On 1/11/07, Pierre <[EMAIL PROTECTED]> wrote:
Hi Stefan,

On 1/11/07, Stefan Esser <[EMAIL PROTECTED]> wrote:
>
> > For your information, zip is not enabled by default. If you have a
> > bug/issue about the specific zip:// URL, please let me know. Ilia and
> > Tony already fixed some path issues and the fixes are available in
> > zip-1.8.4. They will be in 5.2.1.
> For your information Pierre: Security Bugs in PHP are usually found by
> me. So guess twice WHO told [EMAIL PROTECTED] that there are
> buffer overflows in zip:// URLs and WHY there have been bugfixes to ext/zip.

No idea who posted them or if someone posted something about zip. As
you know I have no access to security@ and so far all I see are
commits in my packages without much explanation. It is not that I do not
want you or anyone else to help, or that I do not want to give you the
credit. But I did not know that someone else reported the issues, I
apologize for that.

> BTW: Last time I checked, popular packages like dotdeb PHP activate
> ext/zip by default...
>
> And yes... Also prepare for the ***more than 30 vulnerabilities*** I
> disclosed to [EMAIL PROTECTED] during the last 3 weeks.

Nice, better late than never. Remember my numerous requests in the
last months *BEFORE* the stable release (and you were still a PHP
Security member)?

After having received the info (Thanks to Rasmus and Ilia), I can say
that only one flaw was related to the _active_ zip extension (zip://
used with a huge path). This flaw is already fixed in php-src and the
last PECL release (1.8.4) contains the fix, as a release was made
2 days after I saw the commit. That does not mean there are no others,
but that is the only known issue and it is now fixed.

The active branch is available in PECL (latest version is 1.8.4) and
from PHP 5.2.0 or earlier. This extension is 100% backward compatible
with the old API but with a completely new implementation. If any Linux
distribution still provides php4 packages, I can only recommend using
this new version instead of the old and unmaintained code (or even
better, dropping php4).

I hope things are clearer now.

--Pierre

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
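The flaw discussed above is described only as "zip:// used with a huge path", i.e. an overlong archive path copied into a fixed-size buffer. The following is an added illustration of that bug class, not PHP's ext/zip code and not the actual fix: a hypothetical splitter for "zip://<archive>#<entry>" URLs in an unchecked form beside a bounded form that rejects the input before copying. `PATH_BUF`, both function names and the constructed oversized URL are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64   /* deliberately small so the bound is visible */

/* Hypothetical unchecked splitter: copies the archive part of
 * "zip://<archive>#<entry>" into a fixed buffer with no length check.
 * An archive path of PATH_BUF bytes or more overruns `archive`. */
int split_zip_url_unchecked(const char *url, char archive[PATH_BUF])
{
    const char *p = url + strlen("zip://");
    const char *hash = strchr(p, '#');
    size_t n = hash ? (size_t)(hash - p) : strlen(p);
    memcpy(archive, p, n);        /* no bound on n: stack overflow on huge paths */
    archive[n] = '\0';
    return 0;
}

/* Hardened form: validates the scheme and the length before any copy.
 * Returns 0 on success, -1 if the URL is malformed or the path is too long. */
int split_zip_url_checked(const char *url, char archive[PATH_BUF], const char **entry)
{
    if (strncmp(url, "zip://", 6) != 0)
        return -1;
    const char *p = url + 6;
    const char *hash = strchr(p, '#');
    size_t n = hash ? (size_t)(hash - p) : strlen(p);
    if (n == 0 || n >= PATH_BUF)  /* leave room for the terminator */
        return -1;
    memcpy(archive, p, n);
    archive[n] = '\0';
    *entry = hash ? hash + 1 : "";
    return 0;
}

/* Builds a constructed zip:// URL whose archive path is `path_len` bytes of 'A'.
 * Returns the URL length, or 0 if `cap` is too small. Test input only. */
size_t make_long_url(char *out, size_t cap, size_t path_len)
{
    const char *prefix = "zip://";
    size_t plen = strlen(prefix);
    if (plen + path_len + 1 > cap)
        return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', path_len);
    out[plen + path_len] = '\0';
    return plen + path_len;
}

int main(void)
{
    char archive[PATH_BUF];
    const char *entry;
    char big[600];

    /* A normal URL: both forms behave identically. */
    split_zip_url_unchecked("zip:///tmp/a.zip#dir/file.txt", archive);
    printf("unchecked archive: %s\n", archive);
    if (split_zip_url_checked("zip:///tmp/a.zip#dir/file.txt", archive, &entry) == 0)
        printf("checked archive: %s, entry: %s\n", archive, entry);

    /* A 500-byte constructed path: the checked form rejects it. The unchecked
     * form is not called with it here, since that would overrun `archive`. */
    make_long_url(big, sizeof big, 500);
    printf("huge path rejected: %s\n",
           split_zip_url_checked(big, archive, &entry) == -1 ? "yes" : "no");
    return 0;
}
```

The point is the order of operations: the length is compared against the destination size and the input rejected before `memcpy` runs, rather than after the fact. Any wrapper that takes a user-controlled URL wants the same shape of check.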
