Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:32371 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 98915 invoked by uid 1010); 18 Sep 2007 20:50:56 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 98900 invoked from network); 18 Sep 2007 20:50:56 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 18 Sep 2007 20:50:56 -0000 Authentication-Results: pb1.pair.com header.from=seanius@seanius.net; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=seanius@seanius.net; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain seanius.net from 66.93.22.232 cause and error) X-PHP-List-Original-Sender: seanius@seanius.net X-Host-Fingerprint: 66.93.22.232 cobija.connexer.com Received: from [66.93.22.232] ([66.93.22.232:35877] helo=cobija.connexer.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id DA/C7-56209-F2A30F64 for ; Tue, 18 Sep 2007 16:50:55 -0400 Received: from rangda.local (h-234-204.A189.cust.bahnhof.se [81.170.234.204]) by cobija.connexer.com (Postfix) with ESMTP id 6BD1217C2E1; Tue, 18 Sep 2007 16:50:52 -0400 (EDT) To: internals@lists.php.net Date: Tue, 18 Sep 2007 22:52:04 +0200 User-Agent: KMail/1.9.7 Cc: Stanislav Malyshev References: <200709182130.44018.seanius@seanius.net> <46F02CDD.50706@zend.com> In-Reply-To: <46F02CDD.50706@zend.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1553441.4oQ4xp419h"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-ID: <200709182252.11222.seanius@seanius.net> Subject: Re: [PHP-DEV] CVE-2007-4840 From: seanius@seanius.net (sean finney) --nextPart1553441.4oQ4xp419h Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Tuesday 18 September 2007 09:54:05 pm Stanislav Malyshev wrote: > > i'm just going through the latest batch of CVE's and it doesn't look li= ke > > there's a fix for CVE-2007-4840 yet: > > It's funny that glibc bug gets listed as PHP issue. But I think we may > impose limit on charset length for iconv. ah, so it's a glibc issue then? istr a similar thing come up with truetype= =20 fonts that ended up being a bug in the tr1 lib, but because the PoC used ph= p=20 it was classified as a php vulnerabity. if it's the same case here then i= =20 think the onus is on glibc... /me goes to r some tfm and headers... sean --nextPart1553441.4oQ4xp419h Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQBG8Dp7ynjLPm522B0RAipnAJsFvWz98F6WWPtGaTIK7pUi9/j8cACeKG1p i1spXJ8rWocpRqmkMIF73qI= =Ww+h -----END PGP SIGNATURE----- --nextPart1553441.4oQ4xp419h--