[php-maint] Re: research for recent PHP security vulnerabilities
Moritz Muehlenhoff
jmm at inutil.org
Thu Sep 7 22:11:56 UTC 2006
sean finney wrote:
> On Thu, 2006-09-07 at 22:25 +0200, Moritz Muehlenhoff wrote:
> > What about CVE-2006-0931? This seems to come from php-pear from
> > the php4 source package.
>
> i believe the consensus was that this is not a vulnerability in
> php4/pear, but in any application that doesn't check input tarfiles
> for sanity before extracting them. an analog would be a webform taking
> an upload file and a path, and not checking the path for stuff like
> ".." before putting it there.
I agree.
Cheers,
Moritz
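
The sanity check discussed in this thread, as an added example that is not part of the original messages: it inspects every tar entry before extraction and rejects absolute paths, ".." escapes and links that point outside the destination. It is written in Python with the standard `tarfile` module rather than against PEAR's Archive_Tar; the sample archive, the function names and the destination path are constructed for illustration.

```python
import io
import os
import tarfile


def build_sample_tar():
    """Constructed sample archive: one benign entry and three hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../../etc/cron.d/job", "/tmp/abs.txt"):
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    buf.seek(0)
    return buf


def check_member(member, dest):
    """Return a rejection reason for one entry, or None if it stays under dest."""
    dest = os.path.realpath(dest)
    if os.path.isabs(member.name):
        return "absolute path"
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        return "escapes destination"
    if member.issym() or member.islnk():
        # Symlink targets resolve relative to the entry's own directory,
        # hard link targets relative to the archive root.
        base = os.path.dirname(target) if member.issym() else dest
        link = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([dest, link]) != dest:
            return "link points outside destination"
    elif not (member.isfile() or member.isdir()):
        return "unsupported entry type"  # devices, FIFOs and similar
    return None


def audit_archive(fileobj, dest):
    """Map every entry name to its rejection reason (None means acceptable)."""
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        return {m.name: check_member(m, dest) for m in tar.getmembers()}


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_tar(), "/srv/extract-demo").items():
        print(f"{name!r}: {reason or 'ok'}")
```

An application would refuse the whole archive if any entry has a non-None reason, and only then extract.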