
 > ++	smart_str *ret = (smart_str*)stream;
 > ++	int len = strlen(string);
 > ++
 > ++	smart_str_appendl(ret, string, len);	
 > ++	return LONGT;
 > ++}
 > ++
 > ++/* }}} */
 > ++
 > ++/* {{{ _php_rfc822_write_address
 > ++ */
 > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC)
 > ++{
 > ++	char address[MAILTMPLEN];
 > ++	smart_str ret = {0};
 > ++	RFC822BUFFER buf;
 > ++
 > ++	buf.beg = address;
 > ++	buf.cur = buf.beg;
 > ++	buf.end = buf.beg + sizeof(address) - 1;
 > ++	buf.s = &ret;
 > ++	buf.f = _php_rfc822_soutr;
 > ++	rfc822_output_address_list(&buf, addresslist, 0, NULL);
 > ++	rfc822_output_flush(&buf);
 > ++	smart_str_0(&ret);
 > ++	return ret.c;
 > ++}
 > ++/* }}} */
 > ++
 > ++#else
 > ++
 > + /* {{{ _php_imap_get_address_size
 > +  */
 > + static int _php_imap_address_size (ADDRESS *addresslist)
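 Review bot: `_php_rfc822_write_address()` in this branch discards the
 `long` results of `rfc822_output_address_list()` and
 `rfc822_output_flush()`, so an output failure inside c-client comes back
 as a silently truncated string instead of NULL; checking both and
 returning NULL (after `smart_str_free(&ret)`) would keep the callers'
 `if (address)` tests meaningful. Two smaller points: `int len =
 strlen(string);` narrows a `size_t`, and the
 `smart_str_appendl(ret, string, len);` line carries trailing whitespace.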
 > +@@ -3887,26 +3927,33 @@
 > + 
 > + /* }}} */
 > + 
 > ++/* {{{ _php_rfc822_write_address
 > ++ */
 > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC)
 > ++{
 > ++	char address[SENDBUFLEN];
 > + 
 > ++	if (_php_imap_address_size(addresslist) >= SENDBUFLEN) {
 > ++		php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow");
 > ++		return NULL;
 > ++	}
 > ++	address[0] = 0;
 > ++	rfc822_write_address(address, addresslist);
 > ++	return estrdup(address);
 > ++}
 > ++/* }}} */
 > ++#endif
 > + /* {{{ _php_imap_parse_address
 > +  */
 > +-static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC)
 > ++static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress TSRMLS_DC)
 > + {
 > ++	char *fulladdress;
 > + 	ADDRESS *addresstmp;
 > + 	zval *tmpvals;
 > +-	char *tmpstr;
 > +-	int len=0;
 > + 		
 > + 	addresstmp = addresslist;
 > + 
 > +-	if ((len = _php_imap_address_size(addresstmp))) {
 > +-		tmpstr = (char *) pemalloc(len + 1, 1);
 > +-		tmpstr[0] = '\0';
 > +-		rfc822_write_address(tmpstr, addresstmp);
 > +-		*fulladdress = tmpstr;
 > +-	} else {
 > +-		*fulladdress = NULL;
 > +-	}
 > ++	fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC);
 > + 	
 > + 	addresstmp = addresslist;
 > + 	do {
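 Review bot: in the fallback `_php_rfc822_write_address()`,
 `php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow")` is
 fatal, so the `return NULL;` after it is unreachable and the NULL checks
 at every caller are dead code on this build; an `E_WARNING` followed by
 `return NULL;` would still refuse to write past `SENDBUFLEN` while letting
 callers skip the address as the old `MAILTMPLEN` guards did. The rewritten
 `_php_imap_parse_address()` also drops the `pemalloc(len + 1, 1)`
 persistent allocation that callers released with `free()`; its header
 comment should say the returned string is now emalloc'd and owned by the
 caller, because that is what justifies the dup=0 change at the call sites.
 Style: a blank line between `#endif` and `/* {{{ _php_imap_parse_address`
 would match the surrounding layout.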
 > +@@ -3918,6 +3965,7 @@
 > + 		if (addresstmp->host) add_property_string(tmpvals, "host", addresstmp->host, 1);
 > + 		add_next_index_object(paddress, tmpvals TSRMLS_CC);
 > + 	} while ((addresstmp = addresstmp->next));
 > ++	return fulladdress;
 > + }
 > + /* }}} */
 > + 
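 Review bot: `return fulladdress;` can yield NULL as well as an emalloc'd
 string that the caller owns; the function comment should document that
 contract, since every caller relies on it for both the
 `if (fulladdress)` test and the dup=0 hand-over to `add_property_string`.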
 > +@@ -3944,10 +3992,9 @@
 > + 	if (en->to) {
 > + 		MAKE_STD_ZVAL(paddress);
 > + 		array_init(paddress);
 > +-		_php_imap_parse_address(en->to, &fulladdress, paddress TSRMLS_CC);
 > ++		fulladdress = _php_imap_parse_address(en->to, paddress TSRMLS_CC);
 > + 		if (fulladdress) {
 > +-			add_property_string(myzvalue, "toaddress", fulladdress, 1);
 > +-			free(fulladdress);
 > ++			add_property_string(myzvalue, "toaddress", fulladdress, 0);
 > + 		}
 > + 		add_assoc_object(myzvalue, "to", paddress TSRMLS_CC);
 > + 	}
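 Review bot: removing `free(fulladdress)` together with the dup flag change
 from 1 to 0 is correct only because `_php_imap_parse_address()` no longer
 returns `pemalloc(..., 1)` memory; the identical edit is repeated for
 from, cc, bcc, reply_to, sender and return_path in the six hunks that
 follow, so a small helper taking the ADDRESS pointer and the two property
 names would remove seven copies of this block and keep the ownership rule
 in one place.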
 > +@@ -3955,10 +4002,9 @@
 > + 	if (en->from) {
 > + 		MAKE_STD_ZVAL(paddress);
 > + 		array_init(paddress);
 > +-		_php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC);
 > ++		fulladdress = _php_imap_parse_address(en->from, paddress TSRMLS_CC);
 > + 		if (fulladdress) {
 > +-			add_property_string(myzvalue, "fromaddress", fulladdress, 1);
 > +-			free(fulladdress);
 > ++			add_property_string(myzvalue, "fromaddress", fulladdress, 0);
 > + 		}
 > + 		add_assoc_object(myzvalue, "from", paddress TSRMLS_CC);
 > + 	}
 > +@@ -3966,10 +4012,9 @@
 > + 	if (en->cc) {
 > + 		MAKE_STD_ZVAL(paddress);
 > + 		array_init(paddress);
 > +-		_php_imap_parse_address(en->cc, &fulladdress, paddress TSRMLS_CC);
 > ++		fulladdress = _php_imap_parse_address(en->cc, paddress TSRMLS_CC);
 > + 		if (fulladdress) {
 > +-			add_property_string(myzvalue, "ccaddress", fulladdress, 1);
 > +-			free(fulladdress);
 > ++			add_property_string(myzvalue, "ccaddress", fulladdress, 0);
 > + 		}
 > + 		add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC);
 > + 	}
 > +@@ -3977,10 +4022,9 @@
 > + 	if (en->bcc) {
 > + 		MAKE_STD_ZVAL(paddress);
 > + 		array_init(paddress);
 > +-		_php_imap_parse_address(en->bcc, &fulladdress, paddress TSRMLS_CC);
 > ++		fulladdress = _php_imap_parse_address(en->bcc, paddress TSRMLS_CC);
 > + 		if (fulladdress) {
 > +-			add_property_string(myzvalue, "bccaddress", fulladdress, 1);
 > +-			free(fulladdress);
 > ++			add_property_string(myzvalue, "bccaddress", fulladdress, 0);
 > + 		}
 > + 		add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC);
 > + 	}
 > +@@ -3988,10 +4032,9 @@
 > + 	if (en->reply_to) {
 > + 		MAKE_STD_ZVAL(paddress);
 > + 		array_init(paddress);
 > +-		_php_imap_parse_address(en->reply_to, &fulladdress, paddress TSRMLS_CC);
 > ++		fulladdress = _php_imap_parse_address(en->reply_to, paddress TSRMLS_CC);
 > + 		if (fulladdress) {
 > +-			add_property_string(myzvalue, "reply_toaddress", fulladdress, 1);
 > +-			free(fulladdress);
 > ++			add_property_string(myzvalue, "reply_toaddress", fulladdress, 0);
 > + 		}
 > + 		add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC);
 > + 	}
 > +@@ -3999,10 +4042,9 @@
 > + 	if (en->sender) {
 > + 		MAKE_STD_ZVAL(paddress);
 > + 		array_init(paddress);
 > +-		_php_imap_parse_address(en->sender, &fulladdress, paddress TSRMLS_CC);
 > ++		fulladdress = _php_imap_parse_address(en->sender, paddress TSRMLS_CC);
 > + 		if (fulladdress) {
 > +-			add_property_string(myzvalue, "senderaddress", fulladdress, 1);
 > +-			free(fulladdress);
 > ++			add_property_string(myzvalue, "senderaddress", fulladdress, 0);
 > + 		}
 > + 		add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC);
 > + 	}
 > +@@ -4010,10 +4052,9 @@
 > + 	if (en->return_path) {
 > + 		MAKE_STD_ZVAL(paddress);
 > + 		array_init(paddress);
 > +-		_php_imap_parse_address(en->return_path, &fulladdress, paddress TSRMLS_CC);
 > ++		fulladdress = _php_imap_parse_address(en->return_path, paddress TSRMLS_CC);
 > + 		if (fulladdress) {
 > +-			add_property_string(myzvalue, "return_pathaddress", fulladdress, 1);
 > +-			free(fulladdress);
 > ++			add_property_string(myzvalue, "return_pathaddress", fulladdress, 0);
 > + 		}
 > + 		add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC);
 > + 	}
 > --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff ends here ---
 >
 > I assume that they all will go in one shot, so the following VuXML
 > entries use 5.2.6_3 as the first version where issues were fixed.
 > --- cve-2008-2829.xml begins here ---
 >   <vuln vid="">
 >     <topic>PHP 5.x -- Denial of Service and possible arbitrary code execution in the IMAP extension</topic>
 >     <affects>
 >       <package>
 > 	<name>php5-imap</name>
 > 	<range><lt>5.2.6_3</lt></range>
 >       </package>
 >     </affects>
 >     <description>
 >       <body xmlns="http://www.w3.org/1999/xhtml">
 > 	<p>Entry for CVE-2008-2829 says:</p>
 > 	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829">
 > 	<p>php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses
 > 	obsolete API calls that allow context-dependent attackers to
 > 	cause a denial of service (crash) and possibly execute arbitrary
 > 	code via a long IMAP request, which triggers an "rfc822.c legacy
 > 	routine buffer overflow" error message.</p>
 > 	</blockquote>
 >       </body>
 >     </description>
 >     <references>
 >       <cvename>CVE-2008-2829</cvename>
 >       <url>http://bugs.php.net/bug.php?id=42862</url>
 >       <url>http://bugs.php.net/bug.php?id=40925</url>
 >       <url>http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?view=log#rev1.260</url>
 >     </references>
 >     <dates>
 >       <discovery>2008-06-19</discovery>
 >     </dates>
 >   </vuln>
 > --- cve-2008-2829.xml ends here ---
 >
 > --- cve-2008-3659.xml begins here ---
 >   <vuln vid="">
 >     <topic>PHP 5.x -- buffer overflow in the memnstr()</topic>
 >     <affects>
 >       <package>
 > 	<name>php5</name>
 > 	<range><lt>5.2.6_3</lt></range>
 >       </package>
 >     </affects>
 >     <description>
 >       <body xmlns="http://www.w3.org/1999/xhtml">
 > 	<p>Entry for CVE-2008-3659 says:</p>
 > 	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">
 > 	<p>Buffer overflow in the memnstr function in PHP 4.4.x before
 > 	4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent
 > 	attackers to cause a denial of service (crash) and possibly
 > 	execute arbitrary code via the delimiter argument to the explode
 > 	function.</p>
 > 	<p>NOTE: the scope of this issue is limited since most
 > 	applications would not use an attacker-controlled delimiter, but
 > 	local attacks against safe_mode are feasible.</p>
 > 	</blockquote>
 >       </body>
 >     </description>
 >     <references>
 >       <cvename>CVE-2008-3659</cvename>
 >       <url>http://news.php.net/php.cvs/52002</url>
 >       <url>http://www.openwall.com/lists/oss-security/2008/08/08/2</url>
 >     </references>
 >     <dates>
 >       <discovery>2008-08-05</discovery>
 >     </dates>
 >   </vuln>
 > --- cve-2008-3659.xml ends here ---
 >
 > --- cve-2008-3660.xml begins here ---
 >   <vuln vid="">
 >     <topic>PHP 5.x -- Denial of Service in the FastCGI mode</topic>
 >     <affects>
 >       <package>
 > 	<name>php5</name>
 > 	<range><lt>5.2.6_3</lt></range>
 >       </package>
 >     </affects>
 >     <description>
 >       <body xmlns="http://www.w3.org/1999/xhtml">
 > 	<p>Entry for CVE-2008-3660 says:</p>
 > 	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660">
 > 	<p>PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used
 > 	as a FastCGI module, allows remote attackers to cause a denial
 > 	of service (crash) via a request with multiple dots preceding
 > 	the extension, as demonstrated using foo..php.</p>
 > 	</blockquote>
 >       </body>
 >     </description>
 >     <references>
 >       <cvename>CVE-2008-3660</cvename>
 >       <url>http://news.php.net/php.cvs/51129</url>
 >       <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987</url>
 >     </references>
 >     <dates>
 >       <discovery>2008-07-15</discovery>
 >     </dates>
 >   </vuln>
 > --- cve-2008-3660.xml ends here ---

From: Jille Timmermans <jille@quis.cx>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP
 5.2.6
Date: Tue, 18 Nov 2008 13:37:13 +0100

 Good day to you too,
 
 "PHP 5.2 through 5.2.6" makes the most sense.
 However, "PHP 5.1 through" or even "PHP 5 through" are also possible.
 I don't know much about CVEs; can we provide them feedback for this typo?
 
 I think the best is to wait for the CVE to get fixed and fix it in the vuxml entry afterwards.
 I think you also had that plan ;)
 
 -- Jille
 
 
 Eygene Ryabinkin wrote:
 > Jille, good day.
 >
 > Tue, Nov 18, 2008 at 01:22:09PM +0100, Jille Timmermans wrote:
 >   
 >> I think there is a typo in the vuxml descriptions:
 >>  "PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6"
 >> (PHP 5.6 doesn't exist (yet))
 >>     
 >
 > Yes: it was written in that way at the CVE entry.  I had spotted this,
 > but was not sure how to handle this.  Perhaps the VuXML entry should really
 > say "PHP 5.2 through 5.2.6" to avoid readers' confusion.
 >
 > Thanks for spotting this!
 >   

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Jille Timmermans <jille@quis.cx>, cve@mitre.org, coley@mitre.org
Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP
	5.2.6
Date: Tue, 18 Nov 2008 17:04:29 +0300

 Steven, CVE-supporters, good day.
 
 Today I submitted FreeBSD's VuXML entry for CVE-2008-3659 and it
 seems to be erroneously saying "PHP 5.6".  Could you please try to
 follow the discussion and say something about the entry's description
 text?
 
 Tue, Nov 18, 2008 at 01:37:13PM +0100, Jille Timmermans wrote:
 > "PHP 5.2 through 5.2.6" makes the most sense.
 > However, "PHP 5.1 through" or even "PHP 5 through" are also possible.
 
 I had glanced over PHP's CVS repository: the code in question exists
 even for the PHP 5.0 branchpoint (source line 128 and below):
   http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?revision=1.88&view=markup&pathrev=PHP_5_0
 
 My built-in history tracer tells me the following story:
 
 1. Current code traces back to the zend_operators.h, rev 1.72,
    http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?view=log#rev1.72
 
 2. The function was moved to ZendEngine2/zend_operators.h from
    ext/standard/php_string.h, rev 1.74,
    http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_string.h?view=log#rev1.74
 
 3. Vulnerable code seems to be here since rev 1.40:
    http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_string.h?r1=1.39&r2=1.40&view=patch
 
 So the issue seems to have been there since some 4.0.x or even 3.x.
 
 > I don't know much about CVEs; can we provide them feedback for this typo?
 >
 > I think the best is to wait for the CVE to get fixed and fix it
 > in the vuxml entry afterwards.
 
 Yes, it will be the best thing.  So, gentlemen from the CVE maintainers
 team, it seems that the entry for CVE-2008-3659 should be fixed by
 saying "PHP 5 through 5.2.6" -- the bug seems to have existed over the
 whole lifetime of the 5.x branch.
 
 > I think you also had that plan ;)
 
 Sort of ;))
 
 Thanks to everyone!
 --
 Eygene
  _                ___       _.--.   #
  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
  /  ' `         ,       __.--'      #  to read the on-line manual
  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
     {_.-``-'         {_/            #
 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: "Steven M. Christey" <coley@linus.mitre.org>
Cc: Jille Timmermans <jille@quis.cx>, cve@mitre.org, coley@mitre.org,
	freebsd-security@freebsd.org, bug-followup@freebsd.org,
	mloveless@mitre.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP
	5.2.6
Date: Tue, 18 Nov 2008 18:53:07 +0300

 Steven,
 
 Tue, Nov 18, 2008 at 10:01:20AM -0500, Steven M. Christey wrote:
 > On Tue, 18 Nov 2008, Eygene Ryabinkin wrote:
 > It's pretty clear that the description was a typo.  It doesn't follow our
 > typical CVE description style of escalating versions when we list version
 > ranges.  Most likely I introduced this typo in the original description.
 >
 > I've internally changed it to "5.x through 5.2.6."  This will show up on
 > the public CVE web site within a day or two.
 
 OK, thanks a lot!
 
 So, the VuXML entry should be changed accordingly.  New content is
 attached.
 --
 Eygene
 
 --- vuln.xml begins here ---
   <vuln vid="">
     <topic>PHP 5.x -- buffer overflow in the memnstr()</topic>
     <affects>
       <package>
 	<name>php5</name>
 	<range><lt>5.2.6_3</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
 	<p>Entry for CVE-2008-3659 says:</p>
 	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">
 	<p>Buffer overflow in the memnstr function in PHP 4.4.x before
 	4.4.9 and PHP 5.x through 5.2.6 allows context-dependent
 	attackers to cause a denial of service (crash) and possibly
 	execute arbitrary code via the delimiter argument to the explode
 	function.</p>
 	<p>NOTE: the scope of this issue is limited since most
 	applications would not use an attacker-controlled delimiter, but
 	local attacks against safe_mode are feasible.</p>
 	</blockquote>
       </body>
     </description>
     <references>
       <cvename>CVE-2008-3659</cvename>
       <url>http://news.php.net/php.cvs/52002</url>
       <url>http://www.openwall.com/lists/oss-security/2008/08/08/2</url>
     </references>
     <dates>
       <discovery>2008-08-05</discovery>
     </dates>
   </vuln>
 --- vuln.xml ends here ---

From: "Steven M. Christey" <coley@linus.mitre.org>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: Jille Timmermans <jille@quis.cx>, cve@mitre.org, coley@mitre.org,
        freebsd-security@freebsd.org, bug-followup@freebsd.org,
        mloveless@mitre.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP
 5.2.6
Date: Tue, 18 Nov 2008 10:01:20 -0500 (EST)

 On Tue, 18 Nov 2008, Eygene Ryabinkin wrote:
 
 > Steven, CVE-supporters, good day.
 >
 > Today I submitted FreeBSD's VuXML entry for CVE-2008-3659 and it
 > seems to be erroneously saying "PHP 5.6".  Could you please try to
 > follow the discussion and say something about the entry's description
 > text?
 
 It's pretty clear that the description was a typo.  It doesn't follow our
 typical CVE description style of escalating versions when we list version
 ranges.  Most likely I introduced this typo in the original description.
 
 I've internally changed it to "5.x through 5.2.6."  This will show up on
 the public CVE web site within a day or two.
 
 Thank you for informing us!
 
 - Steve

From: "Steven M. Christey" <coley@linus.mitre.org>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: "Steven M. Christey" <coley@linus.mitre.org>,
        Jille Timmermans <jille@quis.cx>, cve@mitre.org, coley@mitre.org,
        freebsd-security@freebsd.org, bug-followup@freebsd.org,
        mloveless@mitre.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP
 5.2.6
Date: Tue, 18 Nov 2008 14:50:59 -0500 (EST)

 > So, the VuXML entry should be changed accordingly.  New content is
 > attached.
 
 Just for my own understanding, did the erroneous CVE description cause any
 extra work on your part?  What if the desc had only said "5.2 through
 5.2.6" at first?
 
 I'm asking because I'm trying to understand how people use CVE and what
 impact our errors might have on others.
 
 Thanks,
 Steve

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: "Steven M. Christey" <coley@linus.mitre.org>
Cc: Jille Timmermans <jille@quis.cx>, bug-followup@freebsd.org,
	freebsd-security@freebsd.org, mloveless@mitre.org, cve@mitre.org,
	coley@mitre.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP
	5.2.6
Date: Wed, 19 Nov 2008 12:13:03 +0300

 Steven,
 
 Tue, Nov 18, 2008 at 02:50:59PM -0500, Steven M. Christey wrote:
 > > So, the VuXML entry should be changed accordingly.  New content is
 > > attached.
 >
 > Just for my own understanding, did the erroneous CVE description cause any
 > extra work on your part?
 
 No "extra" work.  I had just copied the description from CVE and forgot
 to change the erroneous "5.6" to something more sane.  Jille was kind
 enough to point me to this.  But it was not clear where in the 5.x line
 the error was introduced.  I had crawled through the PHP CVS and had
 found that it was there for the whole 5.x line.
 
 > What if the desc had only said "5.2 through 5.2.6" at first?
 
 I think I will ask myself something like "OK, but what about PHP 5.0 and
 5.1?  Are they vulnerable?"  In principle, I _had_ asked myself about it
 and had traced the code via sources back to at least 4.x, so I had
 written '<=5.2.6_3' as the vulnerable version specification in the VuXML
 entry.  I just forgot to change the description.
 
 > I'm asking because I'm trying to understandind how people use CVE and what
 > impact our errors might have on others.
 
 It may vary, of course.  Typically, I am trying to validate CVE
 descriptions via some other sources; the most used are vendor changelogs
 and original advisories.  Source code crawling is good too, but it
 may be unavailable or a bit uneasy.  I think that generally people
 tend to trust CVE entries, but checking is always good ;))
 --
 Eygene
 

From: "Steven M. Christey" <coley@linus.mitre.org>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: "Steven M. Christey" <coley@linus.mitre.org>,
        Jille Timmermans <jille@quis.cx>, bug-followup@freebsd.org,
        freebsd-security@freebsd.org, mloveless@mitre.org, cve@mitre.org,
        coley@mitre.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP
 5.2.6
Date: Thu, 20 Nov 2008 19:04:21 -0500 (EST)

 Thank you for answering, Eygene.
 
 - Steve
Responsible-Changed-From-To: miwi->ale 
Responsible-Changed-By: miwi 
Responsible-Changed-When: Sat Nov 22 22:49:56 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer, 

please let me know when you commit these patches; I will prepare a vuxml 
entry. 

- Martin 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128956 
Responsible-Changed-From-To: ale->miwi 
Responsible-Changed-By: ale 
Responsible-Changed-When: Sun Dec 7 11:57:42 UTC 2008 
Responsible-Changed-Why:  
PHP updated. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128956 
State-Changed-From-To: open->closed 
State-Changed-By: miwi 
State-Changed-When: Sun Dec 7 12:14:35 UTC 2008 
State-Changed-Why:  
all documented. Thanks for your submission 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128956 
>Unformatted:
