Newsgroups: php.internals
Xref: news.php.net php.internals:96710
Date: Wed, 2 Nov 2016 19:36:13 +0000
Subject: Re: [PHP-DEV] bug classification discussion
From: Jakub Zelenka <bukka@php.net>
To: Stanislav Malyshev
Cc: PHP Internals, Remi Collet
In-Reply-To: <1ae4bea0-d62b-fd61-f6b6-55762e97df6e@gmail.com>

Hi,

On Mon, Oct 24, 2016 at 6:23 AM, Stanislav Malyshev wrote:
> Hi!
>
> We have had a bunch of bugs recently which are essentially one and the
> same issue: PHP 5.6 allows only int-sized strings, but many functions
> don't check the size of the string they produce. This can lead to int
> overflows inside php and also can break other libraries that also assume
> string sizes are ints and this can cause all kinds of weirdness.
> However, these bugs are very unlikely to manifest in a production setting
> for one simple reason - they require PHP to run with no memory limit,
> and I haven't seen many setups that run with no memory limit. I'm not
> going to go into specifics here, since some of the issues are still not
> fixed, but you can talk to me privately if you need examples or browse
> changelogs of later 5.6 releases.
>
> A twin brother of this is in 7.0 where there are just integer overflows
> in string size calculations. Usually that requires huge strings as
> inputs, so also requires running with no memory limit.
>
> These bugs are now treated as security issues, due to the fact that in
> theory somebody might be running with no memory limit and get a huge
> string as an input from a user. However, it was questioned that we indeed
> should treat them so, due to the fact that encountering them in
> production is unlikely, and due to the fact that they require patching
> in many places, and merging those fixes out-of-band creates significant
> potential for bugs.
>

I would probably treat them as low severity issues. It means just not disclosing them until they are fixed and letting the RM decide if they want to pull them to the branches for security fixes only. The thing is that it might take time till they are fixed, so better not to keep them publicly visible.

Cheers
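As an added illustration of the bug class discussed in this thread (constructed for this page, not code from the thread or from PHP itself): an escaping routine whose output-size calculation wraps in 32-bit arithmetic for a 1 GiB input, beside a checked version that refuses the length, plus a simplified model of why a memory_limit stops such an input from existing in the first place. The function names and the 4x expansion factor are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not PHP source: an escaping routine in which every
 * input byte may expand to at most EXPANSION output bytes, so the output
 * buffer needs in_len * EXPANSION + 1 bytes. */
#define EXPANSION 4u

/* Unchecked 32-bit size calculation of the kind the thread describes.
 * PHP 5.6 kept lengths in a signed int; unsigned is used here so that the
 * wrap is well-defined and observable instead of undefined behaviour. */
unsigned int escaped_size_unchecked(unsigned int in_len)
{
    return in_len * EXPANSION + 1u;   /* wraps from in_len = 1 GiB onwards */
}

/* Checked variant: compute in size_t and refuse any length whose product
 * cannot be represented, so no undersized buffer is ever allocated.  The
 * same bound covers 7.0, where lengths are size_t but can still overflow. */
bool escaped_size_checked(size_t in_len, size_t *out_size)
{
    if (in_len > (SIZE_MAX - 1u) / EXPANSION) {
        return false;
    }
    *out_size = in_len * EXPANSION + 1u;
    return true;
}

/* Simplified model of why this rarely reaches production: the input string
 * must be allocated first, and a memory_limit refuses an allocation that
 * large before any length can wrap.  0 stands for no limit (memory_limit=-1). */
bool input_allowed_by_memory_limit(size_t in_len, size_t memory_limit)
{
    return memory_limit == 0 || in_len <= memory_limit;
}

int main(void)
{
    unsigned int big = 1u << 30;                 /* a 1 GiB input string */
    size_t need = 0;

    printf("unchecked size for 1 GiB input: %u\n", escaped_size_unchecked(big));
    printf("checked size: %s\n",
           escaped_size_checked(big, &need) ? "computed" : "rejected");
    printf("1 GiB input allowed under memory_limit=128M: %s\n",
           input_allowed_by_memory_limit(big, (size_t)128 << 20) ? "yes" : "no");
    return 0;
}
```

The unchecked routine reports that a 1 GiB input needs a 1-byte output buffer; the checked one returns a usable size for small inputs and false for lengths that cannot be represented.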