hi everyone,
i'm looking for a sanity check here, as i've already lost more time than
i'd like chasing ghosts on my treasure hunt through {bugs,lists,cvs}.php.net :(
afaict, CVE-2008-5658[1] is only half-fixed on 5.2.8, while it was supposed
to be fixed in 5.2.7.
while the zip library no longer blindly extracts files such as
"../../../var/www/index.php", it now seems to segfault on any files
that have a leading "..". I've put some sample code illustrating my
problem at[2]. am i on crack?
a backtrace points to virtual_file_ex() returning an unchecked error in
php_zip_extract_file(). it looks like there *might* have been a fix in the 5.3
branch, but it was surrounded by so much other noise that i'm not sure.
i guess someone here knows better than me what's going on. it doesn't seem
exploitable for more than a DoS at first glance, but i'll defer to the experts
on that as well.
sean
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658
[2] http://people.debian.org/~seanius/php/security/ziptest.tgz
--
signature.asc
Description: Digital signature
