head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.8
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.6
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.4
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.2
	pkgsrc-2011Q2-base:1.2;
locks; strict;
comment	@# @;


1.2
date	2010.12.13.13.16.37;	author taca;	state dead;
branches;
next	1.1;

1.1
date	2010.11.25.03.43.50;	author taca;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update lang/php53 package to 5.3.4 (PHP 5.3.4).


The PHP development team is proud to announce the immediate release of PHP
5.3.4. This is a maintenance release in the 5.3 series, which includes a large
number of bug fixes.

Security Enhancements and Fixes in PHP 5.3.4:

* Fixed crash in zip extract method (possible CWE-170).
* Paths with NULL in them (foo\0bar.txt) are now considered as invalid
  (CVE-2006-7243).
* Fixed a possible double free in imap extension (Identified by Mateusz
  Kocielski). (CVE-2010-4150).
* Fixed NULL pointer dereference in
  ZipArchive::getArchiveComment. (CVE-2010-3709).
* Fixed possible flaw in open_basedir (CVE-2010-3436).
* Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950).
* Fixed symbolic resolution support when the target is a DFS share.
* Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with
  large amount of data) (CVE-2010-3710).

Key Bug Fixes in PHP 5.3.4 include:

* Added stat support for zip stream.
* Added follow_location (enabled by default) option for the http stream
  support.
* Added a 3rd parameter to get_html_translation_table. It now takes a charset
  hint, like htmlentities et al.
* Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend
  multibyte at runtime.
* Multiple improvements to the FPM SAPI.
* Over 100 other bug fixes.

For users upgrading from PHP 5.2 there is a migration guide available here,
detailing the changes between those releases and PHP 5.3.

For a full list of changes in PHP 5.3.4, see the ChangeLog. For source
downloads please visit our downloads page, Windows binaries can be found on
windows.php.net/download/.
@
text
@$NetBSD: patch-an,v 1.1 2010/11/25 03:43:50 taca Exp $

Fix for CVE-2010-3710 (a part of http://secunia.com/advisories/41724/):

	http://svn.php.net/viewvc?view=revision&revision=303779

--- ext/filter/logical_filters.c.orig	2010-04-02 18:27:48.000000000 +0000
+++ ext/filter/logical_filters.c
@@@@ -531,6 +531,11 @@@@ void php_filter_validate_email(PHP_INPUT
 	int         matches;
 
 
+	/* The maximum length of an e-mail address is 320 octets, per RFC 2821. */
+	if (Z_STRLEN_P(value) > 320) {
+		RETURN_VALIDATION_FAILED
+	}
+
 	re = pcre_get_compiled_regex((char *)regexp, &pcre_extra, &preg_options TSRMLS_CC);
 	if (!re) {
 		RETURN_VALIDATION_FAILED
@


1.1
log
@
- GC bug fix: http://svn.php.net/viewvc?view=revision&revision=303016
- CVE-2010-3710 (a part of SA41724)
	http://svn.php.net/viewvc?view=revision&revision=303779
- CVE-2010-3870 (a part of SA41724)
	http://svn.php.net/viewvc?view=revision&revision=304959
- CVE-2010-4150 (php-imap)
	http://svn.php.net/viewvc?view=revision&revision=305032
- CVE-2010-4156 (SA42135)
	http://svn.php.net/viewvc?view=revision&revision=305214

Bump PKGREVISION.
@
text
@d1 1
a1 1
$NetBSD$
@