Date: Thu, 9 Apr 2009 09:35:38 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Re: CVE request: PHP 5.2.9

On Wed, 8 Apr 2009 14:02:26 -0400 (EDT) "Steven M. Christey" <coley@...us.mitre.org> wrote:

> > # Fixed a crash on extract in zip when files or directories entry
> > names contain a relative path. (Pierre)
> > http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=220.127.116.11&r2=18.104.22.168
> >
> > This should only affect php 5.2.7 or versions that have original fix
> > for CVE-2008-5658 backported.
>
> This was announced in 5.2.9 changelog though, so wouldn't 5.2.8 be
> affected?

Ah, sorry for using confusing wording. I was only trying to say that the
affected code was only introduced in 5.2.7, but anyone backporting the
upstream patch for CVE-2008-5658 may actually introduce this problem in
an earlier version. I have no reason to believe 5.2.8 is not affected;
5.2.7 was supposed to give the "first affected" version.

-- 
Tomas Hoger / Red Hat Security Response Team
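The changelog entry quoted above concerns archives whose entry names contain relative path components ("../", "./"), the same input class that CVE-2008-5658 (directory traversal in ZipArchive::extractTo) was about. Anyone backporting that fix will want a test archive of exactly that shape to exercise the extract path. The following is an added example, written for this page and not code from the thread, from PHP or from ext/zip: it uses only the Python standard library to build such an archive with the member names stored verbatim, and shows the path check an extractor should apply before writing each member. The entry names, file contents and function names are constructed for illustration; the code demonstrates the input and the guard, not PHP's internal handling of it.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed sample input: member names with relative path components.
# Names and contents are hypothetical; any "../"-style name exercises the
# same code path in an extractor.
SAMPLE_ENTRIES = {
    "../escape.txt": b"outside the target directory\n",
    "./inside.txt": b"relative, but resolves inside\n",
    "sub/../also_inside.txt": b"normalises back inside\n",
    "sub/../../escape2.txt": b"escapes via nested traversal\n",
    "plain.txt": b"no relative components\n",
}


def build_archive(entries=SAMPLE_ENTRIES) -> bytes:
    """Return a zip whose member names are stored exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            # ZipInfo keeps the raw name; ZipFile.write() would strip "../".
            zf.writestr(zipfile.ZipInfo(name), data)
    return buf.getvalue()


def is_safe_member(name: str) -> bool:
    """True if writing `name` under a target directory cannot leave it."""
    if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        return False  # absolute path or drive letter
    norm = posixpath.normpath(name.replace("\\", "/"))
    return not (norm == ".." or norm.startswith("../"))


def classify(archive: bytes):
    """Split member names into (accepted, rejected) using is_safe_member."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            bucket = accepted if is_safe_member(info.filename) else rejected
            bucket.append(info.filename)
    return accepted, rejected


def safe_extract(archive: bytes, target: str) -> list:
    """Extract accepted members under target; return paths written."""
    written = []
    root = os.path.realpath(target)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename):
                continue
            dest = os.path.realpath(os.path.join(root, info.filename))
            # Re-check the resolved path: the name check and the path
            # check must agree before anything is written.
            if os.path.commonpath([root, dest]) != root:
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.relpath(dest, root))
    return written


def demo():
    """Extract the sample archive into a fresh temp dir.

    Returns (written, escaped) where escaped reports whether any file
    landed one level above the extraction directory.
    """
    target = tempfile.mkdtemp(prefix="zipdemo-")
    written = safe_extract(build_archive(), target)
    parent = os.path.dirname(os.path.realpath(target))
    escaped = any(
        os.path.exists(os.path.join(parent, n))
        for n in ("escape.txt", "escape2.txt")
    )
    return written, escaped


if __name__ == "__main__":
    print(classify(build_archive()))
    print(demo())
```

Feed the bytes from build_archive() to whatever extractor is under test (for PHP, write them to a file and call extractTo on it); members that normalise to "../" should be refused, and members such as "sub/../also_inside.txt" should land inside the target rather than crashing the extractor.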