Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:101117
Return-Path: <php@golemon.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 15570 invoked from network); 9 Nov 2017 21:50:37 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 9 Nov 2017 21:50:37 -0000
Authentication-Results: pb1.pair.com header.from=php@golemon.com; sender-id=softfail
Authentication-Results: pb1.pair.com smtp.mail=php@golemon.com; spf=softfail; sender-id=softfail
Received-SPF: softfail (pb1.pair.com: domain golemon.com does not designate 209.85.220.182 as permitted sender)
X-PHP-List-Original-Sender: php@golemon.com
X-Host-Fingerprint: 209.85.220.182 mail-qk0-f182.google.com  
Received: from [209.85.220.182] ([209.85.220.182:43283] helo=mail-qk0-f182.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F1/8D-15386-5ADC40A5 for <internals@lists.php.net>; Thu, 09 Nov 2017 16:50:29 -0500
Received: by mail-qk0-f182.google.com with SMTP id 78so9637799qkz.0
        for <internals@lists.php.net>; Thu, 09 Nov 2017 13:50:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=golemon-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=IGYLxTmD/XhjwrCsDF+/J/RV6pK02jxoK4yu1l7HgP8=;
        b=pF0sni0Yb1y61WB0+PdTR5w2JKO9/spILHnQQtrkhl4z9wuLl/4l4rESVn0839vz1R
         QCDYvYqNQ6eAsob5FNRLmXds8fsd7AqT3vYTgdOwcPr1WrGWBUACcS8vott2I3iHXjwD
         IbZW3/LEvUwJnduSokVld4VX7Nht7bgPGQnAO+3LFNE5Bl1Byvy9f4NKnYX1gAAwUFCA
         nqPQuzLgPwj4R7rDED01IU0RMW6kTemg7M1zYYhEfXSw+uamropjhOxXU5yMUaNGvLu0
         C8l2yjllTa3EfamTCEL8ExqAXgB7tDwdsCrrVl1Qd3EQl7PyQR26uRo5Jmz5i8Q4qmNC
         G3yw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=IGYLxTmD/XhjwrCsDF+/J/RV6pK02jxoK4yu1l7HgP8=;
        b=uCD4EZPtfsJQRCRxZHsNIANcFc6NQ5/E5vFSo/HTsp2PtOpDnu02DyTnWW0sbRMZA/
         H4uCTPfjgpDz3U4guBzCy/7aaXMZcdDiUcTa42e0JlNYtFbyoNb7Ubp5OhyiAlSOfjSM
         Nky3iZXTi2PCD23cQRwEFwWJS8L23R6wukdAEZyHXgcY9Tp/eVfnFi9iyxXRUVeZoCqV
         aY/qs1zGIXktnouvWXs7RShKnsrbbT7y2x4PXpMDfgQzwjFGkjtWrkoTyr2Z1DY84vL/
         Rzi/iUJKtY2L9KwZ3YhVhPJoRMLAQuo5/5FUUKvTRd2lPhW8tw5QuanxWnLNVducBCuN
         qmGA==
X-Gm-Message-State: AJaThX5Yg4lnV+AjorVzOa5WJMW5lai5VrChrstNk8siS8uWBlZOuETM
	196NKmGgWLsOkL41rj9YuMmYE0r6pHK5d7/c8O+trw==
X-Google-Smtp-Source: ABhQp+TpSwtLt5cQYWXzcK3B35f0UdE3o+4xdAI3E9kbw5wx2iMOQD8Uf1X7PpM2c/RcFBf79JQq4PrVzasb//GTFNE=
X-Received: by 10.55.101.4 with SMTP id z4mr3251374qkb.114.1510264226224; Thu,
 09 Nov 2017 13:50:26 -0800 (PST)
MIME-Version: 1.0
Sender: php@golemon.com
Received: by 10.12.156.1 with HTTP; Thu, 9 Nov 2017 13:50:25 -0800 (PST)
X-Originating-IP: [2a02:c7d:8e68:9d00:a0b7:ce65:f0b3:dfb3]
In-Reply-To: <CAF+90c9pQ_mvG30T81LYYhH9o4rJqC_FhJndHsGK_m9SDo4BgQ@mail.gmail.com>
References: <CAESVnVodb3=ANb-5ZY5p5_SpLsbE7JQJ7+BEzmX-A8U=TbBYnw@mail.gmail.com>
 <eabb8265-c82b-16da-82af-e9d9669fe7ac@cubiclesoft.com> <CAML1Pf7_WZJOo3Hma7Qdi3wztoi6RNw_C-YmNRJaL54r7n5SjA@mail.gmail.com>
 <CAF+90c9pQ_mvG30T81LYYhH9o4rJqC_FhJndHsGK_m9SDo4BgQ@mail.gmail.com>
Date: Thu, 9 Nov 2017 16:50:25 -0500
X-Google-Sender-Auth: xOezr8Rx_RmB0nI4AewBhtMM93A
Message-ID: <CAESVnVoq_OSUjz+o5aFmrh8=dq5g1CB6d10EK3dDyb7FBu55vQ@mail.gmail.com>
To: Nikita Popov <nikita.ppv@gmail.com>
Cc: Giovanni Giacobbi <giovanni@giacobbi.net>, Thomas Hruska <thruska@cubiclesoft.com>, 
	PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [PHP-DEV] PHP 7.2.0 RC6 Released
From: pollita@php.net (Sara Golemon)

On Thu, Nov 9, 2017 at 2:25 PM, Nikita Popov <nikita.ppv@gmail.com> wrote:
>> This is utterly disappointing considering that bug #73535 is marked as
>> private and I couldn't easily gather more information about this bug on
>> google. Since I have the feeling this is an open secret can you disclose
>> more information and proposed patches so that sysadmins can assess by
>> themselves the risks, mitigation techniques, and whether to patch their
>> own
>> installations?
>>
>> I guess the dev team wouldn't leave us with our pants down, so I expect
>> this to of difficult exploitability. Anyway, after a year it's time for
>> full disclosure, don't you think?
>
>
> So as to avoid unnecessary fearmongering, this refers to a denial-of-service
> vulnerability requiring specific application code. If your code implements a
> certain operation in a specific way, it may be possible to make it go into
> an infinite loop based on remote interaction. Apart from the increased
> server load, this is not dangerous. (Of course, if someone is actively using
> this against you, you'd notice...)
>
Agree with Niki that this isn't going to be commonly exploitable, and
has likely existed for a significant range of versions.  Given that,
I'm going to say it probably won't (by itself) merit pushing back GA
at this stage.  That said, it should be addressed sooner rather than
later as it looks like we're not surfacing good information to
userspace under these circumstances.

-Sara