Date: Tue, 14 Apr 2009 17:38:50 +0200
From: Christian Hoffmann <hoffie@...too.org>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: PHP 5.2.9

On 2009-04-08 20:02, Steven M. Christey wrote:
>> # Fixed a crash on extract in zip when files or directories entry names
>>   contain a relative path. (Pierre)
>> http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49
>>
>> This should only affect php 5.2.7 or versions that have original fix
>> for CVE-2008-5658 backported.
> 
> This was announced in 5.2.9 changelog though, so wouldn't 5.2.8 be
> affected?
> 
> Use CVE-2009-1272
Somehow the wrong changeset URL shows up in CVE-2009-1272's list of
references [1] (the json decode one, instead of the zip thingy):

What shows up:
http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15

What should show up instead:
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1272

-- 
Christian Hoffmann