Newsgroups: php.internals
Xref: news.php.net php.internals:101116
Subject: Re: [PHP-DEV] PHP 7.2.0 RC6 Released
From: nikita.ppv@gmail.com (Nikita Popov)
Date: Thu, 9 Nov 2017 20:25:15 +0100
To: Giovanni Giacobbi
Cc: Thomas Hruska, Sara Golemon, PHP internals

On Thu, Nov 9, 2017 at 7:07 PM, Giovanni Giacobbi wrote:
> On 9 November 2017 at 18:46, Thomas Hruska wrote:
>
>> On 11/9/2017 7:36 AM, Sara Golemon wrote:
>>
>>> The sixth (and likely final) release candidate for 7.2.0 was just
>>> released and can be downloaded from:
>>> https://downloads.php.net/~pollita/
>>> Or using the git tag: php-7.2.0RC6
>>>
>>> Barring unforeseen calamity, everyone should expect 7.2.0-final on
>>> Thursday, November 30th.
>>
>> Issue #73535? I consider letting a known security vulnerability that goes
>> largely unaddressed but persists into the next major version of a software
>> product to be quantifiable as a calamity of sorts. It's fast approaching a
>> full year without any resolution in sight. Many people would have zero
>> day-ed the issue by this point at whatever conferences have come and gone
>> (Black Hat, DEF CON, etc.) to grab some quick notoriety. I don't believe
>> that zero day-ing a vulnerability on a stage is the right solution for a
>> garden variety of reasons.
>
> This is utterly disappointing considering that bug #73535 is marked as
> private and I couldn't easily gather more information about this bug on
> Google. Since I have the feeling this is an open secret, can you disclose
> more information and proposed patches so that sysadmins can assess by
> themselves the risks, mitigation techniques, and whether to patch their own
> installations?
>
> I guess the dev team wouldn't leave us with our pants down, so I expect
> this to be of difficult exploitability. Anyway, after a year it's time for
> full disclosure, don't you think?

So as to avoid unnecessary fearmongering, this refers to a denial-of-service
vulnerability requiring specific application code. If your code implements a
certain operation in a specific way, it may be possible to make it go into an
infinite loop based on remote interaction. Apart from the increased server
load, this is not dangerous. (Of course, if someone is actively using this
against you, you'd notice...)

Nikita