Date: Sun, 25 Sep 2011 11:49:41 +0200 From: Pierre Joye <pierre.php@...il.com> To: Stas Malyshev <smalyshev@...arcrm.com> Cc: Vincent Danen <vdanen@...hat.com>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "security@....net" <security@....net> Subject: Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 On Sun, Sep 25, 2011 at 11:18 AM, Stas Malyshev <smalyshev@...arcrm.com> wrote: > I'm concerned that if we do it this way people would take it as "PHP has > security bug in is_a and it was fixed in this version, so as long as we run > updated version we're OK", not "my code has gaping security hole which by > pure luck wasn't exploitable but minor change made it exploitable". If we > don't make it crystal clear the latter and not the former is the case, we'd > have same problem with 5.4. That's a valid concern however it is another matter. My suggestion would be: - get a CVE and assign it to the bug - be sure to get the right information in the CVE . about why it is not a flaw in php itself per se but a behavior change that could introduce a flaw in existing php scripts . these php scripts were not following our guidance or good practice guide - Be sure we update the upgrade guide, the NEWS file, the documentation and the announce to clearly explain and define this problem and its consequences Cheers, -- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.