[NCLUG] PHP patch

Michael Dwyer mdwyer at sixthdimension.com
Fri Mar 1 13:55:02 MST 2002


> I'm wanting to patch my php install in light of the recent buffer overflow
> bug.

Can you find the original SRPM?  If you can, you can probably add the
required patch in somehow, and let it build you a new RPM...  

If nothing else, building PHP isn't /that/ difficult... The ./configure
list is a mile long, but normally, the options you need are pretty
apparent.  The config from last time I built was:

./configure --with-apache=../apache_1.3.14 --with-mysql=/usr/local \
    --with-imap=../imap-2000a

Mind you, I build PHP into apache, and don't use loadable modules.  Your
mileage, as always, may vary.

Also, I believe that the problem is related to file-upload.  You may be
able to do a workaround by disabling upload. Read the advisory to be
sure, though... 

> There isn't a patch for that version only 4.06 and 4.1, and nothing to get
> from 4.03 to 4.06.  So I am going to attempt a new compile.

Is there a reason you need to stay at 4.03?  It might be better for you
all around to go to 4.1 -- I believe there have been a number of other
security fixes to PHP4 of late...

> Questions:
> I don't have any idea what options were enabled in the Mandrake install of
> PHP.  My site is working the way I want it so I don't want to break anything
> with a new compile.
> What is the best way to do this so I don't end up spending all weekend
> fixing my stupid mistakes, or so I can get back to my working configuration.

I would almost bet that a move from 4.03 to 4.1 (?) would be easier for
you than trying to patch.  Here is what I would do:

rpm -U -v php.rpm

If everything works, then the problem is solved, and you are done.
(Hopefully...)

If not, then back out this patch, reinstall the RPM on your install
disks, and consider the compile.

I don't think doing a recompile is /difficult/, but upgrading to a new
minor-version should be so painlessly simple that you wouldn't even
think of compiling.
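
An added example, not part of the original post: a check that a php.ini really has uploads switched off after applying the workaround mentioned above. It assumes the workaround is PHP's `file_uploads` ini directive (the post only says "disabling upload"); the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: report whether a php.ini leaves HTTP file uploads enabled.
# Assumption: "disabling upload" means the file_uploads ini directive.
# Usage: file_uploads_state /path/to/php.ini   (prints "on" or "off")
file_uploads_state() {
    awk '
        BEGIN { state = "on" }        # PHP default when the directive is absent
        /^[ \t]*;/ { next }           # a commented-out directive has no effect
        {
            line = $0
            sub(/;.*$/, "", line)     # drop a trailing comment
            eq = index(line, "=")
            if (eq == 0) next         # section headers, blank lines
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t\r"]/, "", key)
            gsub(/[ \t\r"]/, "", val)
            if (key != "file_uploads") next   # directive names are case sensitive
            val = tolower(val)
            # values PHP reads as false; a later occurrence overrides an earlier one
            if (val == "off" || val == "0" || val == "false" ||
                val == "no" || val == "none" || val == "")
                state = "off"
            else
                state = "on"
        }
        END { print state }
    ' "$1"
}

# Constructed sample php.ini: a commented-out line, then On, then Off (last wins).
sample=$(mktemp)
printf '%s\n' '[PHP]' '; file_uploads = Off' 'file_uploads = On' \
    'file_uploads = Off ; workaround' > "$sample"
echo "file_uploads is $(file_uploads_state "$sample")"
rm -f "$sample"
```

Run it against the php.ini the web server actually loads; a build with PHP compiled into Apache needs an Apache restart before the setting takes effect.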


