Newsgroups: php.internals
Date: Thu, 22 Jan 2009 08:12:09 +0100
To: Pierre Joye
Cc: PHP internals, Debian PHP Maintainers, Stefan Esser
Message-ID: <20090122071209.GA5113@rangda.stickybit.se>
References: <20090121215750.GC15208@rangda.stickybit.se>
Subject: Re: [PHP-DEV] CVE-2008-5658 unfixed or new problem with Zip::extractTo in 5.2.x?
From: seanius@debian.org (sean finney)

hi pierre

sorry, was already asleep when you came looking for me on IRC :)

On Wed, Jan 21, 2009 at 11:25:21PM +0100, Pierre Joye wrote:
> it is fixed in 5.2.7RC2 or RC3, see:
> http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.43&r2=1.1.2.44

FSVO "fixed" that includes segfaulting, anyway :)

> No idea, can you open a bug and post the backtrace, a zip data to
> reproduce the problem and a simple script please? Simply post the
> links you gave here. I will take a look at them as soon as possible.

http://bugs.php.net/47188

On Thu, Jan 22, 2009 at 12:54:38AM +0100, Pierre Joye wrote:
> But it crashes in 5.2, it seems to be a problem in virtual_file_ex, it
> returns an empty string instead of the expected path.

/* Resolve path relatively to state and put the real path into state */
/* returns 0 for ok, 1 for error */

and it's returning 1 in this case, so it's an unhandled error, which is
then also unhandled in php_zip_extract_file, as previously suggested.

> Can you try the attached patch please? against 5.2. I backported the
> necessary functions from TSRM and removed what we do not use. It
> should fix the problem.

sadly, i think there's been too much change in TSRM etc between 5.2<->5.3,
so more functions would need to be backported afaict. maybe it'd be better
to try and figure out why the existing virtual_file_ex doesn't like this
filename, since it might affect other codepaths too?

rangda[/home/sean/Desktop/php-5.2.8] make
:) ...
/bin/sh /home/sean/Desktop/php-5.2.8/libtool --silent --preserve-dup-deps --mode=compile gcc -Iext/zip/ -I/home/sean/Desktop/php-5.2.8/ext/zip/ -DPHP_ATOM_INC -I/home/sean/Desktop/php-5.2.8/include -I/home/sean/Desktop/php-5.2.8/main -I/home/sean/Desktop/php-5.2.8 -I/usr/include/libxml2 -I/home/sean/Desktop/php-5.2.8/ext/date/lib -I/home/sean/Desktop/php-5.2.8/TSRM -I/home/sean/Desktop/php-5.2.8/Zend -g -O0 -c /home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c -o ext/zip/php_zip.lo
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:175:39: error: macro "tsrm_do_alloca" passed 2 arguments, but takes just 1
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c: In function 'php_zip_realpath_r':
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:175: error: 'tsrm_do_alloca' undeclared (first use in this function)
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:175: error: (Each undeclared identifier is reported only once
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:175: error: for each function it appears in.)
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:207:35: error: macro "tsrm_free_alloca" passed 2 arguments, but takes just 1
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:207: error: 'tsrm_free_alloca' undeclared (first use in this function)
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:215:33: error: macro "tsrm_free_alloca" passed 2 arguments, but takes just 1
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c: In function 'php_zip_extract_file':
/home/sean/Desktop/php-5.2.8/ext/zip/php_zip.c:487: warning: passing argument 6 of 'php_basename' from incompatible pointer type
make: *** [ext/zip/php_zip.lo] Error 1
rangda[/home/sean/Desktop/php-5.2.8] [2] :(

sean
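As an added example (not code from this mail, the attached patch, or PHP itself): a small C path-containment check for archive extraction that treats a failed path resolution the way the mail argues php_zip_extract_file should, as an error that rejects the entry rather than one that is silently ignored. The function names normalize_entry and safe_extract_path, the extraction root used in the comments, and the 0-for-ok / 1-for-error convention (borrowed from the virtual_file_ex comment quoted above) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not PHP's code.  Lexically normalise an archive entry name
 * (no filesystem access) so that it can only land below the extraction root.
 * Returns 0 for ok, 1 for error, the convention the mail quotes for
 * virtual_file_ex; the caller must treat 1 as "do not extract". */
int normalize_entry(const char *entry, char *out, size_t outlen)
{
    const char *segs[256];
    size_t seglen[256], n = 0, used = 0, i, len;
    const char *p = entry;
    if (*entry == '/' || *entry == '\\') return 1;   /* absolute names are never valid */
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        len = (size_t)(p - start);
        if (*p) p++;                    /* step over the separator */
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                   /* "//" and "." are no-ops */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return 1;       /* ".." would climb above the root */
            n--;
            continue;
        }
        if (n == sizeof segs / sizeof segs[0]) return 1;
        segs[n] = start; seglen[n] = len; n++;
    }
    if (n == 0) return 1;               /* nothing left to name a file */
    for (i = 0; i < n; i++) {
        if (used + seglen[i] + 2 > outlen) return 1;   /* room for '/' and NUL */
        if (i) out[used++] = '/';
        memcpy(out + used, segs[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}

/* Build "<dest>/<entry>" for extraction (dest is e.g. a constructed "/tmp/out").
 * On any error `out` is left empty and 1 is returned, so even an unchecked
 * caller gets no usable path rather than a half-resolved one. */
int safe_extract_path(const char *dest, const char *entry, char *out, size_t outlen)
{
    char rel[4096];
    out[0] = '\0';
    if (normalize_entry(entry, rel, sizeof rel) != 0) return 1;   /* error path handled */
    if (snprintf(out, outlen, "%s/%s", dest, rel) >= (int)outlen) { out[0] = '\0'; return 1; }
    return 0;
}
```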