From Secunia: Stefan Esser has reported a vulnerability in PHP, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an input validation error within the "ZipArchive::extractTo()" function when extracting ZIP archives. This can be exploited to extract files to arbitrary locations outside the specified directory via directory traversal sequences in a specially crafted ZIP archive.

Ref: http://secunia.com/Advisories/32964/

Reproducible: Always
The advisory says this is fixed in php 5.2.7, which is not on the main php page but is on the mirrors. http://www.php.net/get/php-5.2.7.tar.bz2/from/a/mirror is functional.

From the actual advisory:

> To exploit this an attacker just needs to create a zip archive containing filenames like ../../../../../../../../../../../var/www/wr_dir/evil.php
> An easy way to achieve that is to just store a file with a long name inside the zip archive and then change it with a hex editor
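For anyone who cannot upgrade immediately, the practical mitigation is to never hand ZipArchive::extractTo() an archive's entry list unvetted: enumerate the entries first, reject any name that is absolute, uses backslashes, or contains a ".." component, and extract only the vetted names. The following wrapper is an added example written for this bug, not code from PHP or from the advisory; the archive path and destination directory in the usage call are hypothetical. It uses only ZipArchive methods that exist in PHP 5.2 (open, numFiles, getNameIndex, extractTo with a name list, close) and avoids post-5.2 syntax so it runs on the affected versions as well as current ones.

```php
<?php
// Added example (not from the bug thread): defensive wrapper around
// ZipArchive::extractTo() that refuses entries whose names would escape
// the destination directory (the traversal primitive behind CVE-2008-5658).

function zipEntryNameIsSafe($name)
{
    // Empty names, absolute paths and backslash separators are never accepted.
    if ($name === '' || $name[0] === '/' || $name[0] === '\\') {
        return false;
    }
    // Windows drive letters ("C:...") and embedded NUL bytes are rejected too.
    if (preg_match('/^[A-Za-z]:/', $name) || strpos($name, "\0") !== false) {
        return false;
    }
    if (strpos($name, '\\') !== false) {
        return false;
    }
    // Any ".." path component, anywhere in the name, is a traversal attempt.
    foreach (explode('/', $name) as $component) {
        if ($component === '..') {
            return false;
        }
    }
    return true;
}

function safeExtract($archive, $destination)
{
    $zip = new ZipArchive();
    if ($zip->open($archive) !== true) {
        throw new RuntimeException("cannot open archive: $archive");
    }
    // realpath() canonicalises the destination so the post-extraction check below
    // compares against the directory that was actually written to.
    $realDest = realpath($destination);
    if ($realDest === false || !is_dir($realDest)) {
        $zip->close();
        throw new RuntimeException("destination is not a directory: $destination");
    }

    $accepted = array();
    $rejected = array();
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (zipEntryNameIsSafe($name)) {
            $accepted[] = $name;
        } else {
            $rejected[] = $name;
        }
    }

    // Only vetted names reach extractTo(); a traversal entry such as the
    // "../../../var/www/.../evil.php" from the advisory never gets processed.
    if (count($accepted) > 0 && !$zip->extractTo($realDest, $accepted)) {
        $zip->close();
        throw new RuntimeException("extraction failed for $archive");
    }
    $zip->close();

    // Belt and braces: confirm every written file still resolves under $realDest.
    foreach ($accepted as $name) {
        $written = realpath($realDest . '/' . $name);
        if ($written !== false && strpos($written, $realDest . '/') !== 0 && $written !== $realDest) {
            throw new RuntimeException("entry escaped destination: $name");
        }
    }

    return array('accepted' => $accepted, 'rejected' => $rejected);
}

// Hypothetical usage: paths are placeholders, not from the bug thread.
if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2])) {
    $result = safeExtract($argv[1], $argv[2]);
    echo "extracted: " . count($result['accepted']) . "\n";
    foreach ($result['rejected'] as $bad) {
        echo "rejected unsafe entry name: $bad\n";
    }
}
```

Rejected names are returned rather than silently dropped so that a log line can be emitted for each one; on a server that still runs 5.2.6, an archive containing such names is exactly the event worth alerting on.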
Bump will happen on this Sunday most likely, and it'll either end up being in p.mask or shipping a critical patch. Vanilla 5.2.7 has broken magic_quotes_gpc which may lead to severe security issues or render user-supplied data unusable.
Upstream has dropped 5.2.7 and if we were to ship it with the magic_quotes_gpc fix it would just lead to confusion ("why does Gentoo ship it and upstream has removed it!?"), so we'll be waiting for the hopefully very soon to be released 5.2.8.
php-5.2.8 in the tree, has other security improvements as well. Will provide a list tomorrow and add arches then.

Known test failures with USE="-* cgi cli fastbuild suhosin pcre session":

Bug #30707 (Segmentation fault on exception in method) [Zend/tests/bug30707.phpt]
Bug #31177 (Memory leak) [Zend/tests/bug31177.phpt]
(In reply to comment #4)
> Will provide a list tomorrow and add arches then.

Tomorrow is over for a few days now :P, any news here?
CVE-2008-5658 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5658): Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences.
php-5.2.8-r1 which I've just added to the tree has the following security-relevant improvements:

* This version no longer uses the bundled libpcre, but the system version
* A more complete fix for the c-client-related vulnerabilities (was CVE-2008-2829; no idea whether the old fix was incomplete (I'd suspect so) or whether the new one is just technically better)

Fixes since 5.2.7:

* mod_php avoided proper logging of HTTP-authed users to Apache logs [1]
* Certain XML files could crash scripts relying on certain ext/xml functionality (DoS w/ FastCGI) [2]
* Certain functions in ext/mssql could crash PHP with certain DB contents (DoS w/ FastCGI) [3]
* Missing bounds checking in ext/gd's imagerotate() function allowed for exposure of memory contents (e.g. SSL private keys) w/ mod_php (CVE-2008-5498)
* Crash in ext/openssl when using get_headers() w/ a specific target server configuration (DoS w/ FastCGI)

Fixes since 5.2.6-r7:

* Fix for ZipArchive::extractTo() Directory Traversal (CVE-2008-5658)

... and more, I'll prepare a more exhaustive list in the next few days hopefully...

Arches, please test and mark stable: =dev-lang/php-5.2.8-r1
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

[1] http://bugs.php.net/bug.php?id=46005
[2] http://bugs.php.net/bug.php?id=46699
[3] http://bugs.php.net/bug.php?id=46798
[4] http://bugs.php.net/bug.php?id=46748
(In reply to comment #7)
> php-5.2.8-r1 which I've just added to the tree has the following
> security-relevant improvements:
>
> * This version no longer uses the bundled libpcre, but the system version

I was thinking about adding a check if libpcre has been built with +unicode as 5.2.8 hit me that way :P - just noticed -r1 already has it :) Thanks!
ppc64 done
amd64/x86 stable
ppc stable
Stable for HPPA.
sparc stable
alpha/ia64 stable
GLSA request filed.
CVE-2008-5624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5624):
PHP 5 before 5.2.7 does not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function, which allows context-dependent attackers to bypass safe_mode restrictions via variable settings that are intended to be restricted to root, as demonstrated by a setting of /etc for the error_log variable.

CVE-2008-5625 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5625):
PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictions when safe_mode is enabled through a php_admin_flag setting in httpd.conf, which allows context-dependent attackers to write to arbitrary files by placing a "php_value error_log" entry in a .htaccess file.
CVE-2008-5557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5557):
Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions.

Sorry for the bugspam, but we need to document what we did with those bugs...
CVE-2008-5814 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5814):
Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208.

CVE-2008-5844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5844):
PHP 5.2.7 contains an incorrect change to the FILTER_UNSAFE_RAW functionality, and unintentionally disables magic_quotes_gpc regardless of the actual magic_quotes_gpc setting, which might make it easier for context-dependent attackers to conduct SQL injection attacks and unspecified other attacks.
arm/s390/sh stable
GLSA 201001-03. Thank you everyone, sorry about the delay.