The first hunk of this patch is *mitigation* for use of bad wrappers scripts which are vulnerable to CVE-2012-2335. The second hunk of this patch fixes CVE-2012-2336: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2336 http://git.php.net/?p=php-src.git;a=commitdiff;h=7de4b75f74a817c3fead32710e04cd015bcc5360
--- php-5.3.3/sapi/cgi/cgi_main.c.cve2311
+++ php-5.3.3/sapi/cgi/cgi_main.c
@@ -1553,10 +1553,15 @@ int main(int argc, char *argv[])
 }
 }
- if((query_string = getenv("QUERY_STRING")) != NULL) {
+ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
+ /* we've got query string that has no = - apache CGI will pass it to command line */
+ unsigned char *p;
 decoded_query_string = strdup(query_string);
 php_url_decode(decoded_query_string, strlen(decoded_query_string));
- if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) {
+ for (p = decoded_query_string; *p && *p <= ' '; p++) {
+ /* skip all leading spaces */
+ }
+ if(*p == '-') {
 skip_getopt = 1;
 }
 free(decoded_query_string);
@@ -1811,7 +1816,7 @@ consult the installation file that came
 }
 zend_first_try {
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
 switch (c) {
 case 'T':
 benchmark = 1;
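Review bot: The result of `strdup(query_string)` in the first hunk goes straight into `php_url_decode()` and `strlen()` with no NULL check, so an allocation failure dereferences a null pointer before the leading `-` test can run. Because this block decides whether argv may be parsed as switches, failing closed looks like the safer default: `if (decoded_query_string == NULL) { skip_getopt = 1; } else { /* decode, scan, free */ }`. The comment `/* skip all leading spaces */` also understates the loop, which skips every byte up to 0x20 after URL-decoding; `/* skip leading whitespace and control bytes (anything <= ' ') */` matches the condition. `main` begins above the hunk and the closing brace of this `if` lies below it.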
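Review bot: The `!skip_getopt &&` guard added to the `php_getopt()` loop in the second hunk carries no comment explaining why option parsing may be suppressed, and the flag is set roughly 250 lines earlier in `main`. A comment above the `while`, for example `/* skip_getopt is set when QUERY_STRING has no '=' and decodes to a leading '-'; do not treat it as command-line switches (CVE-2012-2336) */`, would keep a later refactor from dropping the guard. Only this call site is visible here, so it should be confirmed against the full file that every other `php_getopt()` loop in `main` is guarded the same way. The `zend_first_try` block and the `switch` continue below the hunk.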