oss-sec mailing list archives
Re: CVE request: PHP 5.2.9
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 9 Apr 2009 09:35:38 +0200
On Wed, 8 Apr 2009 14:02:26 -0400 (EDT) "Steven M. Christey" <coley () linus mitre org> wrote:
# Fixed a crash on extract in zip when files or directories entry names contain a relative path. (Pierre) http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49 This should only affect php 5.2.7 or versions that have original fix for CVE-2008-5658 backported.This was announced in 5.2.9 changelog though, so wouldn't 5.2.8 be affected?
Ah, sorry for using confusing wording. I was only trying to say that the affected code was only introduced in 5.2.7, but anyone backporting upstream patch for CVE-2008-5658 may actually introduce this problem in earlier version. I have no reason to believe 5.2.8 is not affected, 5.2.7 was supposed to give "first affected" version. -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- CVE request: PHP 5.2.9 Tomas Hoger (Apr 01)
- Re: CVE request: PHP 5.2.9 Steven M. Christey (Apr 08)
- Re: CVE request: PHP 5.2.9 Tomas Hoger (Apr 09)
- Re: CVE request: PHP 5.2.9 Christian Hoffmann (Apr 14)
- Re: CVE request: PHP 5.2.9 Steven M. Christey (Apr 24)
- Re: CVE request: PHP 5.2.9 Steven M. Christey (Apr 08)