Newsgroups: php.internals
Xref: news.php.net php.internals:27397
Date: Fri, 12 Jan 2007 15:14:10 +0100
From: pierre.php@gmail.com (Pierre)
To: "Stefan Esser"
Cc: "Alain Williams", internals@lists.php.net, kel@securityfocus.com, security@php.net
References: <20070111144144.GV15998@mint.phcomp.co.uk> <45A65B19.40900@lerdorf.com> <45A6600D.1090500@hardened-php.net> <45A66391.1090302@hardened-php.net>
Subject: Re: [PHP-DEV] Comments on PHP security

On 1/11/07, Pierre wrote:
> Hi Stefan,
>
> On 1/11/07, Stefan Esser wrote:
> >
> > > For your information, zip is not enabled by default. If you have a
> > > bug/issue about the specific zip:// URL, please let me know. Ilia and
> > > Tony already made some path fixes and the fixes are available in
> > > zip-1.8.4. They will be in 5.2.1.
> >
> > For your information Pierre: security bugs in PHP are usually found by
> > me. So guess twice WHO told security@php.net that there are
> > buffer overflows in zip:// URLs and WHY there have been bugfixes to ext/zip.
>
> No idea who posted them or if someone posted something about zip. As
> you know I have no access to security@ and so far all I see are
> commits in my packages without much explanation. Not like I do not
> want you or anyone else to help, or do not want to give you the credit. But
> I did not know that someone else reported the issues; I apologize for
> that.
>
> > BTW: Last time I checked, popular packages like dotdeb PHP activate
> > ext/zip by default...
> >
> > And yes... Also prepare for the ***more than 30 vulnerabilities*** I
> > disclosed to security@php.net during the last 3 weeks.
>
> Nice, better late than never. Remember my numerous requests in the
> last months *BEFORE* the stable release (and you were still a PHP
> Security member)?

After having received the info (thanks to Rasmus and Ilia), I can say that only one flaw was related to the _active_ zip extension (zip:// used with a huge path).

This flaw is already fixed in php-src, and the last PECL release (1.8.4) contains the fix, as a release was done 2 days after I saw the commit. That does not mean there are no others, but that is the only known issue and it is now fixed.

The active branch is available in PECL (latest version is 1.8.4) and from PHP 5.2.0 or earlier. This extension is 100% backward compatible with the old API but with a completely new implementation. If any Linux distribution still provides php4 packages, I can only recommend using this new version instead of the old and unmaintained code (or, even better, dropping php4).

I hope things are clearer now.

--Pierre