Date: Tue, 18 Oct 2016 14:14:26 +0200 From: Remi Collet <remi@...oraproject.org> To: oss-security@...ts.openwall.com Subject: Re: CVE assignment for PHP 5.6.27 and 7.0.12 Le 18/10/2016 à 14:06, Adam Maris a écrit : > On 18/10/16 09:42, Lior Kaplan wrote: >> Hi, >> >> Please assign a CVE for the following issue: >> >> Bug #73147 Use After Free in unserialize() >> https://bugs.php.net/bug.php?id=73147 >> http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f >> >> >> Thanks, >> >> Kaplan >> > 16 bugs marked as 'security' were fixed in php 5.6.27 of which only one > has CVE assigned. > Here you request CVE for another one issue (even the documentation says > it's unsafe to use > unserialize on untrusted input). > > Are you planning to obtain CVEs also for other security bugs or do you > treat the rest as > CVE-unworthy? Or are reporters/community supposed to do it? All the remaining bugs, despite reported as security issue, involved some very big strings to reproduce (~2GB) Which is prevented by any decent memory_limit value And by max_input_size for remote access. Remi P.S. just my 0,02€, but indeed, CVE-unworthy > Thanks! > Download attachment "signature.asc" of type "application/pgp-signature" (247 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ