hi everyone,

i'm looking for a sanity check here, as i've already lost more time than
i'd like chasing ghosts on my treasure hunt through {bugs,lists,cvs}.php.net :(

afaict, CVE-2008-5658[1] is only half-fixed on 5.2.8, while it was supposed
to be fixed in 5.2.7.

while the zip library no longer blindly extracts files such as
"../../../var/www/index.php", it now seems to segfault on any files
that have a leading "..". I've put some sample code illustrating my
problem at[2]. am i on crack?

a backtrace points to virtual_file_ex() returning an unchecked error in
php_zip_extract_file(). it looks like there *might* have been a fix in the 5.3
branch, but it was surrounded by so much other noise that i'm not sure.
i guess someone here knows better than me what's going on. it doesn't seem
exploitable for more than a DoS at first glance, but i'll defer to the experts
on that as well.


[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658
[2] http://people.debian.org/~seanius/php/security/ziptest.tgz

Search Discussions

Discussion Posts

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 1 of 6 | next ›
Discussion Overview
groupphp-internals @
postedJan 21, '09 at 9:57p
activeJan 23, '09 at 8:06a

2 users in discussion

Sean finney: 4 posts Pierre Joye: 2 posts



site design / logo © 2022 Grokbase