[php-maint] [PHP-DEV] CVE-2008-5658 unfixed or new problem with Zip::extractTo in 5.2.x?

Pierre Joye pierre.php at gmail.com
Wed Jan 21 23:54:38 UTC 2009


re,

I ran a quick test to solve this problem sooner rather than later
(using only the crash.zip part):

pierre at ubuntu:~/cvs/php53/bld$ ./sapi/cli/php ./ziptest.php
opening 'bad' zipfile...ok.
extracted.


C:\Users\pierre\Documents\php-sdk\php53\vc9\x86\php53clean>Debug\php.exe
ziptest.php
opening 'bad' zipfile...ok.
extracted.

But it crashes in 5.2; it seems to be a problem in virtual_file_ex, which
returns an empty string instead of the expected path.

Can you try the attached patch against 5.2, please? I backported the
necessary functions from TSRM and removed what we do not use. It
should fix the problem.

Cheers,

On Wed, Jan 21, 2009 at 11:25 PM, Pierre Joye <pierre.php at gmail.com> wrote:
> hi,
>
> On Wed, Jan 21, 2009 at 10:57 PM, sean finney <seanius at debian.org> wrote:
>> hi everyone,
>>
>> i'm looking for a sanity check here, as i've already lost more time than
>> i'd like chasing ghosts on my treasure hunt through {bugs,lists,cvs}.php.net :(
>>
>> afaict, CVE-2008-5658[1] is only half-fixed on 5.2.8, while it was supposed
>> to be fixed in 5.2.7.
>
> it is fixed in 5.2.7RC2 or RC3, see:
> http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.43&r2=1.1.2.44
>
>> while the zip library no longer blindly extracts files such as
>> "../../../var/www/index.php", it now seems to segfault on any files
>> that have a leading "..".  I've put some sample code illustrating my
>> problem at [2].  am i on crack?
>
> No idea, can you open a bug and post the backtrace, zip data to
> reproduce the problem and a simple script please? Simply post the
> links you gave here. I will take a look at them as soon as possible.
>
> Thanks for the report!
>
> Cheers,
> --
> Pierre
>
> http://blog.thepimp.net | http://www.libgd.org
>



-- 
Pierre

http://blog.thepimp.net | http://www.libgd.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: php_zip.c.crash.patch,txt.patch
Type: application/octet-stream
Size: 9560 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20090122/f9eb19f0/attachment.obj 
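The traversal entries discussed in this thread ("../../../var/www/index.php" and names with a leading "..") can be kept away from ZipArchive::extractTo() entirely by filtering entry names first. The following is an added example written for this page, not code from the thread or from ext/zip; it assumes a readable archive path and an existing destination directory.

```php
<?php
// Added example, not code from the thread or from ext/zip: extract a zip
// entry by entry and refuse any name that could escape the destination,
// instead of handing the whole archive to ZipArchive::extractTo().
// Names with a ".." segment (the "../../../var/www/index.php" case from the
// report, and the leading-".." case that crashed 5.2) never reach extractTo().

function isSafeEntryName(string $name): bool
{
    // Tolerate backslash separators from archives built on Windows.
    $name = str_replace('\\', '/', $name);
    // Empty names, absolute paths and drive letters are never acceptable.
    if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name) === 1) {
        return false;
    }
    // An embedded NUL byte would truncate the path once it reaches C code.
    if (strpos($name, "\0") !== false) {
        return false;
    }
    // Reject a ".." segment anywhere in the name, not only at the start.
    foreach (explode('/', $name) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

// Extracts only entries with safe names; returns the names that were skipped.
function safeExtract(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $skipped = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!isSafeEntryName($name)) {
            $skipped[] = $name;
            continue;   // never pass a hostile name to extractTo()
        }
        $zip->extractTo($destDir, $name);
    }
    $zip->close();
    return $skipped;
}

// Usage with constructed paths (hypothetical files):
// $skipped = safeExtract('crash.zip', '/tmp/extract-out');
```

Logging the returned $skipped list gives a simple detection signal for archives that carry traversal names.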
