pajoye Tue, 30 Nov 2010 11:04:06 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=305848
Log:
Fixed crash in zip extract method (possible CWE-170)
Changed paths:
U php/php-src/branches/PHP_5_2/NEWS
U php/php-src/branches/PHP_5_2/ext/zip/php_zip.c
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/zip/php_zip.c
U php/php-src/trunk/ext/zip/php_zip.c
Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS 2010-11-30 10:20:33 UTC (rev 305847)
+++ php/php-src/branches/PHP_5_2/NEWS 2010-11-30 11:04:06 UTC (rev 305848)
@@ -5,6 +5,8 @@
EXTR_OVERWRITE. (jorto at redhat dot com)
18 Nov 2010, PHP 5.2.15RC1
+- Fixed crash in zip extract method (possible CWE-170).
+ (Maksymilian Arciemowicz, Pierre)
- Fixed a possible double free in imap extension (Identified by Mateusz
Kocielski). (CVE-2010-4150). (Ilia)
- Fixed possible flaw in open_basedir (CVE-2010-3436). (Pierre)
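Review bot: the new entry is added under the "18 Nov 2010, PHP 5.2.15RC1" heading, but this revision is dated 30 Nov 2010, so confirm the fix belongs in that RC's section rather than a later one. The entry also says only "zip extract method"; naming the affected function or method would make it as easy to search for as the neighbouring entries.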
Modified: php/php-src/branches/PHP_5_2/ext/zip/php_zip.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/zip/php_zip.c 2010-11-30 10:20:33 UTC
(rev 305847)
+++ php/php-src/branches/PHP_5_2/ext/zip/php_zip.c 2010-11-30 11:04:06 UTC
(rev 305848)
@@ -413,6 +413,9 @@
return 0;
}
path_cleaned = php_zip_make_relative_path(new_state.cwd,
new_state.cwd_length);
+ if(!path_cleaned) {
+ return 0;
+ }
path_cleaned_len = strlen(path_cleaned);
if (path_cleaned_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) {
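Review bot: the added `if(!path_cleaned) { return 0; }` fails silently and returns after new_state.cwd has already been populated. If new_state.cwd is heap-allocated at this point, the early return should release it first, and a warning would tell the caller why extraction stopped. Style point: the next line writes `if (` with a space, the new line writes `if(`.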
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-11-30 10:20:33 UTC (rev 305847)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-11-30 11:04:06 UTC (rev 305848)
@@ -49,6 +49,8 @@
- Upgraded bundled PCRE to version 8.10. (Ilia)
- Security enhancements:
+ . Fixed crash in zip extract method (possible CWE-170).
+ (Maksymilian Arciemowicz, Pierre)
. Paths with NULL in them (foo\0bar.txt) are now considered as invalid.
(Rasmus)
. Fixed a possible double free in imap extension (Identified by Mateusz
Kocielski). (CVE-2010-4150). (Ilia)
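Review bot: the entry labels this "possible CWE-170", which is improper null termination, while the code change in this same revision is a NULL-pointer check on path_cleaned before strlen(), which reads closer to CWE-476. If the underlying defect is a termination problem inside php_zip_make_relative_path, say so in the entry; otherwise adjust the label so it matches the fix.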
Modified: php/php-src/branches/PHP_5_3/ext/zip/php_zip.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/zip/php_zip.c 2010-11-30 10:20:33 UTC
(rev 305847)
+++ php/php-src/branches/PHP_5_3/ext/zip/php_zip.c 2010-11-30 11:04:06 UTC
(rev 305848)
@@ -162,6 +162,9 @@
*/
virtual_file_ex(&new_state, file, NULL, CWD_EXPAND);
path_cleaned = php_zip_make_relative_path(new_state.cwd,
new_state.cwd_length);
+ if(!path_cleaned) {
+ return 0;
+ }
path_cleaned_len = strlen(path_cleaned);
if (path_cleaned_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) {
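Review bot: the guard covers a NULL result from php_zip_make_relative_path, but the return value of virtual_file_ex on the line above is still ignored, so new_state.cwd and new_state.cwd_length are passed on without knowing whether path expansion succeeded. Checking that call as well would handle the failure at its source. A one-line comment stating when php_zip_make_relative_path returns NULL would also help the next reader.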
Modified: php/php-src/trunk/ext/zip/php_zip.c
===================================================================
--- php/php-src/trunk/ext/zip/php_zip.c 2010-11-30 10:20:33 UTC (rev 305847)
+++ php/php-src/trunk/ext/zip/php_zip.c 2010-11-30 11:04:06 UTC (rev 305848)
@@ -162,6 +162,9 @@
*/
virtual_file_ex(&new_state, file, NULL, CWD_EXPAND TSRMLS_CC);
path_cleaned = php_zip_make_relative_path(new_state.cwd,
new_state.cwd_length);
+ if(!path_cleaned) {
+ return 0;
+ }
path_cleaned_len = strlen(path_cleaned);
if (path_cleaned_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) {
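Review bot: the `if(!path_cleaned)` guard is applied identically to three branches, yet the changed-paths list contains no test file. A regression test for ext/zip that exercises an input for which php_zip_make_relative_path returns NULL, and asserts that extraction returns failure instead of crashing, would keep the branches from diverging on this later.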
--
PHP CVS Mailing List (http://www.php.net/)