Newsgroups: php.internals
Xref: news.php.net php.internals:42758
Date: Wed, 21 Jan 2009 22:57:50 +0100
From: seanius@debian.org (sean finney)
To: PHP internals
Cc: Debian PHP Maintainers, Stefan Esser
Message-ID: <20090121215750.GC15208@rangda.stickybit.se>
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: CVE-2008-5658 unfixed or new problem with Zip::extractTo in 5.2.x?

hi everyone,

i'm looking for a sanity check here, as i've already lost more time than
i'd like chasing ghosts on my treasure hunt through {bugs,lists,cvs}.php.net :(

afaict, CVE-2008-5658[1] is only half-fixed on 5.2.8, while it was supposed
to be fixed in 5.2.7.

while the zip library no longer blindly extracts files such as
"../../../var/www/index.php", it now seems to segfault on any files that
have a leading "..". I've put some sample code illustrating my problem
at [2]. am i on crack?

a backtrace points to virtual_file_ex() returning an unchecked error in
php_zip_extract_file(). it looks like there *might* have been a fix in the
5.3 branch, but it was surrounded by so much other noise that i'm not sure.
i guess someone here knows better than me what's going on. it doesn't seem
exploitable for more than a DoS at first glance, but i'll defer to the
experts on that as well.

sean

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658
[2] http://people.debian.org/~seanius/php/security/ziptest.tgz
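A userland mitigation for the two behaviours the post describes (traversal via "../" entry names, and the crash on names starting with ".."), added here as an example that is not part of sean's mail or of PHP's own ext/zip code: vet every entry name before it ever reaches extractTo(), and extract entries one at a time. The function names isSafeEntryName and safeExtract and the sample entry names are my own constructions.

```php
<?php
// Added example (not from the original post): validate ZipArchive entry
// names before extraction so a hostile archive can neither escape the
// destination directory nor hand extractTo() a name that begins with "..".

/** Return true only for relative names that stay inside the target dir. */
function isSafeEntryName(string $name): bool
{
    if ($name === '' || strlen($name) > 4096) {
        return false;
    }
    // Reject absolute paths (Unix and Windows) and drive-letter prefixes.
    if ($name[0] === '/' || $name[0] === '\\' || preg_match('/^[A-Za-z]:/', $name)) {
        return false;
    }
    // Walk the components; any ".." is rejected outright, even when a later
    // component would bring the path back inside (e.g. "a/../b.txt").
    foreach (preg_split('~[/\\\\]+~', $name) as $part) {
        if ($part === '..' || strpos($part, "\0") !== false) {
            return false;
        }
    }
    return true;
}

/** Extract only vetted entries into $dest; return the names that were skipped. */
function safeExtract(ZipArchive $zip, string $dest): array
{
    $skipped = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!isSafeEntryName($name)) {
            $skipped[] = $name;          // never passed to extractTo()
            continue;
        }
        $zip->extractTo($dest, [$name]); // one checked entry at a time
    }
    return $skipped;
}

// Constructed sample names covering the cases mentioned in the report.
$samples = [
    'docs/readme.txt'            => true,
    '../../../var/www/index.php' => false,
    '..'                         => false,
    '../x'                       => false,
    'a/../b.txt'                 => false,
    '/etc/passwd'                => false,
];
foreach ($samples as $name => $expected) {
    assert(isSafeEntryName($name) === $expected, "unexpected result for $name");
}
```

To use it on a real archive, open it with ZipArchive::open() and call safeExtract($zip, $destDir) instead of $zip->extractTo($destDir); anything returned in the skipped list is worth logging.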