Re: CVE request: PHP 5.2.9

["Steven M. Christey" <coley () linus mitre org>]

On Wed, 1 Apr 2009, Tomas Hoger wrote:

> # Fixed a crash on extract in zip when files or directories entry names
>   contain a relative path. (Pierre)
> http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49
>
> This should only affect php 5.2.7 or versions that have original fix
> for CVE-2008-5658 backported.

This was announced in 5.2.9 changelog though, so wouldn't 5.2.8 be
affected?

Use CVE-2009-1272

> # Fixed a segfault when malformed string is passed to json_decode().

Use CVE-2009-1271

- Steve


======================================================
Name: CVE-2009-1271
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1271
Reference: MLIST:[oss-security] 20090401 CVE request: PHP 5.2.9
Reference: URL:http://www.openwall.com/lists/oss-security/2009/04/01/9
Reference: MISC:http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15
Reference: CONFIRM:http://www.php.net/releases/5_2_9.php

The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before
5.2.9 allows remote attackers to cause a denial of service
(segmentation fault) via a malformed string to the json_decode API
function.


======================================================
Name: CVE-2009-1272
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1272
Reference: MLIST:[oss-security] 20090401 CVE request: PHP 5.2.9
Reference: URL:http://www.openwall.com/lists/oss-security/2009/04/01/9
Reference: MISC:http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15
Reference: CONFIRM:http://www.php.net/releases/5_2_9.php

The php_zip_make_relative_path function in php_zip.c in PHP 5.2.x
before 5.2.9 allows context-dependent attackers to cause a denial of
service (crash) via a ZIP file that contains filenames with relative
paths, which is not properly handled during extraction.