It was reported that ZipArchive() would segfault when opening an empty archive with the FL_UNCHANGED flag set [1]. This is corrected in upstream PHP 5.3.6 [2],[3]. [1] http://bugs.php.net/bug.php?id=53885 [2] http://www.php.net/ChangeLog-5.php#5.3.6 [3] http://svn.php.net/viewvc/?view=revision&revision=307867
I don't believe this is something that would be exploitable under normal circumstances. For one, the only reference I can find to this FL_UNCHANGED flag is in ZipArchive::getNameIndex(): http://php.net/manual/en/function.ziparchive-getnameindex.php The reproducers noted in the bug use ZipArchive::locateName(), and FL_UNCHANGED is not a documented flag there: http://php.net/manual/en/function.ziparchive-locatename.php

The reproducers are:

PoC1:
php -r '$nx=new ZipArchive();$nx->open("/dev/null");$nx->locateName("a",ZIPARCHIVE::FL_UNCHANGED);'

PoC2:
php -r '$nx=new ZipArchive();$nx->open("empty.zip");$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED);'

I have a hard time believing something like this would be a problem in normal use, and it can certainly be mitigated by making sure that the file is not 0 bytes (a sensible thing to test for on uploaded files anyway). For instance:

% echo 1 >empty.zip
% php -r '$nx=new ZipArchive();$nx->open("empty.zip");$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED);'
PHP Warning: ZipArchive::statName(): Invalid or unitialized Zip object in Command line code on line 2

This also would only affect Red Hat Enterprise Linux 6 and Fedora as earlier versions of PHP do not have this functionality.
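The mitigation suggested in the comment above (reject empty files, and check that the archive actually opened before looking up entries) written out as an added example. This is not code from the bug report or from PHP itself; the file path and entry name are placeholders, and the helper names openZipSafely() and lookupEntry() are my own.

```php
<?php
// Added example (not from the bug report): defensive handling of an uploaded
// zip before it reaches ZipArchive lookups. Path and entry name are placeholders.

function openZipSafely(string $path): ZipArchive
{
    // Reject missing or empty files up front: the crash described in the
    // report needs a 0-byte input (or /dev/null) combined with FL_UNCHANGED.
    if (!is_file($path) || filesize($path) === 0) {
        throw new RuntimeException("refusing to open empty or missing file: $path");
    }

    $zip = new ZipArchive();
    // open() returns true on success, otherwise an integer ZipArchive::ER_* code.
    // CHECKCONS asks libzip to run its consistency checks on the central directory.
    $rc = $zip->open($path, ZipArchive::CHECKCONS);
    if ($rc !== true) {
        throw new RuntimeException("not a usable zip archive (ZipArchive error code $rc)");
    }
    return $zip;
}

function lookupEntry(ZipArchive $zip, string $name): ?array
{
    // Plain lookup with the default flags: FL_UNCHANGED (what the reproducers
    // pass) only matters for archives with pending, unsaved modifications.
    $stat = $zip->statName($name);
    return $stat === false ? null : $stat;
}

// Usage with placeholder values:
try {
    $zip = openZipSafely('/path/to/upload.zip');
    $entry = lookupEntry($zip, 'document.xml');
    if ($entry === null) {
        echo "entry not present\n";
    } else {
        printf("%s: %d bytes (compressed %d)\n",
               $entry['name'], $entry['size'], $entry['comp_size']);
    }
    $zip->close();
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```

With the one-byte "empty.zip" from the comment above, openZipSafely() passes the size check but open() returns an ER_* code rather than true, so the lookup is never reached; that is the ordering a validation layer for uploads should follow in general: size, then open() result, then entry operations.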
This also would affect libzip, mingw32-libzip, and openlierox (the latter contains an embedded libzip, although it is linked to the system libzip so probably does not require a patch). Not too much requires libzip, so this is probably just as "major" there as it is for PHP (abrt-plugin-filetransfer uses libzip, but I suspect to create zip files for uploading, ebook-tools/ebook-tools-libs and fuse-zip also require it; I suspect the problematic package there would be fuse-zip). I'm going to add trackers for libzip and mingw32-libzip.
Created php tracking bugs for this issue Affects: fedora-all [bug 688940]
Created libzip tracking bugs for this issue Affects: fedora-all [bug 688941]
Created mingw32-libzip tracking bugs for this issue Affects: fedora-all [bug 688942]
An additional link with further information: http://securityreason.com/achievement_securityalert/96
This issue did NOT affect the versions of the php package, as shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the version of the php53 package, as shipped with Red Hat Enterprise Linux 5. This issue affects the version of the php package, as shipped with Red Hat Enterprise Linux 6.
I'm closing this as WONTFIX. Nothing shipped in Red Hat Enterprise Linux uses this option. Google code search shows that almost no applications use it ever (the list is very small and obscure). Given this can only crash an application, we will not be fixing this bug as a security flaw.
This was fixed in libzip 0.10 (see http://www.nih.at/libzip/NEWS.html). Fedora 17+ have this, Fedora 16 still ships 0.9.