[php-maint] CVE-2008-5658 unfixed or new problem with Zip::extractTo in 5.2.x?

sean finney seanius at debian.org
Wed Jan 21 21:57:50 UTC 2009

hi everyone,

i'm looking for a sanity check here, as i've already lost more time than
i'd like chasing ghosts on my treasure hunt through {bugs,lists,cvs}.php.net :(

afaict, CVE-2008-5658[1] is only half-fixed on 5.2.8, while it was supposed
to be fixed in 5.2.7.  

while the zip library no longer blindly extracts files such as
"../../../var/www/index.php", it now seems to segfault on any files
that have a leading "..".  I've put some sample code illustrating my
problem at[2].  am i on crack?

a backtrace points to virtual_file_ex() returning an unchecked error in
php_zip_extract_file().  it looks like there *might* have been a fix in the 5.3
branch, but it was surrounded by so much other noise that i'm not sure.
i guess someone here knows better than me what's going on.  it doesn't seem
exploitable for more than a DoS at first glance, but i'll defer to the experts
on that as well.


[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658
[2] http://people.debian.org/~seanius/php/security/ziptest.tgz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20090121/7df35a20/attachment.pgp 

More information about the pkg-php-maint mailing list