Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Aug 2008 16:45:00 +0100
From: Joe Orton <>
To: Christian Hoffmann <>
Subject: Re: CVE request: php-5.2.6 overflow issues

On Fri, Aug 08, 2008 at 04:55:37PM +0200, Christian Hoffmann wrote:
> On 2008-08-08 16:01, Joe Orton wrote:
>> The explode() bug could only be triggered if a script passed a 
>> delimiter from untrusted script input without sanitizing/checking it 
>> first, which is fairly pathological behaviour.  I would call that a 
>> script bug, not an issue in the PHP interpreter.
> Ok, sounds reasonable.
> No idea whether a CVE should be assigned anyway -- if it does indeed  
> allow for (local) code execution, that'd effectively mean bypass of  
> safe_mode/open_basedir. Such issues already got CVEs assigned in the  
> pass, so I guess this one should as well.

We (Red Hat) don't consider bugs which allow bypass of safe_mode or 
open_basedir to be security issues; opinions here vary but having a CVE 
name is useful anyway so that the issue can be identified definitively.

Regards, Joe

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.