Bug 265756 (CVE-2008-5658)

Summary: dev-php5/pecl-zip ZipArchive::extractTo directory traversal (CVE-2008-5658)
Product: Gentoo Security
Reporter: Christian Hoffmann (RETIRED) <hoffie>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: jaak, php-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.62&r2=1.63
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Christian Hoffmann (RETIRED) gentoo-dev 2009-04-11 12:07:40 UTC
pecl-zip has been providing zip support for PHP, and with some version of PHP (5.2? doesn't matter) it became part of PHP itself and ships with it (ext/zip in the source). This is enabled with USE=zip when building PHP. Several security issues have been reported against PHP with zip support, so pecl-zip is probably also affected, but it has never seen any fixes (the last upstream release is from 2007).
We should verify and probably remove pecl-zip.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-04-12 17:11:08 UTC
Confirmed this is vulnerable to CVE-2008-5658. If you do not want to maintain the unbundled zip module, then please mask and remove it.
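An added example, not taken from this bug or from PHP's ext/zip, of the check a deployment can put in front of ZipArchive::extractTo to refuse archives whose entry names would escape the destination directory, which is the class of bug CVE-2008-5658 describes. The function names are hypothetical; it assumes the ZipArchive class is available and builds a constructed sample archive in a temporary file to show the check firing.

```php
<?php
// Added example (not the bug's or PHP's own code): refuse to extract an
// archive containing entries that would resolve outside the target dir.

/** Return entry names in $zipPath that would escape the extraction dir. */
function findTraversalEntries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Normalise separators so "..\" is caught as well as "../".
        $norm = str_replace('\\', '/', $name);
        $isAbsolute = $norm !== ''
            && ($norm[0] === '/' || preg_match('#^[A-Za-z]:#', $norm) === 1);
        // Any ".." path segment is rejected, wherever it appears.
        if ($isAbsolute || in_array('..', explode('/', $norm), true)) {
            $bad[] = $name;
        }
    }
    $zip->close();
    return $bad;
}

/** Extract $zipPath into $destDir only when no entry escapes it. */
function safeExtractTo(string $zipPath, string $destDir): void
{
    $bad = findTraversalEntries($zipPath);
    if ($bad !== []) {
        throw new RuntimeException('refusing to extract, unsafe entries: '
            . implode(', ', $bad));
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true || !$zip->extractTo($destDir)) {
        throw new RuntimeException("extraction of $zipPath failed");
    }
    $zip->close();
}

// Constructed sample archive: one benign entry and one escaping entry.
$tmp = tempnam(sys_get_temp_dir(), 'zipcheck');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::OVERWRITE);
$zip->addFromString('ok.txt', "fine\n");
$zip->addFromString('../outside.txt', "escape\n");
$zip->close();
var_dump(findTraversalEntries($tmp)); // lists only "../outside.txt"
unlink($tmp);
```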
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-12 19:34:37 UTC
Masked and will be removed.

# Christian Hoffmann <hoffie@gentoo.org> (12 Apr 2009)
# Masked for security (bug 265756), unmaintained upstream (last release
# two years ago), will be removed in 30 days. Use dev-lang/php with
# USE=zip as a replacement, which is actively maintained and has more
# features.
dev-php5/pecl-zip
Comment 3 Jaak Ristioja 2010-07-23 08:38:03 UTC
(In reply to comment #2)
> Masked and will be removed.

And was removed.
Comment 4 Matti Bickel (RETIRED) gentoo-dev 2010-12-19 15:15:18 UTC
noglsa? and closing?
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-12-26 02:27:52 UTC
Sounds good.