Source: php5
Version: 5.2.0-1
Severity: important
Tags: security

Hi,

The following advisory has been published.

SE-2008-06.txt[1]:
> [...] it
>   was discovered that ZipArchive::extractTo() does not flatten
>   the filenames stored inside the zip archives.
>
>   Therefore it is possible to create zip archives containing
>   relative filenames that when unpacked will create or overwrite
>   files outside of the temporary directory.
>
>   In the applications like the one in question this results in
>   a remote PHP code execution vulnerability, because we are
>   able to drop new PHP files in writable directories within
>   the webserver's document root directory.

The diffstat between the code of 5.2.6 and PHP_5_2 is huge[2], and attempting
to use libzip is of no use because: a) it is impossible due to PHP-specific
changes in the lib, and b) libzip doesn't fix the problem[3].

Note: after a quick search for the usage of the vulnerable method I found no 
match in the 14 packages in sid I checked.

[1] http://www.sektioneins.de/advisories/SE-2008-06.txt
[2] 71 files changed, 1489 insertions(+), 1084 deletions(-)
[3] The bug is specific to the application using the library, not the library 
itself.

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
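
An application-side check for the relative entry names the advisory describes, as an added example that is not part of the original report or of PHP's own code. `isSafeEntryName()` and `extractChecked()` are hypothetical helper names, and the sample archive is constructed for the demonstration.

```php
<?php
// Added example: reject archives whose entry names could leave the target directory.
function isSafeEntryName(string $name): bool
{
    $name = str_replace('\\', '/', $name);           // treat backslash as a separator too
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    if ($name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)) {
        return false;                                // absolute path or drive letter
    }
    return !in_array('..', explode('/', $name), true); // no parent-directory component
}

function extractChecked(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeEntryName($name)) {
            $rejected[] = $name;
        }
    }
    // Refuse the whole archive if any entry is suspicious; extract nothing.
    if ($rejected === [] && !$zip->extractTo($destDir)) {
        $zip->close();
        throw new RuntimeException("extraction failed");
    }
    $zip->close();
    return $rejected;
}

// Constructed sample archive: one ordinary entry, one with a relative path.
$tmp = sys_get_temp_dir() . '/se-2008-06-demo-' . getmypid();
mkdir("$tmp/out", 0700, true);
$zip = new ZipArchive();
$zip->open("$tmp/sample.zip", ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('docs/readme.txt', "hello\n");
$zip->addFromString('../outside.txt', "constructed test entry\n");
$zip->close();

var_dump(extractChecked("$tmp/sample.zip", "$tmp/out")); // rejected entry names
var_dump(file_exists("$tmp/outside.txt"));               // was anything written outside?
```

The check runs over every entry before anything is written, so a single suspicious name stops the whole extraction rather than leaving a partially unpacked archive.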
