Date: Thu, 17 Dec 2009 20:33:31 +0000 From: Joe Orton <jorton@...hat.com> To: Raphael Geissert <geissert@...ian.org> Cc: oss-security@...ts.openwall.com Subject: Re: CVE request: php5: multiple issues On Thu, Dec 17, 2009 at 01:23:33PM -0600, Raphael Geissert wrote: > I think a cross-vendor security support and tracking effort for php5 > is needed. The number of issues silently fixed are a continuous risk, > leaving users exposed. What does the others think? The problem we face is the ambiguity around the threat model for the PHP interpreter. If you assume that the PHP interpreter should be robust against attack from a malicious script (or its author), then a vast number of bugs can be considered a security vulnerability. Even if you assume that the PHP interpreter - and scripts using it - should be robust only against attack from a remote user, it is often still difficult to draw the line between a script bug and an interpreter/extension bug. Doing so requires interface documentation which specifies API preconditions and guarantees with greater precision than is usually available. So whether or not security issues are being "silently fixed" depends a lot on your frame of reference. Ideally any effort to improve the lack of transparency around PHP security would start by working with upstream to a) define a threat model and b) improve strictness of API/quality of code in the context of that model. I wouldn't underestimate the time and effort that would require ;) Using this list to track and share analysis of published issues is certainly helpful, but I'm not sure what more we can/should do independent of upstream to improve the situation - any specific ideas you had? Regards, Joe
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.