Date: Tue, 14 Apr 2009 17:38:50 +0200
From: Christian Hoffmann <hoffie@...too.org>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: PHP 5.2.9

On 2009-04-08 20:02, Steven M. Christey wrote:
>> # Fixed a crash on extract in zip when files or directories entry names
>> contain a relative path. (Pierre)
>> http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=184.108.40.206&r2=220.127.116.11
>>
>> This should only affect php 5.2.7 or versions that have original fix
>> for CVE-2008-5658 backported.
>
> This was announced in 5.2.9 changelog though, so wouldn't 5.2.8 be
> affected?
>
> Use CVE-2009-1272

Somehow the wrong changeset URL shows up in CVE-2009-1272's list of references
(the json decode one, instead of the zip thingy):

What shows up:
http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=18.104.22.168&r2=22.214.171.124

What should show up instead:
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=126.96.36.199&r2=188.8.131.52

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1272

-- 
Christian Hoffmann