
Re: [SECURITY] [DSA 1789-1] New php5 packages fix several vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sébastien Le Ray wrote:
> Thijs Kinkhorst <thijs@debian.org> wrote:
>> CVE-2008-5658
>> 
>>     Directory traversal vulnerability in the ZipArchive::extractTo
>> function allows attackers to write arbitrary files via a ZIP file
>> with a file whose name contains .. (dot dot) sequences.
>> 
> 
> Hi,

Hi,

> 
> It seems that there were some side effects. Since the upgrade we have PHP
> crashes with:
> *** glibc detected *** double free or corruption (fasttop): 0x08718200 ***
> 
> The crash occurs inside the extractTo function, please tell me if you
> need any additional information.
> 

Could you please provide us with the zip's file listing (i.e. the output of
unzip -l)?

That would help us reproduce and fix it.

Kind regards,
- -- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoDDcUACgkQYy49rUbZzlrC+QCggRg/soVtN1NZnYPZKugad4lT
wB8Anjms7X63NJDyhR4Y1ttFyWMjPZ3S
=WmZr
-----END PGP SIGNATURE-----
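
The listing requested above and the CVE-2008-5658 description quoted in the thread meet in one triage step: list the archive's entries and mark any name that would resolve outside the extraction directory. The following is an added example, not code from this thread or from PHP; it uses Python's standard library, a constructed in-memory archive, and hypothetical helper names (`verdict`, `audit_zip`, `build_sample_zip`), and it also flags absolute and backslash-separated names, which goes beyond the `..` case in the advisory.

```python
import io
import posixpath
import zipfile


def verdict(name: str) -> str:
    """Classify an entry name: ESCAPES, DOTDOT (stays inside) or ok."""
    path = name.replace("\\", "/")  # treat Windows separators like "/"
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return "ESCAPES"  # absolute path or drive letter
    if posixpath.normpath(path).split("/")[0] == "..":
        return "ESCAPES"  # still climbs above the target after normalising
    if ".." in path.split("/"):
        return "DOTDOT"  # contains ".." but resolves inside the target
    return "ok"


def audit_zip(data: bytes):
    """Return (name, size, verdict) per entry, like `unzip -l` plus a verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.file_size, verdict(i.filename))
                for i in zf.infolist()]


def build_sample_zip() -> bytes:
    """Constructed sample archive; names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("docs/../notes.txt", "inside after normalisation")
        zf.writestr("../../outside.txt", "would leave the target directory")
    return buf.getvalue()


if __name__ == "__main__":
    for name, size, status in audit_zip(build_sample_zip()):
        print(f"{size:8d}  {status:8s}  {name}")
```

An extraction wrapper can refuse the whole archive when any entry is not `ok`, which keeps the decision independent of how the extraction library handles such names.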

