Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Thu, 9 Apr 2009 09:35:38 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Re: CVE request: PHP 5.2.9

On Wed, 8 Apr 2009 14:02:26 -0400 (EDT) "Steven M. Christey"
<coley@...us.mitre.org> wrote:

> > # Fixed a crash on extract in zip when files or directories entry
> > names contain a relative path. (Pierre)
> > http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49
> >
> > This should only affect php 5.2.7 or versions that have original fix
> > for CVE-2008-5658 backported.
> 
> This was announced in 5.2.9 changelog though, so wouldn't 5.2.8 be
> affected?

Ah, sorry for using confusing wording.  I was only trying to say that
the affected code was only introduced in 5.2.7, but anyone backporting
upstream patch for CVE-2008-5658 may actually introduce this problem in
earlier version.  I have no reason to believe 5.2.8 is not affected,
5.2.7 was supposed to give "first affected" version.

-- 
Tomas Hoger / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux