Fix commit is at $URL. From the upstream bug at https://bugs.php.net/bug.php?id=54681: Test script: --------------- The crash come, when we run libc/glob(3) function with incorrect flag. Tested also on linux/ubuntu and (netbsd) cx@cx64:~$ php -v PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:07:38) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies cx@cx64:~$ uname -a Linux cx64 2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:39:03 UTC 2011 x86_64 GNU/Linux cx@cx64:/www$ cat zip.php <?php unlink("empty.zip"); fopen("empty.zip","a"); $nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob(str_repeat("*",333333),0x39); ?>cx@cx64:/www$ php zip.php Segmentation fault
I checked manually php-5.3.8 sources, and the commit at $URL seems applied. =dev-lang/php-5.3.8 is stable on all arches. So as per B3 adding glsa vote request.
Thanks, Agostino. GLSA Vote: yes.
CVE-2011-1657 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1657): The (1) ZipArchive::addGlob and (2) ZipArchive::addPattern functions in ext/zip/php_zip.c in PHP 5.3.6 allow context-dependent attackers to cause a denial of service (application crash) via certain flags arguments, as demonstrated by (a) GLOB_ALTDIRFUNC and (b) GLOB_APPEND.
YES too.
This issue was resolved and addressed in GLSA 201110-06 at http://security.gentoo.org/glsa/glsa-201110-06.xml by GLSA coordinator Tobias Heinlein (keytoaster).
