Diffstat (limited to 'dev-lang/php')
-rw-r--r--dev-lang/php/Manifest18
-rw-r--r--dev-lang/php/files/php-7.4.33-CVE-2023-0567.patch114
-rw-r--r--dev-lang/php/files/php-7.4.33-CVE-2023-0568.patch37
-rw-r--r--dev-lang/php/files/php-7.4.33-CVE-2023-0662.patch48
-rw-r--r--dev-lang/php/php-7.4.33-r2.ebuild (renamed from dev-lang/php/php-8.2.1.ebuild)74
-rw-r--r--dev-lang/php/php-8.0.28.ebuild (renamed from dev-lang/php/php-8.0.26.ebuild)2
-rw-r--r--dev-lang/php/php-8.1.16.ebuild (renamed from dev-lang/php/php-8.1.13.ebuild)2
-rw-r--r--dev-lang/php/php-8.2.3.ebuild (renamed from dev-lang/php/php-8.2.0.ebuild)2
8 files changed, 246 insertions, 51 deletions
diff --git a/dev-lang/php/Manifest b/dev-lang/php/Manifest
index 1ffa09137faa..9b54cb009311 100644
--- a/dev-lang/php/Manifest
+++ b/dev-lang/php/Manifest
@@ -1,27 +1,29 @@
AUX 20php5-envd 208 BLAKE2B 7d876903c7f58ab148e1d6bb2b0d86cb9f5ecd241bc00e92138d30e6272b277fddbe2ee233c82e6420c1ea42d493b872d975ed06295ba7502be5c26afa458f5a SHA512 5ddd373d586800a112666b21e449342028ccf60f4f7f1a87f4913e75f718ded881590bed79cbeff75c581a24acb8b46403f2bf496cd05f264b4f9f1e6c5e86fe
AUX bug81656-gcc-11.patch 1953 BLAKE2B d682840f380693799fa1cf214d199b08862396bc795e88ac9a6ed0c0d12c6b04883301414ea5c3a2d28e204225787d546d3505322280df27105af3ce9d299139 SHA512 11e4c777538b00080cbdfb1a759064368582f894711fc1ff7828a0289d25770bc7a49c768a2a5fef2f89a04b3d9392a78ca0649dd05c67c30cb298320b115edb
AUX php-7.4.33-CVE-2022-31631.patch 1836 BLAKE2B 63a250c6ec5c1b3608f5e2b61118d8903fce8b37764088c57bb6acc82a068b326af4235bd05f21c35a5399616a06dce34a81db71a2b2f558365e220529fc216b SHA512 aca1d76f9674f1602bd8be090bc20f66a64672ea1e6b2a3f76213f285bc8c52159b5495ae1c8c47320229c4c018b73b4d97e4d94837e1876602fa13e39df1cd1
+AUX php-7.4.33-CVE-2023-0567.patch 2780 BLAKE2B a35b8f7d24cfb8a325f65e465bd440930876f4b188d1ea5c12d616da39ec75809c13f9e37d08dc5245c7412f21899018f867681ecf89213fc5e7a1b01cb0dd41 SHA512 cdbbe235791027b804c8bbc71a203f954628cbf27af99be34c750dab3c8bf8e3928af87adb87ffe09b2d011c19ed5b339e345d5a55a7053fc82d4c72ba08e8b7
+AUX php-7.4.33-CVE-2023-0568.patch 1327 BLAKE2B ab7ad1f83bfeef8da091f159d41371d0f89e3dbcb79c1b7bec7bb76b329c60d2d10e0c6ef9c5c959a57846466a778345e697099e5c2a9555733918cc2faf41f4 SHA512 6015f6025e4e5e29aa699ef9a4b4b28a8f756cca0e83a4e2311c1735f25ef89395d4ea2c143ec45b375128f66b99a4b788e8bfb28d9ee74566345696a1a3c2f0
+AUX php-7.4.33-CVE-2023-0662.patch 1992 BLAKE2B d436b763a0131c1992e69821df1f8c5d7cfdc151c9470671189dd76acdf295d3108030a273d2c3314bf97c0e06a286541a64312a95d6b9bdea0c912a90db7e0d SHA512 71cda55f019b7dd3d74c598dc93e81674bf6954bee4fb37c325ca4b8449b6a1340d61ccd1f9b9f0ba86b9cb3069221614f9b50a01de674c157bf47d7906e25a7
AUX php-fpm_at-simple.service 316 BLAKE2B 0ba10f3e3b004fbf14956e1e4f04f59b8a127e6717fe6b92c09b9f931033a11551c75fbbee9010f6b694c5a8758ca0eec9eed457ae304ba0dea8f2c256c3b8d4 SHA512 7367a3f8d3874f8e0c76f331ba613a0250db02f60ad9f87affaf448dcb5bc34bcecb91d88f415764a12b24b46ae3d1b738a002af9f77a4b707e916e83a0021fd
AUX php-fpm_at.service 317 BLAKE2B f13fc38fcc0575a8517ee8d07b120efda37eabd2355061d0fdc303604c6b02ad42d7301180d86c977d5e585f5dd685343c592e37a6e0f44933707be79e0b77e0 SHA512 27982f9e2d958bfa75c89c7d3531e48d17fc388b1cdcbc8e09051b236b1184ee2baabdfcc567c19d9fcd067d4b3b86f171015616d8da42fccdabd89432d865e8
AUX php-iodbc-header-location.patch 481 BLAKE2B 9ea6a5d529dc7a8c78eeee800900372bc14309a05e352b2838da32e1384b61b507fdb623c9400094aa5b637eb1a87da92c72600eff79b18b8989ef90af56a0fa SHA512 86469f657d8807f005c28fd2149770c881add8f243fdfea087956c7987277597fe400a7af23f624f26da270356604717ed9cd04771154d7cf2ffe7237972372b
AUX php80-firebird-warnings.patch 1949 BLAKE2B ab1b693afe26b6529aab8628f9a614478c388ed23603ad1dd4d17b63154d535a3e4c2db04fe27fb22a3d7e1335e368ffd383ed24647ac53ac05170ec3e1beb75 SHA512 d37815ea529167d4959aef056a3a0be6902ee4cda809a48c24299b05ff6477ee82e8ed8dcf49051b8e74ba5c31e3985454591ea751d4550df3d2e3639ec0d616
DIST php-7.4.33.tar.xz 10420144 BLAKE2B e75817e79c698628c873c90afb3b5677480d03ecf07e8f2e26a062bc5b91affc6079e792e864f28cf12d45f86e5d01ede289ecdcefc06477986d193d22c982ef SHA512 499b63b99e5d8e8082ff89d3a91b4cb9a593ea7553b96e48863414c13d2e50275904ed29070e2232e529ee91160f505e6060a4d129cb5bf098aa5b6ea0928d3d
DIST php-8.0.25.tar.xz 10802888 BLAKE2B c1f283613c43551cccd52955deaae364781fffd4f73befa5e103211ed2b972272189973639d840ef1839b038e1872a6a28424939ea133f0bf86d82b56bb591fb SHA512 43bb0637e424e2a637e05f3faf0ca2c5309f2d9cc03def9fc9af9b756003ea6efe730b608c70177c3c1b9cb03cef31c27cd6507cca9d9f0fd854aadb5e51aee3
-DIST php-8.0.26.tar.xz 10868588 BLAKE2B 423af3b7de23f59717aaf59c8c661ec8ab0fd7acdf1e48282b1c730b2efc48f88b953452e77dbb9dbd4e1633ba68dd8adbc58c05642e787974f9783a075d042c SHA512 2c285bd0d4516e188b8f9fe45db12bb0631c8298c97b3fcf99b7d56bed8c90920649d613c19821cbb38592211f5a3e7980679f2a59ad2d920da5b669251a99d5
DIST php-8.0.27.tar.xz 10802096 BLAKE2B 343a05759a074b746a38578f5fa88382ad91f44f23aee65a7a9b54fa80e991c944b61c6d5979710516a795506dcc8a2c628997e222981ae99bcdfad47afb606d SHA512 443d4fe5d3165e2806e6ce03356f38b1d70fb4c86054f10b22e62191d5961bb51b10a31c49f3d74e6360836254db3107a8910589966481ebc7f5e06886b5e026
+DIST php-8.0.28.tar.xz 10801568 BLAKE2B de03f5ad262e830c70d24b9e2dd997897e5613d8bbc998ab7e59df703db89d587c6c8955e6f82f0cf6630eed82f33e21567ccf7a873ca07f4d0659f7bf4bd974 SHA512 d66e41cdccc332fccaf03bb24356652b17be5267cba5a47d80f1b74732b674f6a23c91e4a151ca442e629de8e8bcf6daecf0b34cbcbc9e33f53b8da9f06dc6b9
DIST php-8.1.12.tar.xz 11747176 BLAKE2B 0505794826fb0fc92b04be5f7162af8aa92d782bb228243348d85b46866cd47089fcb7febd6886a8179babf64cb227bcdbf5d5f60d44dfefe1c947a3a708e3c1 SHA512 437b6a8146b58479f4d1acb7b35d68954f1f7bc13a8f3dddc66e1677d7e9b6a11154861f9e894cbd59b9c28d4df3fd5422f9b5553004e9fc8d0320ab59b9f907
-DIST php-8.1.13.tar.xz 11802424 BLAKE2B 2d2d00fd1574deef1ef86f6813e1d2a1e20a8202ce80e5ce2e1359307135b47d6f1495ff7dfe23f52c2127226494856f215588fe21af3d519a8259e1e67ab819 SHA512 a8966798ed8e723a362952f9d381a59cbfd63d921466d68a5bc4527960f4fe1b48a1f188284c74b0723e93524787e4cf1c1322ecd6ec1c9be199fd67df0a0542
DIST php-8.1.14.tar.xz 11752004 BLAKE2B 5ba60621c641b25c2d8ab0c82e97d59131587718c75cc013dc4ba1ad68e668e7f86b67f01f02c434e65c8a9075581a7f2decb2b8c3706e325e25e9f717cdfd82 SHA512 75a5dc3b0490cd8105d4f6c5446522b38953d78fe7b568798db749740f365c818b251d86aba72f5e555c5fe4e4a28e352a9510803bf3cdfe37d125824ae84d61
-DIST php-8.2.0.tar.xz 11920436 BLAKE2B 18f9395ecd86bd3f5e5b581cb60c410a4eba2260b70cf5c3b6f320004d8e8126431fd77371f3b694de2422a450655a37e1c9783e8cebc204b3b754b812709aa0 SHA512 0b201ca1de5210c2b44a6223556720c3409e21db3d8f976894f29ad43eebb8b60334b971aa90bc115ef113e3f06624c80175d04530466b5a02743f2fcd4c9806
-DIST php-8.2.1.tar.xz 12031632 BLAKE2B 87dfc1018fa4313d02da584b6f7c8a2ee48dcca99ff1753d210ea0e2faaeaee8df79d608892da558c69bbc9f0c3738d14a2834737575e9b5ebcd7927e99fb04e SHA512 9927ccb9e5581c24d0ef3e408a7a1b32bc99f43ce88e83e4430dbd4faa3a2498b299ad6b3a70696facded139100c85bb7ae66223a72b2c043ccab0d80a2c2826
+DIST php-8.1.16.tar.xz 11760948 BLAKE2B ac0d352dae05115197852092b9b3c0b5091528326806c70eb34e0aba6007f718e927e67045d65976cb2104e4737a475b2224d4f05ff89ddf8c3066e0240c38e1 SHA512 4515da38803272abfafb069d1684c66dbb5086987b148c48dd7d8acf8f5316d255cf321ec57d6fbffe914a35551a533446ac13c34bb7c984e0d109247e8e64da
+DIST php-8.2.3.tar.xz 12038240 BLAKE2B 97df5470813bcfb3f07b62ba9a5ab5f5931cf4c6df5abb7354c41080f8bdd8fe4e311841b217448993bc57f98f238fa107f29614bc19cab2902de519d826e67c SHA512 4e3ae840ac486868d5bedc2ae771e3ff5d4939ba4c2f7c769b7052322a5eccc8fba253df311a77f3ea852bf42f9dec34653baf828f68c9c191d3a425a8968d4c
EBUILD php-7.4.33-r1.ebuild 21423 BLAKE2B 8dd66cd6b064ac0fd5b4157a37e819cccde4a2e40e3185624e73b1d5e1c0acc9efbb62c3da887942fd7e5813953a75b5e64baee72844fbb5e7b82c44148227d7 SHA512 5ade5f1bded3433579af049bc70a8bacecfda257efbb1165133033ed8f2b68a6ed6adc0479a6d9ec6abf6ec291d81f41fc4cf6bd29d894c94d86c20b2d53f908
+EBUILD php-7.4.33-r2.ebuild 21563 BLAKE2B 84aba8ead2ae702eb1613b87888fd80860d2d8f5f368109658d41f12bc36c8f6664b111a012e349b31e8b955cce5c758671f3702b2f22cd5c127d4e4acc9b6b2 SHA512 c1cea43ee87092c9f4fab5d44549882d8bed465301d71d66cd42f261c35f4e7d37c97fc0223e30e6cebb4591a16de48f41d1fe5ac640ae5a7ea8ba989161f705
EBUILD php-7.4.33.ebuild 21371 BLAKE2B 1a1f130cec31dac7fea7b6aa38473eb7ac19b1194c2c2a76023b09043261f73e516a3ba5d21d1da5e3354d6abf3ac606dfb2f27bc0fe1ab1aa162f7c05f95522 SHA512 4ffaae2b5e4724860c40d789f920a3e06455a0efe5ed5d628d74a7012aa57b352188bd577a8e4707ce01be9f3e26534ba1524dfbc4218a93927c6417277cc2e4
EBUILD php-8.0.25.ebuild 21880 BLAKE2B 966f8b33f46767a4456686cd788f0b3c1b8fd4049f2022b1136a8530ef3a5021efb393db45de6ce60aa77ba029c384858838e576a6d2799808246fbc2645730f SHA512 2ba7d167b4075b89e6aac2feb387103ae3fca4dc0be4d6791d23995f4eeb1ca65941664374c52e48b07a8815ccdc7bf1c79b9f2da910bbae8c7c3c373b856ab5
-EBUILD php-8.0.26.ebuild 21887 BLAKE2B eb13245b78136e9f5058017a427e87537b22d7b28cda35e924e01101772a1c3743a3f33d7b5ec0b34d1045d5c5767182a43a36bedeac126d945eabd2622fa084 SHA512 d6e065135160ad5972b1f0885f37233dae00f92b6a70ffbd15be6a00e0614fdb891e30ca90df86e012fa124fea5f83652cb9ffda8fe848034198b776e6535ebd
EBUILD php-8.0.27.ebuild 21885 BLAKE2B 45399d624d7a6e5563df67133e4bc770c97f79e26b498e2ff9bea3ed8715ceb61f138daccd5dcb9fc140c4712a0ff80c75db9ae1ed1f767a412b03f3209ff3dc SHA512 582a3231a3701b4e29338025d3e0bba5915b14eaff0940a0b88a9084dc7086ca559c917bc89770c2aef2c94767f4d94948f120aac854181abcf2dd64407c5fd0
+EBUILD php-8.0.28.ebuild 21887 BLAKE2B 7e4b47c70ae3a4e3ca9ee70aa6987bdb8c1d99427607814db16beb5387c88d2ba9686da53227c503503a5fdb088c77e8a1fa0498a918ba5753f4680861a002c3 SHA512 afcfe8818e57d544f8884d57bbd452021956fb26d5efeebf84bf93c4976b9fae2c4cc837683c3194a309ae37f56e6fabb15ee7c7a98e9f8723ab7eeb1ef52859
EBUILD php-8.1.12.ebuild 21815 BLAKE2B c1610ff5a4e439954b228744cd0223a4205dd1b53e6cff7a48535db414b6d20d307ba1b31c96ea6ab60b2ed1f811eb612c80e245b49acdf9659a6f8b2bb94b08 SHA512 73b766c5dec9b7231f1149b279b47e8621e527bbce2e1606bafdf1e6cd3f647ca30b2fcd16e1d9c3160c4a50c464fdeefbd05e1102f9debe7b79abd68fbceb4d
-EBUILD php-8.1.13.ebuild 21822 BLAKE2B ed8192edd4b20602a243ac762cee927ca03057c31ab4ae508b128dc4dccadb6acccf7984aeffe5b63937b96ca2934a8baa973937f8f4aca15f4be463f9f8a320 SHA512 954da51ade6601e0016f9a02bd1a130de13bbe8481b4d75f12e49c42af510f72762996fefbee2ed5535e264b567c5df9dd3ff2485fc899d7e4b5bcb5c59c4216
EBUILD php-8.1.14.ebuild 21820 BLAKE2B cda25e68ea7ea22d38db686ebb940f52d616ec7f72320ef66ad12a7768f6f484a72045577ce2d5e3e250d5065a278aa96496bb84ae7686a5b1edc8f057f52785 SHA512 315620f4d75fe120620c149a45b84917cac7b0ca3138797a0894f9ad3907d8cfc73fb18e0233ab2b3f3891771c2aac585a2d2b6d04995129923936e132f7dd45
-EBUILD php-8.2.0.ebuild 21929 BLAKE2B 17ff1fe640f9c2d97e33933b3357b0979beb013e5221fc31b5dc1d7e6c5bfa68c4c4cc1e371874f5ee7bc93810798bccbed10b59b84ae79f479971f1ad9f4c89 SHA512 2ca33b0838a28162d78779f870ff6f0b3d02245c1bc1b3f4b15c0f5588eff16613462c3ebd85be4049066860ae15acfaa5fbe6bef8161dda90f3c9db51a5fd0c
-EBUILD php-8.2.1.ebuild 21927 BLAKE2B 16451eb4aaea4eb0743d397cd66fac289374ad8ba4a81091fa3510f113bbb737264170eacb119d97aad26af16afae1a2731ccd93d076a4202069c8deceb1e08e SHA512 92bdf8ae2c6b22b6fb71726a2ce01c87097544d965c8e6b987601a7f89739b9540122d09e44112f79a7f68806f834327ccdaf30e582bfe6a2f54e9a184f935a4
+EBUILD php-8.1.16.ebuild 21822 BLAKE2B 51b237d02bb3f8ede91b498fec4925cfd0ce7c8b437644d894572fdd9dc97bc3c985efdfba9a238c67a8e27278ad1515d197ac8d9abb4469e12f6a712e336665 SHA512 509fb7e69b1f5b6ba8cdd0b70f69d601343807c49741817d054875fe2c5aab3257510a4dcae10afba0c6821c6c1555f915eb78661e2de7bd6a73fd098aa4edb2
+EBUILD php-8.2.3.ebuild 21929 BLAKE2B 3071d992c1ab559358f7412c170f1d39411769e232117cacab97a229fbc4257e5f154dda46863b93524e99de55500b8fc840a98a14871426d94f5de3520be958 SHA512 5074206a61d3b81ce66434d4e6aa3f210b538725082fddd4fef0aa85ed8b10d5c5555e78c1031fce0bc64a9a1be8caea22161c388af64a826f6f752c84abf1ae
MISC metadata.xml 3230 BLAKE2B 215062835c9f7ae9d570a40b3a6e59c7a2b7fb51e0fb9b89cd51888f54e2cbee1cbcf571b8ccfef3ed1970949dcac81bb411ca6536e972875b184caee688cb12 SHA512 03d948a300d3a29a113248b371be92fa9c1c4feb371886a9cab335e956a2ff9958cb9b5449aab88a5306bcafed42161ac88655115a1e286fa9e876920ad1d59a
diff --git a/dev-lang/php/files/php-7.4.33-CVE-2023-0567.patch b/dev-lang/php/files/php-7.4.33-CVE-2023-0567.patch
new file mode 100644
index 000000000000..a0e72f380089
--- /dev/null
+++ b/dev-lang/php/files/php-7.4.33-CVE-2023-0567.patch
@@ -0,0 +1,114 @@
+diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c
+index 3806a290aee4..351d40308089 100644
+--- a/ext/standard/crypt_blowfish.c
++++ b/ext/standard/crypt_blowfish.c
+@@ -371,7 +371,6 @@ static const unsigned char BF_atoi64[0x60] = {
+ #define BF_safe_atoi64(dst, src) \
+ { \
+ tmp = (unsigned char)(src); \
+- if (tmp == '$') break; /* PHP hack */ \
+ if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
+ tmp = BF_atoi64[tmp]; \
+ if (tmp > 63) return -1; \
+@@ -399,13 +398,6 @@ static int BF_decode(BF_word *dst, const char *src, int size)
+ *dptr++ = ((c3 & 0x03) << 6) | c4;
+ } while (dptr < end);
+
+- if (end - dptr == size) {
+- return -1;
+- }
+-
+- while (dptr < end) /* PHP hack */
+- *dptr++ = 0;
+-
+ return 0;
+ }
+
+diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+new file mode 100644
+index 000000000000..32e335f4b087
+--- /dev/null
++++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
+@@ -0,0 +1,82 @@
++--TEST--
++bcrypt correctly rejects salts containing $
++--FILE--
++<?php
++for ($i = 0; $i < 23; $i++) {
++ $salt = '$2y$04$' . str_repeat('0', $i) . '$';
++ $result = crypt("foo", $salt);
++ var_dump($salt);
++ var_dump($result);
++ var_dump($result === $salt);
++}
++?>
++--EXPECT--
++string(8) "$2y$04$$"
++string(2) "*0"
++bool(false)
++string(9) "$2y$04$0$"
++string(2) "*0"
++bool(false)
++string(10) "$2y$04$00$"
++string(2) "*0"
++bool(false)
++string(11) "$2y$04$000$"
++string(2) "*0"
++bool(false)
++string(12) "$2y$04$0000$"
++string(2) "*0"
++bool(false)
++string(13) "$2y$04$00000$"
++string(2) "*0"
++bool(false)
++string(14) "$2y$04$000000$"
++string(2) "*0"
++bool(false)
++string(15) "$2y$04$0000000$"
++string(2) "*0"
++bool(false)
++string(16) "$2y$04$00000000$"
++string(2) "*0"
++bool(false)
++string(17) "$2y$04$000000000$"
++string(2) "*0"
++bool(false)
++string(18) "$2y$04$0000000000$"
++string(2) "*0"
++bool(false)
++string(19) "$2y$04$00000000000$"
++string(2) "*0"
++bool(false)
++string(20) "$2y$04$000000000000$"
++string(2) "*0"
++bool(false)
++string(21) "$2y$04$0000000000000$"
++string(2) "*0"
++bool(false)
++string(22) "$2y$04$00000000000000$"
++string(2) "*0"
++bool(false)
++string(23) "$2y$04$000000000000000$"
++string(2) "*0"
++bool(false)
++string(24) "$2y$04$0000000000000000$"
++string(2) "*0"
++bool(false)
++string(25) "$2y$04$00000000000000000$"
++string(2) "*0"
++bool(false)
++string(26) "$2y$04$000000000000000000$"
++string(2) "*0"
++bool(false)
++string(27) "$2y$04$0000000000000000000$"
++string(2) "*0"
++bool(false)
++string(28) "$2y$04$00000000000000000000$"
++string(2) "*0"
++bool(false)
++string(29) "$2y$04$000000000000000000000$"
++string(2) "*0"
++bool(false)
++string(30) "$2y$04$0000000000000000000000$"
++string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K"
++bool(false)
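Review bot: php-7.4.33-CVE-2023-0567.patch begins directly at its `diff --git` line, so the file does not record which upstream commit it was backported from. php-7.4.33-CVE-2023-0662.patch has the same gap, while the CVE-2023-0568 patch keeps its `From <commit>` header. A leading line such as `Backport of upstream php-src commit <UPSTREAM_COMMIT_PLACEHOLDER> (CVE-2023-0567)` would let a later reviewer compare the backport with the original fix. That matters here because the change alters how bcrypt salts containing `$` are rejected, and a divergence from upstream would otherwise be hard to spot.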
diff --git a/dev-lang/php/files/php-7.4.33-CVE-2023-0568.patch b/dev-lang/php/files/php-7.4.33-CVE-2023-0568.patch
new file mode 100644
index 000000000000..67c172ae214f
--- /dev/null
+++ b/dev-lang/php/files/php-7.4.33-CVE-2023-0568.patch
@@ -0,0 +1,37 @@
+From a92acbad873a05470af1a47cb785a18eadd827b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
+Date: Mon, 23 Jan 2023 22:13:57 +0100
+Subject: [PATCH] crypt: Fix possible buffer overread in php_crypt()
+
+---
+ ext/standard/crypt.c | 1 +
+ ext/standard/tests/password/password_bcrypt_short.phpt | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+ create mode 100644 ext/standard/tests/password/password_bcrypt_short.phpt
+
+diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
+index 8c105cf910e8..8316c8b96063 100644
+--- a/ext/standard/crypt.c
++++ b/ext/standard/crypt.c
+@@ -135,6 +135,7 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
+ } else if (
+ salt[0] == '$' &&
+ salt[1] == '2' &&
++ salt[2] != 0 &&
+ salt[3] == '$') {
+ char output[PHP_MAX_SALT_LEN + 1];
+
+diff --git a/ext/standard/tests/password/password_bcrypt_short.phpt b/ext/standard/tests/password/password_bcrypt_short.phpt
+new file mode 100644
+index 000000000000..085bc8a23904
+--- /dev/null
++++ b/ext/standard/tests/password/password_bcrypt_short.phpt
+@@ -0,0 +1,8 @@
++--TEST--
++Test that password_hash() does not overread buffers when a short hash is passed
++--FILE--
++<?php
++var_dump(password_verify("foo", '$2'));
++?>
++--EXPECT--
++bool(false)
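Review bot: The added `salt[2] != 0 &&` line protects the following `salt[3] == '$'` read only because `&&` short-circuits at the string terminator, and the hunk carries no comment saying so. I would add `/* stop at the terminator: a salt of just "$2" must not reach salt[3] */` above it, so the order of the comparisons is not changed later. php_crypt's parameter list is cut off in the hunk header, so whether a salt length is available for an explicit length check is not visible here; the function body also continues outside the hunk. Separately, the test title names password_hash() while the test body calls `password_verify("foo", '$2')`.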
diff --git a/dev-lang/php/files/php-7.4.33-CVE-2023-0662.patch b/dev-lang/php/files/php-7.4.33-CVE-2023-0662.patch
new file mode 100644
index 000000000000..a6de37c27305
--- /dev/null
+++ b/dev-lang/php/files/php-7.4.33-CVE-2023-0662.patch
@@ -0,0 +1,48 @@
+diff --git a/main/main.c b/main/main.c
+index 40684f32dc14..c58ea58bf5ac 100644
+--- a/main/main.c
++++ b/main/main.c
+@@ -836,6 +836,7 @@ PHP_INI_BEGIN()
+ PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("max_file_uploads", "20", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
++ PHP_INI_ENTRY("max_multipart_body_parts", "-1", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
+
+ STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
+ STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index b43cfae5a1e2..3086e8da3dbe 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -694,6 +694,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ void *event_extra_data = NULL;
+ unsigned int llen = 0;
+ int upload_cnt = INI_INT("max_file_uploads");
++ int body_parts_cnt = INI_INT("max_multipart_body_parts");
+ const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
+ php_rfc1867_getword_t getword;
+ php_rfc1867_getword_conf_t getword_conf;
+@@ -715,6 +716,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ return;
+ }
+
++ if (body_parts_cnt < 0) {
++ body_parts_cnt = PG(max_input_vars) + upload_cnt;
++ }
++ int body_parts_limit = body_parts_cnt;
++
+ /* Get the boundary */
+ boundary = strstr(content_type_dup, "boundary");
+ if (!boundary) {
+@@ -799,6 +805,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ char *pair = NULL;
+ int end = 0;
+
++ if (--body_parts_cnt < 0) {
++ php_error_docref(NULL, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
++ goto fileupload_done;
++ }
++
+ while (isspace(*cd)) {
+ ++cd;
+ }
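Review bot: With the default `max_multipart_body_parts` of "-1", the effective cap becomes `PG(max_input_vars) + upload_cnt`, so a site that raised max_input_vars has raised the multipart limit too, and nothing in the code says so. A comment on the fallback branch, e.g. `/* -1 (default): cap parts at max_input_vars + max_file_uploads */`, would make the derived default visible to whoever tunes it. The sum is stored in an `int`; if max_input_vars can exceed the int range (its type is not shown here), the result could go negative, so the first body part would hit the limit and the warning would print a negative number. rfc1867_post_handler starts and ends outside these hunks.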
diff --git a/dev-lang/php/php-8.2.1.ebuild b/dev-lang/php/php-7.4.33-r2.ebuild
index 1d3564c738ab..7c62bd3f1448 100644
--- a/dev-lang/php/php-8.2.1.ebuild
+++ b/dev-lang/php/php-7.4.33-r2.ebuild
@@ -1,7 +1,7 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI="8"
+EAPI="7"
WANT_AUTOMAKE="none"
@@ -11,7 +11,6 @@ MY_PV=${PV/_rc/RC}
DESCRIPTION="The PHP language runtime engine"
HOMEPAGE="https://www.php.net/"
SRC_URI="https://www.php.net/distributions/${P}.tar.xz"
-#SRC_URI="https://downloads.php.net/~pierrick/php-${MY_PV}.tar.xz"
LICENSE="PHP-3.01
BSD
@@ -22,7 +21,7 @@ LICENSE="PHP-3.01
unicode? ( BSD-2 LGPL-2.1 )"
SLOT="$(ver_cut 1-2)"
-KEYWORDS="~alpha ~amd64 ~arm arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
S="${WORKDIR}/${PN}-${MY_PV}"
@@ -34,17 +33,17 @@ IUSE="${IUSE}
${SAPIS/cli/+cli}
threads"
-IUSE="${IUSE} acl apparmor argon2 bcmath berkdb bzip2 calendar cdb cjk
+IUSE="${IUSE} acl argon2 bcmath berkdb bzip2 calendar cdb cjk
coverage +ctype curl debug
enchant exif ffi +fileinfo +filter firebird
+flatfile ftp gd gdbm gmp +iconv imap inifile
- intl iodbc +jit kerberos ldap ldap-sasl libedit lmdb
+ intl iodbc ipv6 +jit +json kerberos ldap ldap-sasl libedit lmdb
mhash mssql mysql mysqli nls
oci8-instant-client odbc +opcache pcntl pdo +phar +posix postgres qdbm
readline selinux +session session-mm sharedmem
+simplexml snmp soap sockets sodium spell sqlite ssl
sysvipc systemd test tidy +tokenizer tokyocabinet truetype unicode webp
- +xml xmlreader xmlwriter xpm xslt zip zlib"
+ +xml xmlreader xmlwriter xmlrpc xpm xslt zip zlib"
# Without USE=readline or libedit, the interactive "php -a" CLI will hang.
# The Oracle instant client provides its own incompatible ldap library.
@@ -60,6 +59,7 @@ REQUIRED_USE="
gd? ( zlib )
simplexml? ( xml )
soap? ( xml )
+ xmlrpc? ( xml iconv )
xmlreader? ( xml )
xmlwriter? ( xml )
xslt? ( xml )
@@ -78,17 +78,17 @@ RESTRICT="!test? ( test )"
# the ./configure script. Other versions *work*, but we need to stick to
# the ones that can be detected to avoid a repeat of bug #564824.
COMMON_DEPEND="
- >=app-eselect/eselect-php-0.9.7[apache2?,fpm?]
+ >=app-eselect/eselect-php-0.9.1[apache2?,fpm?]
>=dev-libs/libpcre2-10.30[jit?,unicode]
- fpm? ( acl? ( sys-apps/acl ) apparmor? ( sys-libs/libapparmor ) selinux? ( sys-libs/libselinux ) )
+ fpm? ( acl? ( sys-apps/acl ) )
apache2? ( www-servers/apache[apache2_modules_unixd(+),threads=] )
argon2? ( app-crypt/argon2:= )
- berkdb? ( || ( sys-libs/db:5.3 sys-libs/db:4.8 ) )
+ berkdb? ( || ( sys-libs/db:5.3 sys-libs/db:4.8 ) )
bzip2? ( app-arch/bzip2:0= )
cdb? ( || ( dev-db/cdb dev-db/tinycdb ) )
coverage? ( dev-util/lcov )
- curl? ( >=net-misc/curl-7.29.0 )
- enchant? ( app-text/enchant:2 )
+ curl? ( >=net-misc/curl-7.10.5 )
+ enchant? ( <app-text/enchant-2.0:0 )
ffi? ( >=dev-libs/libffi-3.0.11:= )
firebird? ( dev-db/firebird )
gd? ( media-libs/libjpeg-turbo:0= media-libs/libpng:0= )
@@ -106,7 +106,7 @@ COMMON_DEPEND="
nls? ( sys-devel/gettext )
oci8-instant-client? ( dev-db/oracle-instantclient[sdk] )
odbc? ( iodbc? ( dev-db/libiodbc ) !iodbc? ( >=dev-db/unixODBC-1.8.13 ) )
- postgres? ( >=dev-db/postgresql-9.1:* )
+ postgres? ( dev-db/postgresql:* )
qdbm? ( dev-db/qdbm )
readline? ( sys-libs/readline:0= )
session-mm? ( dev-libs/mm )
@@ -114,21 +114,19 @@ COMMON_DEPEND="
sodium? ( dev-libs/libsodium:=[-minimal] )
spell? ( >=app-text/aspell-0.50 )
sqlite? ( >=dev-db/sqlite-3.7.6.3 )
- ssl? ( >=dev-libs/openssl-1.0.2:0= )
+ ssl? ( >=dev-libs/openssl-1.0.1:0= <dev-libs/openssl-3.0 )
tidy? ( app-text/htmltidy )
tokyocabinet? ( dev-db/tokyocabinet )
truetype? ( =media-libs/freetype-2* )
unicode? ( dev-libs/oniguruma:= )
webp? ( media-libs/libwebp:0= )
- xml? ( >=dev-libs/libxml2-2.9.0 )
+ xml? ( >=dev-libs/libxml2-2.7.6 )
xpm? ( x11-libs/libXpm )
xslt? ( dev-libs/libxslt )
zip? ( >=dev-libs/libzip-1.2.0:= )
zlib? ( >=sys-libs/zlib-1.2.0.4:0= )
"
-IDEPEND=">=app-eselect/eselect-php-0.9.7[apache2?,fpm?]"
-
RDEPEND="${COMMON_DEPEND}
virtual/mta
fpm? (
@@ -147,7 +145,12 @@ BDEPEND="virtual/pkgconfig"
PHP_MV="$(ver_cut 1)"
PATCHES=(
- "${FILESDIR}/php-iodbc-header-location.patch"
+ "${FILESDIR}"/php-iodbc-header-location.patch
+ "${FILESDIR}"/bug81656-gcc-11.patch
+ "${FILESDIR}"/php-7.4.33-CVE-2022-31631.patch
+ "${FILESDIR}"/php-7.4.33-CVE-2023-0567.patch
+ "${FILESDIR}"/php-7.4.33-CVE-2023-0568.patch
+ "${FILESDIR}"/php-7.4.33-CVE-2023-0662.patch
)
php_install_ini() {
@@ -223,23 +226,11 @@ src_prepare() {
configure main/php_config.h.in || die
eautoconf --force
eautoheader
-
- # Remove false positive test failures
- # stream_isatty fails due to portage redirects
- # curl tests here fail for network sandbox issues
- # session tests here fail because we set the session directory to $T
- rm tests/output/stream_isatty_err.phpt \
- tests/output/stream_isatty_out-err.phpt \
- tests/output/stream_isatty_out.phpt \
- ext/curl/tests/bug76675.phpt \
- ext/curl/tests/bug77535.phpt \
- ext/curl/tests/curl_error_basic.phpt \
- ext/session/tests/bug74514.phpt \
- ext/session/tests/bug74936.phpt || die
-
}
src_configure() {
+ filter-lto # bug 855644
+
addpredict /usr/share/snmp/mibs/.index #nowarn
addpredict /var/lib/net-snmp/mib_indexes #nowarn
@@ -256,12 +247,10 @@ src_configure() {
--localstatedir="${EPREFIX}/var"
--without-pear
--without-valgrind
- --enable-ipv6
- $(use_enable threads zts)
+ $(use_enable threads maintainer-zts)
)
our_conf+=(
- $(use_with apparmor fpm-apparmor)
$(use_with argon2 password-argon2 "${EPREFIX}/usr")
$(use_enable bcmath)
$(use_with bzip2 bz2 "${EPREFIX}/usr")
@@ -282,6 +271,8 @@ src_configure() {
$(use_with iconv iconv \
$(use elibc_glibc || use elibc_musl || echo "${EPREFIX}/usr"))
$(use_enable intl)
+ $(use_enable ipv6)
+ $(use_enable json)
$(use_with kerberos)
$(use_with xml libxml)
$(use_enable unicode mbstring)
@@ -292,7 +283,6 @@ src_configure() {
$(use_enable opcache)
$(use_with postgres pgsql "${EPREFIX}/usr")
$(use_enable posix)
- $(use_with selinux fpm-selinux)
$(use_with spell pspell "${EPREFIX}/usr")
$(use_enable simplexml)
$(use_enable sharedmem shmop)
@@ -309,6 +299,7 @@ src_configure() {
$(use_enable xml)
$(use_enable xmlreader)
$(use_enable xmlwriter)
+ $(use_with xmlrpc)
$(use_with xslt xsl)
$(use_with zip)
$(use_with zlib zlib "${EPREFIX}/usr")
@@ -361,7 +352,10 @@ src_configure() {
fi
# MySQL support
- our_conf+=( $(use_with mysqli) )
+ local mysqllib="mysqlnd"
+ local mysqlilib="mysqlnd"
+
+ our_conf+=( $(use_with mysqli mysqli "${mysqlilib}") )
local mysqlsock="${EPREFIX}/var/run/mysqld/mysqld.sock"
if use mysql || use mysqli ; then
@@ -396,7 +390,7 @@ src_configure() {
if use pdo ; then
our_conf+=(
$(use_with mssql pdo-dblib "${EPREFIX}/usr")
- $(use_with mysql pdo-mysql "mysqlnd")
+ $(use_with mysql pdo-mysql "${mysqllib}")
$(use_with postgres pdo-pgsql)
$(use_with sqlite pdo-sqlite)
$(use_with firebird pdo-firebird "${EPREFIX}/usr")
@@ -550,7 +544,7 @@ src_install() {
# We're specifically not using emake install-sapi as libtool
# may cause unnecessary relink failures (see bug #351266)
insinto "${PHP_DESTDIR#${EPREFIX}}/apache2/"
- newins ".libs/libphp$(get_libname)" \
+ newins ".libs/libphp${PHP_MV}$(get_libname)" \
"libphp${PHP_MV}$(get_libname)"
keepdir "/usr/$(get_libdir)/apache2/modules"
else
@@ -573,7 +567,7 @@ src_install() {
source="sapi/fpm/php-fpm"
;;
embed)
- source="libs/libphp$(get_libname)"
+ source="libs/libphp${PHP_MV}$(get_libname)"
;;
phpdbg)
source="sapi/phpdbg/phpdbg"
@@ -648,7 +642,7 @@ src_test() {
export TEST_PHPDBG_EXECUTABLE="${WORKDIR}/sapis-build/phpdbg/sapi/phpdbg/phpdbg"
fi
- SKIP_ONLINE_TESTS=1 REPORT_EXIT_STATUS=1 "${TEST_PHP_EXECUTABLE}" -n -d \
+ REPORT_EXIT_STATUS=1 "${TEST_PHP_EXECUTABLE}" -n -d \
"session.save_path=${T}" \
"${WORKDIR}/sapis-build/cli/run-tests.php" -n -q -d \
"session.save_path=${T}"
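Review bot: The run-tests.php invocation in src_test no longer sets `SKIP_ONLINE_TESTS=1`, and the src_prepare hunk above also stops deleting the curl tests that had been removed for network-sandbox failures, so the test phase of this ebuild may attempt network access and report failures unrelated to the code. That would weaken the signal from the regression tests added by the three CVE patches. If the 7.4 test suite honours the variable, I would keep `SKIP_ONLINE_TESTS=1 REPORT_EXIT_STATUS=1 "${TEST_PHP_EXECUTABLE}" -n -d \`. The diff is computed against php-8.2.1.ebuild through rename detection, so this may simply match the previous 7.4 revision; src_test's body starts outside the hunk.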
diff --git a/dev-lang/php/php-8.0.26.ebuild b/dev-lang/php/php-8.0.28.ebuild
index 54100cfe9d3f..d4cadfe62448 100644
--- a/dev-lang/php/php-8.0.26.ebuild
+++ b/dev-lang/php/php-8.0.28.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
diff --git a/dev-lang/php/php-8.1.13.ebuild b/dev-lang/php/php-8.1.16.ebuild
index bdf85e055446..20d68c6387fd 100644
--- a/dev-lang/php/php-8.1.13.ebuild
+++ b/dev-lang/php/php-8.1.16.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="8"
diff --git a/dev-lang/php/php-8.2.0.ebuild b/dev-lang/php/php-8.2.3.ebuild
index f316a161e5cf..b67b15fa8e18 100644
--- a/dev-lang/php/php-8.2.0.ebuild
+++ b/dev-lang/php/php-8.2.3.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="8"