Newsgroups: php.internals
Xref: news.php.net php.internals:27388
Message-ID: <45A6A524.20404@zend.com>
Date: Thu, 11 Jan 2007 12:59:16 -0800
Organization: Zend Technologies
From: stas@zend.com (Stanislav Malyshev)
To: Stefan Esser
CC: internals@lists.php.net
References: <20070111144144.GV15998@mint.phcomp.co.uk> <45A65B19.40900@lerdorf.com> <45A6600D.1090500@hardened-php.net> <45A67E74.1080904@zend.com> <45A6891E.8070302@hardened-php.net>
In-Reply-To: <45A6891E.8070302@hardened-php.net>
Subject: Re: [PHP-DEV] Comments on PHP security

> First of all, the PHP group is doing nothing. Neither do they improve PHP's
> security nor do they stop well-known PHP license abusers (because they
> are friends).

OK, that's just not true, and it is obvious to anybody with access to the
commit logs (namely, everybody) - bugs are getting fixed and improvements
are getting done. You may argue they are not enough, but you certainly
cannot claim that nothing at all is done.

As for the alleged license abuse, I am aware of your sensitivity in this
regard; however, this has nothing to do with the subject of security, so it
would be very good if we stick to the subject.

> And do I need to remind you about a certain bug in the new super duper
> Zend Memory manager that results in a far too small buffer being allocated?

Actually, yes, you do - I don't remember any unfixed bugs in Zend MM, so if
you know of an unfixed vulnerability there, please do remind me about it -
preferably through the security list, of course, so all the usual people
see it.

> against PHP. And god knows how many other places are vulnerable because
> of the new "improved" Zend Memory Manager.

If you have ideas on how to make it work better, you are more than welcome
to discuss it. By "discuss" I mean the thing regular people mean - exchange
ideas, evaluate their merits and hopefully reach a decision that is best for
all, not that one participant calls others liars, morons and useless
marketing droids, dismisses everything they say as propaganda and refuses to
contribute anything. Any discussion in the former sense is more than
welcome; if you want to help, you can write your proposals to me, for
example. Last time I asked about this I got a response along the lines of
"why should I help?". However, the door is still very much open.

> And what about the heap underflow bug in ext/filter... Also not a remote
> exploit?

Again, I was under the impression the underflow bug was fixed. If you know
about another, unfixed one - please... you know.

> The fact that you do not know about any remote exploit against PHP is
> quite irrelevant for reality.

I can't avoid noticing that you forgot to answer my question. To remind
you, my question was not "does my knowledge seem adequate to you". My
question was "what did you mean by recognizing the reality by the PHP group
and what do you propose to do". Could you please try again?

-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/