Source: php5
Version: 5.2.0-1
Severity: important
Tags: security

Hi,

The following advisory has been published. SE-2008-06.txt[1]:

> [...] it
> was discovered that ZipArchive::extractTo() does not flatten
> the filenames stored inside the zip archives.
>
> Therefore it is possible to create zip archives containing
> relative filenames that when unpacked will create or overwrite
> files outside of the temporary directory.
>
> In the applications like the one in question this results in
> a remote PHP code execution vulnerability, because we are
> able to drop new PHP files in writable directories within
> the webserver's document root directory.

The diffstat between the code of 5.2.6 and PHP_5_2 is huge[2], and attempting to use libzip is of no use because it:
a) is impossible due to PHP-specific changes in the lib, and
b) libzip doesn't fix the problem[3].

Note: after a quick search for the usage of the vulnerable method I found no match in the 14 packages in sid I checked.

[1] http://www.sektioneins.de/advisories/SE-2008-06.txt
[2] 71 files changed, 1489 insertions(+), 1084 deletions(-)
[3] The bug is specific to the application using the library, not the library itself.

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
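Because the advisory places the problem in the application that calls ZipArchive::extractTo(), one application-side mitigation is to check every entry name before extracting anything. The following is an added example, not part of the original report or of PHP's own code; the function names isSafeEntryName and safeExtract and the sample entry names are constructed for illustration.

```php
<?php
// Added example: application-side check of zip entry names before extraction.

/** Return true only if $name cannot resolve outside the extraction directory. */
function isSafeEntryName(string $name): bool
{
    $name = str_replace('\\', '/', $name);          // treat backslash as a separator too
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;                               // empty name or embedded NUL byte
    }
    if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return false;                               // absolute path or drive letter
    }
    foreach (explode('/', $name) as $part) {
        if ($part === '..') {
            return false;                           // parent-directory component
        }
    }
    return true;
}

/** Extract $zipPath into $dest, refusing the whole archive on any unsafe name. */
function safeExtract(string $zipPath, string $dest): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    try {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if ($name === false || !isSafeEntryName($name)) {
                throw new RuntimeException("unsafe entry at index $i, archive rejected");
            }
        }
        if (!$zip->extractTo($dest)) {
            throw new RuntimeException("extraction into $dest failed");
        }
    } finally {
        $zip->close();
    }
}

// Constructed entry names, as the listing of an uploaded archive might contain them.
$samples = ['docs/readme.txt', '../outside.php', 'a/../../b.php', '/etc/x', 'C:\\x.php', 'notes..txt'];
foreach ($samples as $n) {
    printf("%-20s %s\n", $n, isSafeEntryName($n) ? 'ok' : 'REJECT');
}
```

Rejecting the whole archive on the first unsafe name, rather than skipping that entry, avoids leaving a partially extracted upload on disk.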

