Unified diff?

How do one install "unified diffs" [under FreeBSD 4.6]? I'm trying to apply the new patch in php regarding vulnerabilities in HTTP POST.

For that patch you need to place the src for both version in same dir (i.e. /usr/local/src/php-4.2.1 and /usr/local/src/php-4.2.2). You then cd to /usr/local/src and run patch -p1 < php-4.2.1-to-4.2.2.patch

Ah thanks man, you're a life-saver. They should give you a lifetime achievement award =)

Actually it's rather simple to figure out how to apply that patch.
Let's start from the top:
That --- implies old or original version that you want to replace. The +++ is the new version. You should notice that php-4.2.1 doesn't begin with a slash, therefore IT'S A RELATIVE PATH to particular dir. When you look at php-4.2.2 it as well is using RELATIVE PATH. That's why you'd place them into the same dir and apply the patch from their dir (one level up).

In *BSDs when you want to apply some security patches the default location is /usr/src where you should cd'd to. Where your patch locates doesn't make any difference. Say it's in /root/security.patch just cd to /usr/src and run patch -p1 < /root/security.patch.

Thanks for the extra info, it's always appreciated.

The script asked some questions about which files to patch.. I got them right (i think, the patch ended with "patch successful" or something like that anyway). But I thought the patch should know what files to update by itself(?).
Do I need to recompile php also? Cause phpinfo() still says 4.2.1. I thought that was the advantage of these patches that you didn't have to recompile.


EDIT: Damnit. Now I remember building apache with php4 compiled in. Was that as stupid as I think (now) it was? Is there some way to disable the builtin php-support (4.2.1) in apache (1.3.26) and run php (4.2.2) as a module?

No. BTW, I thought you are running FreeBSD. Why didn't you install Apache/mod_php4 via the ports tree?

Yup, running FreeBSD. I did it because I thought ports didn't track the latest versions of every software in those ports. I thought they only were packaged and distributed with the official releases of the core FreeBSD. Hence anyway needing to compile it for myself when exploits are surfaced.

So you recommend un-installing (somehow?) the apache+php4 I compiled, and using the ports instead?

Because you need to cvsup it via a cronjob.


Yes, but maybe next time. The only difference is that, the ports tree uses DSO method, which is the recommend way these days.

So just use ports on anything when it's available.

Ah, I actually thought about using the DSO method instead, cause of the portability, but didn't realize that things like this [the exploit] would be an issue. I'm learning as I go along. But it's a good lesson, I'll try to think outside the box next time
Thanks for all your help, expertise, and speedy responses.