Date: Thu, 9 Apr 2009 09:35:38 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Re: CVE request: PHP 5.2.9

On Wed, 8 Apr 2009 14:02:26 -0400 (EDT) "Steven M. Christey"
<coley@...us.mitre.org> wrote:

> > # Fixed a crash on extract in zip when files or directories entry
> > names contain a relative path. (Pierre)
> > http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.48&r2=1.1.2.49
> >
> > This should only affect php 5.2.7 or versions that have original fix
> > for CVE-2008-5658 backported.
> 
> This was announced in 5.2.9 changelog though, so wouldn't 5.2.8 be
> affected?

Ah, sorry for using confusing wording.  I was only trying to say that
the affected code was only introduced in 5.2.7, but anyone backporting
the upstream patch for CVE-2008-5658 may actually introduce this problem
in an earlier version.  I have no reason to believe 5.2.8 is not affected;
5.2.7 was supposed to give the "first affected" version.

-- 
Tomas Hoger / Red Hat Security Response Team
