In @Risk Volume: VI, Issue: 14, The Month of PHP Bugs (MOPB) is covered and it is mentioned that a patched version of php is available from OpenSuSE to address some of the bugs discovered. Since I use CentOS 4.4 (RHEL 4.4), I wanted to get these patches installed on php 5.2.1 on CentOS. Using the instructions at Utter Ramblings, I was able to do this.
Download the latest php source package from the Factory build of OpenSuSE. The version I used for these steps was php5-5.2.1-5.src.rpm, but the latest as of this posting is php5-5.2.1-6.src.rpm.
Install this source RPM and copy the SPECS/php5.spec file and the SOURCES/php5-MOPB-*secfix.patch files out to another directory. Remove all of the files from the SPECS and SOURCES directories (make sure there’s nothing in here from a previous build that you want to keep). Download and install the php source package from the Fedora Core project as detailed at Utter Ramblings. I am using php-5.2.1-3.src.rpm. Download the suhosin security patch from www.hardened-php.net to the SOURCES directory.
Switch to the SOURCES folder. Rename the php5-MOPB-*secfix.patch files to conform to the Fedora naming convention. I named them php5-5.2.1-mopbxx.patch, where xx is the bulletin number. This naming makes a difference when the patch is applied and must match the spec file we will be editing. The OpenSuSE packages apparently build in the root of the BUILD directory, and Fedora packages build under a directory named after the package source. So, each of the patch files must be fixed to reflect this. I am not an experienced Linux user, so I did this by manually editing each file with vi and executing the following commands:

    :%s/--- /--- php-5.2.1\//g
    :%s/+++ /+++ php-5.2.1\//g
There is a quick vi reference at http://www.cs.colostate.edu/helpdocs/vi.html. The nano command is detailed in the Utter Ramblings article and looks easier to use.
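The rename and the header rewrite described above, as an added POSIX shell example that is not part of the original post. It assumes the OpenSuSE file names carry the bulletin number right after "MOPB-", and unlike the unanchored vi substitution it only rewrites a "--- " line that is directly followed by a "+++ " line, so hunk content that merely begins with "--- " is left untouched.

```shell
#!/bin/sh
# Added example, not from the original post: automates the rename and the
# "--- "/"+++ " header rewrite done by hand in vi above.
PKGDIR="php-5.2.1"   # Fedora unpacks under BUILD/php-5.2.1/; OpenSuSE does not

# mopb_name FILE: php5-MOPB-14-secfix.patch -> php-5.2.1-mopb14.patch
# (assumes the OpenSuSE names carry the bulletin number after "MOPB-")
mopb_name() {
    num=$(printf '%s\n' "$1" | sed -n 's/.*MOPB-\([0-9][0-9]*\).*/\1/p')
    [ -n "$num" ] || return 1
    printf 'php-5.2.1-mopb%s.patch\n' "$num"
}

# fix_patch_paths IN OUT: prefix the file headers with $PKGDIR/ so that
# "%patch -p1" strips it. A header is a "--- " line immediately followed by
# a "+++ " line; a removed "-- x" line followed by an added "++ y" line would
# be misread, which is rare enough in C source to accept here.
fix_patch_paths() {
    awk -v d="$PKGDIR" '
        /^--- / {
            hold = $0
            if ((getline nxt) <= 0) { print hold; next }
            if (nxt ~ /^[+][+][+] /) {
                sub(/^--- /, "--- " d "/", hold)
                sub(/^[+][+][+] /, "+++ " d "/", nxt)
            }
            print hold; print nxt; next
        }
        { print }' "$1" > "$2"
}

# convert_dir DIR: rename and fix every php5-MOPB-*secfix.patch in DIR
convert_dir() {
    for f in "$1"/php5-MOPB-*secfix.patch; do
        [ -e "$f" ] || continue
        new=$(mopb_name "$(basename "$f")") || continue
        fix_patch_paths "$f" "$1/$new" && rm -f "$f"
    done
}

# Demo on a constructed patch (not the real MOPB-14 fix) in a temp directory.
demo_dir=$(mktemp -d)
printf '%s\n' '--- ext/standard/x.c' '+++ ext/standard/x.c' '@@ -1,2 +1,1 @@' \
    '--- removed line' ' context' > "$demo_dir/php5-MOPB-14-secfix.patch"
convert_dir "$demo_dir"
cat "$demo_dir/php-5.2.1-mopb14.patch"
rm -rf "$demo_dir"
```

Run it with SOURCES as the argument to convert_dir; the originals are removed only after the rewritten copy has been written.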
Now that those files are fixed, the SPECS/php.spec file needs to be edited. Towards the top of the file are some Patch lines. Comment out the line Patch9 by putting a # before it (it’s RedHat’s patch that conflicts with MOPB14 from OpenSuSE) and then add the following lines:

    # OpenSUSE patches
    Patch10: php-5.2.1-mopb14.patch # see http://www.securityfocus.com/bid/22886
    Patch11: php-5.2.1-mopb20.patch
    Patch12: php-5.2.1-mopb21.patch
    Patch13: php-5.2.1-mopb22.patch
    Patch14: php-5.2.1-mopb24.patch
And add the following for suhosin after all the patches (see for instructions):

    # Suhosin
    Patch100: suhosin-patch-5.2.1-0.9.6.2.patch
Then go down the file several pages to a %patch section. Comment out the %patch9 line and then add the following:

    %patch10 -p1 -b .mopb14
    %patch11 -p1 -b .mopb20
    %patch12 -p1 -b .mopb21
    %patch13 -p1 -b .mopb22
    %patch14 -p1 -b .mopb24

and after all of the patches add this:

    %patch100 -p1 -b .suhosin
Save the file and you are finally ready to build php. I needed to download, build, and upgrade pcre-6.6 from the Fedora Project first, using the comments in the Utter Ramblings instructions. I then followed the normal Utter Ramblings instructions and did an rpmbuild -bb SPECS/php.spec. Then I also built php-pear as directed.
Thanks to all of those in the community who support these projects!
(Updated @11:45 AM to include PCRE steps)