Vigil@nce - PHP: denial of service via zip_name_locate
February 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can supply an empty ZIP archive in order to force the
ZipArchive zip_name_locate() function to dereference a NULL
pointer.
Severity: 1/4
Creation date: 14/02/2011
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
The PHP ZipArchive module uncompresses ZIP archives.
When the locateName() and statName() methods are used with the
ZIPARCHIVE::FL_UNCHANGED parameter, they call the
_zip_name_locate() function to find a name in the ZIP archive.
However, if the ZIP archive is empty, a NULL pointer is
dereferenced by _zip_name_locate().
An attacker can therefore supply an empty ZIP archive in order to
force an error in the ZipArchive zip_name_locate() function, which
stops the application.
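The condition described above (an archive with no entries, looked up with FL_UNCHANGED) is easy to screen out before the affected libzip code is reached. The following is an added example written for this page, not code from the Vigil@nce bulletin or from PHP's own sources; the function name safeLocateName and the temporary file paths are assumptions. It wraps ZipArchive::locateName() with a check on numFiles, and constructs a minimal empty ZIP inline so the guard can be exercised offline.

```php
<?php
// Added example (not from the Vigil@nce bulletin or from PHP's own source):
// a defensive wrapper around ZipArchive::locateName() that refuses to look up
// names when the archive contains no entries, which is the input the bulletin
// describes. Updating PHP is the real fix; this guard only avoids reaching the
// affected code path on builds that are not yet patched.

/**
 * Look up $name in the archive at $path. Returns the entry index, or false
 * when the archive cannot be opened, is empty, or does not contain $name.
 */
function safeLocateName(string $path, string $name, int $flags = 0)
{
    $zip = new ZipArchive();
    $rc = $zip->open($path);          // true on success, or a ZipArchive::ER_* code
    if ($rc !== true) {
        error_log("safeLocateName: cannot open $path (error code $rc)");
        return false;
    }

    // Empty archive: there is nothing to locate, and with FL_UNCHANGED this is
    // exactly the input that reaches the NULL dereference in _zip_name_locate().
    if ($zip->numFiles === 0) {
        error_log("safeLocateName: $path contains no entries, refusing lookup");
        $zip->close();
        return false;
    }

    $index = $zip->locateName($name, $flags);
    $zip->close();
    return $index;
}

// Constructed sample input: a minimal ZIP file consisting only of the
// End Of Central Directory record (signature PK\x05\x06 followed by 18
// zero bytes), i.e. a syntactically valid archive with zero entries.
$emptyZip = sys_get_temp_dir() . '/empty-sample.zip';
file_put_contents($emptyZip, "PK\x05\x06" . str_repeat("\x00", 18));

// The guard short-circuits before locateName() is called.
var_dump(safeLocateName($emptyZip, 'index.php', ZipArchive::FL_UNCHANGED));

// Constructed sample input: a one-entry archive, to show the normal path.
$realZip = sys_get_temp_dir() . '/one-entry-sample.zip';
$w = new ZipArchive();
$w->open($realZip, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$w->addFromString('index.php', '<?php echo "hello";');
$w->close();

// Non-empty archive: the lookup proceeds and the entry index is returned.
var_dump(safeLocateName($realZip, 'index.php', ZipArchive::FL_UNCHANGED));
```

The numFiles check is deliberately placed before any call that takes the FL_UNCHANGED flag; applications that accept user-supplied archives should treat an empty archive as invalid input and log it, rather than passing it on to locateName() or statName().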
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PHP-denial-of-service-via-zip-name-locate-10363