Date: Tue, 18 Oct 2016 14:14:26 +0200
From: Remi Collet <remi@...oraproject.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE assignment for PHP 5.6.27 and 7.0.12

On 18/10/2016 at 14:06, Adam Maris wrote:
> On 18/10/16 09:42, Lior Kaplan wrote:
>> Hi,
>>
>> Please assign a CVE for the following issue:
>>
>> Bug #73147    Use After Free in unserialize()
>> https://bugs.php.net/bug.php?id=73147
>> http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
>>
>>
>> Thanks,
>>
>> Kaplan
>>
> 16 bugs marked as 'security' were fixed in PHP 5.6.27, of which only one
> has a CVE assigned.
> Here you request a CVE for another issue (even though the documentation
> says it's unsafe to use unserialize on untrusted input).
> 
> Are you planning to obtain CVEs also for the other security bugs, or do
> you treat the rest as CVE-unworthy? Or are reporters/community supposed
> to do it?

All the remaining bugs, despite being reported as security issues, involve
some very big strings to reproduce (~2GB).

This is prevented by any decent memory_limit value,
and by max_input_size for remote access.


Remi


P.S. Just my 0,02€, but indeed, CVE-unworthy.

> Thanks!
> 