[php-maint] Re: research for recent PHP security vulnerabilities

Moritz Muehlenhoff jmm at inutil.org
Thu Sep 7 22:11:56 UTC 2006

sean finney wrote:
> On Thu, 2006-09-07 at 22:25 +0200, Moritz Muehlenhoff wrote:
> > What about CVE-2006-0931? This seems to come from php-pear from
> > the php4 source package.
> i believe the consensus was that this is not a vulnerability in
> php4/pear, but in any application that doesn't check input tarfiles
> for sanity before extracting them.  an analog would be webform taking
> an upload file and a path, and not checking the path for stuff like
> ".." before putting it there.

I agree.


More information about the pkg-php-maint mailing list