oss-sec mailing list archives
Re: CVE request: PHP 5.2.9
From: Christian Hoffmann <hoffie () gentoo org>
Date: Tue, 14 Apr 2009 17:38:50 +0200
On 2009-04-08 20:02, Steven M. Christey wrote:
> # Fixed a crash on extract in zip when files or directories entry names contain a relative path. (Pierre)
>
> http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49
>
> This should only affect php 5.2.7 or versions that have original fix for CVE-2008-5658 backported.
>
> This was announced in 5.2.9 changelog though, so wouldn't 5.2.8 be affected?
>
> Use CVE-2009-1272
Somehow the wrong changeset URL shows up in CVE-2009-1272's list of references [1] (the json decode one, instead of the zip thingy):

What shows up:
http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15

What should show up instead:
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1272

--
Christian Hoffmann