Newsgroups: php.internals
Subject: Re: [PHP-DEV] Anyone against requiring libxml2 2.6.x for PHP5.1?
From: rasmus@lerdorf.com (Rasmus Lerdorf)
Date: Wed, 16 Feb 2005 08:38:37 -0800
To: Zeev Suraski
CC: PHPdev
Message-ID: <4213770D.10604@lerdorf.com>
In-Reply-To: <5.1.0.14.2.20050216120637.0afc75f0@localhost>

Zeev Suraski wrote:
> Well, I do, I think it's actually much more important than forcing a
> fairly small subset of the users to update PHP when there's a new
> security-related version of libxml2 coming out (for most of the users,
> local exploits are of no interest, it's mostly interesting to hosting
> providers, so most libxml2 issues are not very relevant to the majority
> of PHP users).

Given the way XML is used in xmlrpc and SOAP systems, I don't think I
would classify a security problem in libxml as a local exploit. Much
more so than any other library, libxml2 is going to be reading remote
XML data and acting on the contents, so chances are any security problem
in it is going to lead to a remote exploit.

For example, a recent one:

http://seclists.org/lists/fulldisclosure/2004/Nov/0084.html

With an exploit here:

http://www.k-otik.com/exploits/20041026.libxml2.c.php

-Rasmus