Bug 474824 (CVE-2008-5658)

Summary: CVE-2008-5658 php: ZipArchive::extractTo() Directory Traversal Vulnerability
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, jorton, mjc, rpm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 08:46:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 494531    
Bug Blocks:    

Description Tomas Hoger 2008-12-05 14:48:59 UTC 
Stefan Esser reported a directory traversal flaw in PHP:

  PHP comes with the zip extension that provides the ZipArchive
  class for zip archive manipulation. During an audit of a large
  scale PHP applications that uses ZipArchive::extractTo() to
  unpack user uploaded zip archives to temporary directories it
  was discovered that ZipArchive::extractTo() does not flatten
  the filenames stored inside the zip archives.

  Therefore it is possible to create zip archives containing
  relative filenames that when unpacked will create or overwrite
  files outside of the temporary directory.

  In the applications like the one in question this results in
  a remote PHP code execution vulnerability, because we are
  able to drop new PHP files in writable directories within
  the webserver's document root directory.

Reference:
http://www.sektioneins.de/advisories/SE-2008-06.txt

Fixed upstream in 5.2.7:
http://www.php.net/ChangeLog-5.php#5.2.7

Upstream fix:
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.62&r2=1.63
Comment 1 Tomas Hoger 2008-12-05 14:52:36 UTC 
This issue does not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1.  PHP version in Red Hat Application Stack v2 is affected.

PHP 5.1.x (RHEL5 and Stack-v1) does not ship zip extension at all.

PHP 4.x (RHEL2.1 - RHEL4) contains zip extension, but it different from the one used in PHP 5.2+ (no ZipArchive class), and requires zzlib library.  This library is not shipped in any version of Red Hat Enterprise Linux, and there PHP packages in RHEL2.1 - RHEL4 are not built with zip extension.
Comment 3 Tomas Hoger 2008-12-18 09:06:11 UTC 
CVE id CVE-2008-5658 was assigned to this issue:

Directory traversal vulnerability in the ZipArchive::extractTo
function in PHP 5.2.6 and earlier allows context-dependent attackers
to write arbitrary files via a ZIP file with a file whose name
contains .. (dot dot) sequences.
Comment 4 errata-xmlrpc 2009-04-14 17:14:46 UTC 
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:0350 https://rhn.redhat.com/errata/RHSA-2009-0350.html
Comment 5 Fedora Update System 2009-05-30 02:34:00 UTC 
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-05-30 02:38:03 UTC 
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.