Maksymilian Arciemowicz reported that PHP's (currently undocumented) ZipArchive::addGlob() does not sanitize the flags argument before passing it to the underlying libc's glob(3) function. When this function is called with a specially crafted argument, this issue can trigger a crash in glob(). On Linux/glibc, this can be reproduced by setting flags to GLOB_APPEND or GLOB_ALTDIRFUNC, which require certain setup of the glob_t structure before glob() is called.

Upstream bug report and commit:
https://bugs.php.net/bug.php?id=54681
http://svn.php.net/viewvc/?view=revision&revision=310814
This is under the full control of the script author, hence may possibly allow safe_mode / open_basedir restrictions.

*** This bug has been marked as a duplicate of bug 169857 ***
Statement: We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see https://bugzilla.redhat.com/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php
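
The crash described in the report comes from forwarding caller-chosen flags straight to glob(3). As an added example (not PHP's patch and not code from this report), the C wrapper below accepts only flags that need no prior glob_t setup; `safe_glob` and `SAFE_GLOB_FLAGS` are hypothetical names, and the flag allow-list is an assumption chosen for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* expose glibc extensions such as GLOB_ALTDIRFUNC */
#endif
#include <errno.h>
#include <glob.h>
#include <stdio.h>
#include <string.h>

/* Flags a caller may pick freely: none of them make glob() read glob_t
 * fields that must have been initialised before the call. */
#define SAFE_GLOB_FLAGS \
    (GLOB_ERR | GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE)

/* Hypothetical wrapper that rejects any flag outside the allow-list.
 * Deliberately excluded: GLOB_APPEND (expects results of an earlier call),
 * GLOB_DOOFFS (expects gl_offs), GLOB_ALTDIRFUNC (expects gl_opendir etc.).
 * Returns glob(3)'s result, or -1 with errno = EINVAL on bad input. */
int safe_glob(const char *pattern, long user_flags, glob_t *out)
{
    if (pattern == NULL || out == NULL ||
        (user_flags & ~(long)SAFE_GLOB_FLAGS) != 0) {
        errno = EINVAL;
        return -1;
    }
    memset(out, 0, sizeof(*out));   /* never hand glob() stale pointers */
    return glob(pattern, (int)user_flags, NULL, out);
}

int main(void)
{
    /* Constructed inputs: one accepted flag set, two rejected ones. */
    long cases[] = { GLOB_MARK | GLOB_NOCHECK, GLOB_APPEND,
                     GLOB_MARK | GLOB_ALTDIRFUNC };
    glob_t g;

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int rc = safe_glob("/constructed-no-such-path-*", cases[i], &g);
        if (rc == -1) {
            printf("flags 0x%lx rejected\n", (unsigned long)cases[i]);
            continue;
        }
        printf("flags 0x%lx -> rc=%d, %zu result(s)\n",
               (unsigned long)cases[i], rc, g.gl_pathc);
        globfree(&g);
    }
    return 0;
}
```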