Newsgroups: php.internals
Xref: news.php.net php.internals:42760
Date: Wed, 21 Jan 2009 23:25:21 +0100
From: pierre.php@gmail.com (Pierre Joye)
To: sean finney
Cc: PHP internals, Debian PHP Maintainers, Stefan Esser
In-Reply-To: <20090121215750.GC15208@rangda.stickybit.se>
References: <20090121215750.GC15208@rangda.stickybit.se>
Subject: Re: [PHP-DEV] CVE-2008-5658 unfixed or new problem with Zip::extractTo in 5.2.x?

hi,

On Wed, Jan 21, 2009 at 10:57 PM, sean finney wrote:
> hi everyone,
>
> i'm looking for a sanity check here, as i've already lost more time than
> i'd like chasing ghosts on my treasure hunt through {bugs,lists,cvs}.php.net :(
>
> afaict, CVE-2008-5658[1] is only half-fixed on 5.2.8, while it was supposed
> to be fixed in 5.2.7.

it is fixed in 5.2.7RC2 or RC3, see:

http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.43&r2=1.1.2.44

> while the zip library no longer blindly extracts files such as
> "../../../var/www/index.php", it now seems to segfault on any files
> that have a leading "..". I've put some sample code illustrating my
> problem at[2]. am i on crack?

No idea, can you open a bug and post the backtrace, zip data to reproduce
the problem and a simple script please? Simply post the links you gave
here. I will take a look at them as soon as possible.

Thanks for the report!

Cheers,
--
Pierre

http://blog.thepimp.net | http://www.libgd.org
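The thread concerns two sides of the same check: an archive extractor must refuse entry names that climb out of the destination directory (the CVE-2008-5658 traversal, e.g. "../../../var/www/index.php"), and it must also cope cleanly with entries that consist of nothing but ".." once the traversal components are considered. The following is an added example, not code from this thread or from PHP's ext/zip; it is written in Python rather than PHP so it can be run stand-alone, and the function names `safe_member_path`, `classify_archive` and `build_sample_archive` and the sample archive contents are the example's own constructions. It shows the decision an extractor should make for each entry name before touching the filesystem, including the degenerate "bare .." case, without writing any files.

```python
import io
import os
import zipfile


def safe_member_path(dest_dir, member_name):
    """Decide where a zip entry may be written under dest_dir.

    Returns the resolved absolute target path, or None when the entry must
    be rejected. Rejected: absolute names, Windows drive prefixes, any '..'
    path component, and names that reduce to nothing (e.g. a bare '..').
    """
    # Zip names use '/' per the format spec; tolerate '\' from sloppy writers.
    name = member_name.replace("\\", "/")
    if name.startswith("/"):
        return None
    # "C:foo" or "C:/foo" style names point outside dest_dir on Windows.
    if len(name) > 1 and name[1] == ":":
        return None
    # Drop empty and '.' components; whatever is left must be plain names.
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        # A name that reduces to nothing is not a file: reject, don't crash.
        return None
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *parts))
    # Belt and braces: the resolved path must still sit inside dest_dir.
    if os.path.commonpath([dest_real, target]) != dest_real:
        return None
    return target


def classify_archive(zip_bytes, dest_dir):
    """Return {entry_name: 'extract' | 'reject'} for an in-memory archive."""
    decisions = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_member_path(dest_dir, info.filename)
            decisions[info.filename] = "extract" if target else "reject"
    return decisions


def build_sample_archive():
    """Constructed sample archive (not a real-world file): one benign entry
    plus several entry names an extractor must refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")                  # benign
        zf.writestr("../../../var/www/index.php", "<?php ?>")    # traversal
        zf.writestr("..", "")                                    # bare '..'
        zf.writestr("/etc/passwd", "")                           # absolute
        zf.writestr("a/../../b", "")                             # mid-path '..'
    return buf.getvalue()


if __name__ == "__main__":
    # Destination is only used for path resolution; nothing is written.
    for name, verdict in classify_archive(build_sample_archive(), "extract_out").items():
        print(f"{verdict:8s} {name}")
```

Rejecting on the presence of any `..` component (rather than stripping it and continuing) keeps the decision simple and leaves no half-sanitized name for the writer to trip over; the final `commonpath` check catches anything the component filter did not anticipate, such as a destination that is itself a symlink.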