[php-maint] [PHP-DEV] CVE-2008-5658 unfixed or new problem with Zip::extractTo in 5.2.x?

sean finney seanius at debian.org
Thu Jan 22 07:12:09 UTC 2009


hi pierre

sorry, was already asleep when you came looking for me on IRC :)

On Wed, Jan 21, 2009 at 11:25:21PM +0100, Pierre Joye wrote:
> it is fixed in 5.2.7RC2 or RC3, see:
> http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.43&r2=1.1.2.44

FSVO "fixed" that includes segfaulting, anyway :)

> No idea, can you open a bug and post the backtrace, a zip data to
> reproduce the problem and a simple script please? Simply post the
> links you gave here. I will take a look at them as soon as possible.

http://bugs.php.net/47188

On Thu, Jan 22, 2009 at 12:54:38AM +0100, Pierre Joye wrote:
> But it crashes in 5.2, it seems to be a problem in virtual_file_ex, it
> returns an empty string instead of the expected path.

/* Resolve path relatively to state and put the real path into state */
/* returns 0 for ok, 1 for error */

and it's returning 1 in this case, so it's an unhandled error, which is
then also unhandled in php_zip_extract_file, as previously suggested.

> Can you try the attached patch please? against 5.2. I backported the
> necessary functions from TSRM and removed what we do not use. It
> should fix the problem.

sadly, i think there's been too much change in TSRM etc between 5.2<->5.3,
so more functions would need to be backported afaict.  maybe it'd be
better to try and figure out why the existing virtual_file_ex doesn't
like this filename, since it might affect other codepaths too?

rangda[/home/sean/Desktop/php-5.2.8] make                                    :)
<snip>...
/bin/sh /home/sean/Desktop/php-5.2.8/libtool --silent --preserve-dup-deps --mode=compile gcc  -Iext/zip/ -I/home/sean/Desktop/php-5.2.8/ext/zip/ -DPHP_ATOM_INC -I/home/sean/Desktop/php-5.2.8/include -I/home/sean/Desktop/php-5.2.8/main -I/home/sean/Desktop/php-5.2.8 -I/usr/include/libxml2 -I/home/sean/Desktop/php-5.2.8/ext/date/lib -I/home/sean/Desktop/php-5.2.8/TSRM -I/home/sean/Desktop/php-5.2.8/Zend    -g -O0  -c /home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c -o ext/zip/php_zip.lo 
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:175:39: error: macro "tsrm_do_alloca" passed 2 arguments, but takes just 1
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c: In function 'php_zip_realpath_r':
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:175: error: 'tsrm_do_alloca' undeclared (first use in this function)
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:175: error: (Each undeclared identifier is reported only once
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:175: error: for each function it appears in.)
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:207:35: error: macro "tsrm_free_alloca" passed 2 arguments, but takes just 1
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:207: error: 'tsrm_free_alloca' undeclared (first use in this function)
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:215:33: error: macro "tsrm_free_alloca" passed 2 arguments, but takes just 1
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c: In function 'php_zip_extract_file':
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:487: warning: passing argument 6 of 'php_basename' from incompatible pointer type
make: *** [ext/zip/php_zip.lo] Error 1
rangda[/home/sean/Desktop/php-5.2.8]                                     [2] :(



	sean
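
The failure mode discussed in this message (a path resolver documented as "returns 0 for ok, 1 for error" whose error return the caller ignores), shown as an added example that is not part of the original message or of PHP's source. `resolve_entry` and `build_extract_path` are hypothetical stand-ins, not `virtual_file_ex` or `php_zip_extract_file`, and the entry names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a resolver with the contract quoted in the
 * message: returns 0 for ok, 1 for error; on error `out` is an empty string. */
static int resolve_entry(const char *name, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return 1;
    out[0] = '\0';
    for (const char *p = name; *p; ) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (used == 0) return 1;            /* ".." would leave the root */
            while (out[--used] != '/') { }      /* drop the last component */
            out[used] = '\0';
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            if (used + n + 2 > outlen) { out[0] = '\0'; return 1; }
            out[used++] = '/';
            memcpy(out + used, p, n);
            used += n;
            out[used] = '\0';
        }
        p += n + strspn(p + n, "/");            /* skip separators */
    }
    return used == 0;                           /* nothing left: error */
}

/* Caller that checks the result before building the destination path.
 * Returns 0 and fills `dest`, or -1 when the entry must be skipped. */
static int build_extract_path(const char *dir, const char *entry,
                              char *dest, size_t destlen)
{
    char rel[256];
    if (resolve_entry(entry, rel, sizeof rel) != 0)
        return -1;                              /* error handled, no crash */
    int w = snprintf(dest, destlen, "%s%s", dir, rel);
    return (w < 0 || (size_t)w >= destlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed entry names, not taken from the bug report. */
    const char *names[] = { "docs/readme.txt", "a/./b/../c", "../../etc/passwd" };
    char dest[512];
    for (size_t i = 0; i < 3; i++) {
        int rc = build_extract_path("/tmp/out", names[i], dest, sizeof dest);
        printf("%-18s -> %s\n", names[i], rc == 0 ? dest : "(skipped)");
    }
}
```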