Hi everyone,

I'm looking for a sanity check here, as I've already lost more time than I'd like chasing ghosts on my treasure hunt through {bugs,lists,cvs}.php.net :(

AFAICT, CVE-2008-5658 [1] is only half-fixed in 5.2.8, while it was supposed to be fixed in 5.2.7. While the zip library no longer blindly extracts files such as "../../../var/www/index.php", it now seems to segfault on any files that have a leading "..". I've put some sample code illustrating my problem at [2]. Am I on crack?

A backtrace points to virtual_file_ex() returning an unchecked error in php_zip_extract_file(). It looks like there *might* have been a fix in the 5.3 branch, but it was surrounded by so much other noise that I'm not sure. I guess someone here knows better than me what's going on. It doesn't seem exploitable for more than a DoS at first glance, but I'll defer to the experts on that as well.

sean

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658
[2] http://people.debian.org/~seanius/php/security/ziptest.tgz
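The kind of check the post is circling around, written out as an added example (this is not Sean's ziptest.tgz, nor PHP's ext/zip code, and it does not reproduce the segfault): a small extractor that decides, per entry, whether the archive name can be written under the destination root, and rejects absolute paths and any name whose normalised form still begins with ".." (a leading "../x" as well as a non-leading "a/../../x") rather than handing them on to the filesystem layer. The archive is constructed inline; the helper names (safe_relative_name, extract_safely, run_demo) are mine, not any library's API.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed sample archive (not the archive from the post): one benign
# entry, one that normalises to a path inside the root, and three entries
# that would escape the root if the name were used as-is.
SAMPLE_ENTRIES = {
    "ok.txt": b"harmless\n",
    "sub/../fine.txt": b"also harmless after normalisation\n",
    "../../../var/www/index.php": b"<?php echo 'traversal'; ?>\n",
    "sub/../../evil.txt": b"escapes via a non-leading ..\n",
    "/etc/passwd": b"absolute path\n",
}


def build_sample_zip(entries=SAMPLE_ENTRIES) -> bytes:
    """Build the constructed archive in memory.

    zipfile.writestr() does not sanitise entry names, so the traversal
    names survive into the archive exactly as an attacker would write them.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_relative_name(name: str):
    """Return the normalised relative path for an entry, or None if the
    entry would land outside the extraction root."""
    if not name:
        return None
    name = name.replace("\\", "/")          # treat backslashes as separators
    if name.startswith("/"):                # absolute path
        return None
    if len(name) > 1 and name[1] == ":":    # Windows drive letter
        return None
    norm = posixpath.normpath(name)         # collapses "a/../b", "./x", "//"
    if norm in (".", "..") or norm.startswith("../"):
        return None                         # still escapes after normalising
    return norm


def extract_safely(zip_bytes: bytes, dest: str):
    """Extract only the entries that stay under dest.

    Returns (extracted, rejected): the original entry names in each class,
    in archive order.
    """
    extracted, rejected = [], []
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            rel = safe_relative_name(info.filename)
            if rel is None:
                rejected.append(info.filename)
                continue
            target = os.path.join(root, *rel.split("/"))
            # Second, independent check on the resolved path: whatever the
            # name check decided, the final location must still be under root.
            if os.path.commonpath([root, os.path.realpath(target)]) != root:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def run_demo():
    """Extract the constructed archive into a scratch directory and report
    (extracted, rejected, files actually written relative to the root)."""
    with tempfile.TemporaryDirectory() as scratch:
        extracted, rejected = extract_safely(build_sample_zip(), scratch)
        written = sorted(
            os.path.relpath(os.path.join(dirpath, f), scratch)
            for dirpath, _, files in os.walk(scratch)
            for f in files
        )
    return extracted, rejected, written


if __name__ == "__main__":
    for label, value in zip(("extracted", "rejected", "written"), run_demo()):
        print(f"{label}: {value}")
```

The two checks are deliberately separate: the name check is what decides whether an entry is even considered, and the realpath check catches anything the name check missed (for example a destination directory that is itself a symlink). Neither check ever touches the filesystem with the unsanitised name, which is the property the post is asking about.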