PHP 4.4.4 Release Announcement

This release address a series of locally exploitable security problems
discovered since PHP 4.4.3. All PHP users are encouraged to upgrade to this
release as soon as possible.

This release provides the following security fixes:

* Added missing safe_mode/open_basedir checks inside the error_log(),
  file_exists(), imap_open() and imap_reopen() functions.
* Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
* Fixed possible open_basedir/safe_mode bypass in cURL extension.
* Fixed overflow in GD extension on invalid GIF images.
* Fixed a buffer overflow inside sscanf() function.
* Fixed memory_limit restriction on 64 bit system.

www/php4/Makefile.common

@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.53 2006/08/10 23:01:40 adrianp Exp $
+# $NetBSD: Makefile.common,v 1.54 2006/08/20 09:44:59 adrianp Exp $
 
 DISTNAME?=		php-${PHP_DIST_VERS}
 CATEGORIES+=		www php4
@@ -18,7 +18,7 @@ HOMEPAGE?=		http://www.php.net/
 # PHP_DIST_VERS		version number on the php distfile
 # PHP_BASE_VERS		pkgsrc-mangled version number (convert pl -> .)
 #
-PHP_DIST_VERS=		4.4.3
+PHP_DIST_VERS=		4.4.4
 PHP_BASE_VERS=		${PHP_DIST_VERS}
 
 DISTFILES?=		${PHP_DISTFILE}

www/php4/distinfo

@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.56 2006/08/10 23:01:40 adrianp Exp $
+$NetBSD: distinfo,v 1.57 2006/08/20 09:44:59 adrianp Exp $
 
-SHA1 (php-4.4.3.tar.bz2) = 42aec56fec03c13366c0b0aac13169138814a4b5
-RMD160 (php-4.4.3.tar.bz2) = 36c91930af44e8a1ed59eb159e6131ae8f0c77f0
-Size (php-4.4.3.tar.bz2) = 4461353 bytes
+SHA1 (php-4.4.4.tar.bz2) = 05d62910fb5734344db87f0a17b1e8e001b26b05
+RMD160 (php-4.4.4.tar.bz2) = 02fd7d5135a9e5ce11d905a4a474a5d42b8441f3
+Size (php-4.4.4.tar.bz2) = 4478698 bytes
 SHA1 (patch-aa) = feb064407950d0fc732b7240e65cac84420d2407
 SHA1 (patch-ab) = 38a4bcd0d65b26c5d8e54e22b552f60831188469
 SHA1 (patch-ad) = 9ca5d2f59bfeea77a98cd0e727546d11669114cd
@@ -15,4 +15,3 @@ SHA1 (patch-al) = 28ad9006b387e2b9984ad49beea21c9d46e63b46
 SHA1 (patch-ao) = 0fd4becf023451ac8cb185df354830efc86c1344
 SHA1 (patch-ap) = 2f852abd1e9d0f089add18b2eade2831253ad00e
 SHA1 (patch-at) = f8b3aebd61fe2d5b5a994e1d973424a1ed397f63
-SHA1 (patch-aw) = f8e2f36a4d9bb4a60d255127ac5984c33ea74841

www/php4/patches/patch-aw

@@ -1,83 +0,0 @@
---- ext/standard/scanf.c.orig	2006-01-01 13:46:58.000000000 +0000
-+++ ext/standard/scanf.c	2006-08-10 23:00:19.000000000 +0100
-@@ -732,7 +732,7 @@
-                 if (*end == '$') {
-                     format = end+1;
-                     ch = format++;
--                    objIndex = varStart + value;
-+                    objIndex = varStart + value - 1;
-                 }
-          }
- 
-@@ -762,8 +762,10 @@
-         switch (*ch) {
-             case 'n':
-                 if (!(flags & SCAN_SUPPRESS)) {
--                    if (numVars) {
--						current = args[objIndex++];
-+                    if (numVars && objIndex >= argCount) {
-+                        break;
-+                    } else if (numVars) {
-+                        current = args[objIndex++];
-                         zval_dtor( *current );
-                         ZVAL_LONG( *current, (long)(string - baseString) );
-                     } else {
-@@ -883,8 +885,10 @@
-                 }
-             }
-             if (!(flags & SCAN_SUPPRESS)) {
--                if (numVars) {
--                    current = args[objIndex++];
-+                if (numVars && objIndex >= argCount) {
-+                    break;
-+                } else if (numVars) {
-+					current = args[objIndex++];
- 					zval_dtor( *current );
- 					ZVAL_STRINGL( *current, string, end-string, 1);
-                 } else {
-@@ -922,7 +926,9 @@
-                 goto done;
-             }
-             if (!(flags & SCAN_SUPPRESS)) {
--                if (numVars) {
-+                if (numVars && objIndex >= argCount) {
-+                    break;
-+                } else if (numVars) {
-                     current = args[objIndex++];
-                     zval_dtor( *current );
-                     ZVAL_STRINGL( *current, string, end-string, 1);
-@@ -1079,8 +1085,10 @@
- 		    value = (int) (*fn)(buf, NULL, base);
- 		    if ((flags & SCAN_UNSIGNED) && (value < 0)) {
-                 sprintf(buf, "%u", value); /* INTL: ISO digit */
--                if (numVars) {
--                  /* change passed value type to string */
-+                if (numVars && objIndex >= argCount) {
-+                   break;
-+                } else if (numVars) {
-+                   /* change passed value type to string */
-                    current = args[objIndex++];
-                    convert_to_string( *current );
-                    ZVAL_STRING( *current, buf, 1 );
-@@ -1088,7 +1096,9 @@
-                     add_index_string(*return_value, objIndex++, buf, 1);
-                 }
-             } else {
--                if (numVars) {
-+                if (numVars && objIndex >= argCount) {
-+                    break;
-+                } else if (numVars) {
-                     current = args[objIndex++];
-                     convert_to_long( *current );
-                     Z_LVAL(**current) = value;
-@@ -1196,7 +1206,9 @@
- 		    double dvalue;
- 		    *end = '\0';
- 		    dvalue = zend_strtod(buf, NULL);
--            if (numVars) {
-+            if (numVars && objIndex >= argCount) {
-+                break;
-+            } else if (numVars) {
-                 current = args[objIndex++];
-                 convert_to_double( *current );
-                 Z_DVAL_PP( current ) = dvalue;