CVE-2008-5658
Publication date 17 December 2008
Last updated 24 July 2024
Ubuntu priority
Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences.
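A defensive check for the flaw described above, as an added example that is not code from this page or from the PHP project: every entry name is validated before `extractTo` writes anything. The helper names `isSafeEntryName()` and `extractChecked()` and the sample names are assumptions, and the code assumes PHP 7 or later with the zip extension.

```php
<?php
// Added example; isSafeEntryName() and extractChecked() are hypothetical helpers.
function isSafeEntryName(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    // Treat backslashes as separators so "..\x" is caught on every platform.
    $norm = str_replace('\\', '/', $name);
    // Reject absolute paths and Windows drive prefixes such as "C:".
    if ($norm[0] === '/' || preg_match('/^[A-Za-z]:/', $norm)) {
        return false;
    }
    // Reject any ".." path segment, wherever it appears in the name.
    return !in_array('..', explode('/', $norm), true);
}

function extractChecked(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $names = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeEntryName($name)) {
            $zip->close();
            throw new RuntimeException("unsafe entry name at index $i, nothing extracted");
        }
        $names[] = $name;
    }
    // Validation finished for the whole archive before any file is written.
    $ok = $zip->extractTo($destDir, $names);
    $zip->close();
    if (!$ok) {
        throw new RuntimeException("extraction failed for $zipPath");
    }
    return $names;
}

// Constructed sample names (not from the page) showing the check's verdicts.
$samples = ['docs/readme.txt', '../../outside.txt', 'a/../../b', '/abs/path', 'C:\\temp\\x'];
foreach ($samples as $n) {
    printf("%-20s %s\n", $n, isSafeEntryName($n) ? 'ok' : 'rejected');
}
```

The check covers entry names only; it does not inspect symbolic-link entries or confirm that the resolved target stays under the destination directory.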
Status
Package | Ubuntu Release | Status |
---|---|---|
php5 | ||
Notes
mdeslaur
- zip is only in php > 5.2.x
- apart from these patches, libzip was updated to 0.9.0
- not sure if it's necessary to fix the issue...
- seems the issue is not resolved: http://bugs.php.net/bug.php?id=47188
- more info:
- http://news.php.net/php.internals/42758
- http://news.php.net/php.internals/42760
- http://news.php.net/php.internals/42762
- http://news.php.net/php.internals/42796 (proposed patch)
- http://news.php.net/php.internals/42797 (proposed smaller patch)
Patch details
Package | Patch details |
---|---|
php5 |
References
Related Ubuntu Security Notices (USN)
- USN-720-1: PHP vulnerabilities (12 February 2009)