Bug 265756 (CVE-2008-5658) - dev-php5/pecl-zip ZipArchive::extractTo directory traversal (CVE-2008-5658)
Summary: dev-php5/pecl-zip ZipArchive::extractTo directory traversal (CVE-2008-5658)
Alias: CVE-2008-5658
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2009-04-11 12:07 UTC by Christian Hoffmann (RETIRED)
Modified: 2010-12-26 02:27 UTC

See Also:
Package list:
Runtime testing required: ---

Description Christian Hoffmann (RETIRED) gentoo-dev 2009-04-11 12:07:40 UTC
pecl-zip has been providing zip support for PHP, and with some version of PHP (5.2? doesn't matter) it became part of PHP itself and ships with it (ext/zip in the source). This is enabled with USE=zip when building PHP. Several security issues have been reported against PHP with zip support, so pecl-zip is probably also affected, but it has never seen any fixes (last upstream release is from 2007).
We should verify and probably remove pecl-zip.
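The flaw tracked here is a directory traversal in ZipArchive::extractTo: an archive entry named with `../` components or an absolute path could be written outside the extraction directory. The following is an added example, not code from the bug report or from pecl-zip, showing how an application can screen entry names before handing the archive to extractTo; the function names and the sample paths are assumptions.

```php
<?php
declare(strict_types=1);

// Returns true only if an archive entry name is a relative path with no
// ".." component, so it cannot resolve outside the extraction directory.
function isSafeZipEntryName(string $name): bool
{
    if ($name === '') {
        return false;
    }
    // Absolute POSIX path, absolute Windows path or drive letter prefix.
    if ($name[0] === '/' || $name[0] === '\\' || preg_match('/^[A-Za-z]:/', $name) === 1) {
        return false;
    }
    // Treat both separators as path separators and reject any ".." segment.
    foreach (preg_split('#[\\\\/]+#', $name) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

// Extracts only the entries that pass the name check and reports the rest.
// Returns ['extracted' => [...], 'rejected' => [...]].
function safeExtractTo(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $allowed = [];
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (isSafeZipEntryName($name)) {
            $allowed[] = $name;
        } else {
            $rejected[] = $name;   // candidate for logging or alerting
        }
    }
    // Pass the explicit allow-list so extractTo never touches rejected entries.
    if ($allowed !== [] && $zip->extractTo($destDir, $allowed) !== true) {
        throw new RuntimeException("extraction failed for $zipPath");
    }
    $zip->close();
    return ['extracted' => $allowed, 'rejected' => $rejected];
}

// Assumed usage: $report = safeExtractTo('/tmp/upload.zip', '/var/app/unpacked');
```

On a PHP build with a patched ext/zip this check is redundant but harmless; on an unpatched pecl-zip it is the only thing standing between a crafted entry name and a write outside the destination.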
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-04-12 17:11:08 UTC
Confirmed this is vulnerable to CVE-2008-5658. If you do not want to maintain the unbundled zip module, then please mask and remove.
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-12 19:34:37 UTC
Masked and will be removed.

# Christian Hoffmann <> (12 Apr 2009)
# Masked for security (bug 265756), unmaintained upstream (last release
# two years ago), will be removed in 30 days. Use dev-lang/php with
# USE=zip as a replacement, which is actively maintained and has more
# features.
Comment 3 Jaak Ristioja 2010-07-23 08:38:03 UTC
(In reply to comment #2)
> Masked and will be removed.

And was removed.
Comment 4 Matti Bickel (RETIRED) gentoo-dev 2010-12-19 15:15:18 UTC
noglsa? and closing?
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-12-26 02:27:52 UTC
Sounds good.