Your submission was sent successfully! Close

CVE-2008-5658

Published: 17 December 2008

Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences.

Notes

AuthorNote
mdeslaur
zip is only in php > 5.2.x
apart from these patches, libzip was updated to 0.9.0
not sure if it's necessary to fix the issue...

seems the issue is not resolved:
http://bugs.php.net/bug.php?id=47188
more info: http://news.php.net/php.internals/42758
http://news.php.net/php.internals/42760
http://news.php.net/php.internals/42762
http://news.php.net/php.internals/42796 (proposed patch)
http://news.php.net/php.internals/42797 (proposed smaller patch)
Priority

Medium

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
dapper Not vulnerable
(zip not present in 5.1)
gutsy
Released (5.2.3-1ubuntu6.5)
hardy
Released (5.2.4-2ubuntu5.5)
intrepid
Released (5.2.6-2ubuntu4.1)
upstream
Released (5.2.7)
Patches:
upstream: http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?hideattic=0&r1=1.1.2.43&r2=1.1.2.44 (incomplete)
vendor: http://patch-tracking.debian.net/patch/series/view/php5/5.2.6.dfsg.1-3/CVE-2008-5658.patch