Newsgroups: php.internals
Date: Thu, 20 Feb 2014 19:43:31 +0900
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: internals@lists.php.net
Subject: Re: [VOTE] Multibyte char handling - Remove vulnerability related to multibyte short and long term

Hi all,

On Mon, Feb 10, 2014 at 12:56 PM, Yasuo Ohgaki wrote:
>
> Short term: Multibyte Char Handling
> https://wiki.php.net/rfc/multibyte_char_handling
> Add functions required to resolve security issues. CVE-2014-1239
> https://wiki.php.net/rfc/multibyte_char_handling#vote

Vote is declined 2 vs 10.

>
> Long term: Alternative implementation of mbstring using ICU
> https://wiki.php.net/rfc/altmbstring
> We need multibyte feature as default. However, current mbstring has
> license issues. Resolve license issues by alternative mbstring in the
> future. Introduce mbstring-ng as EXPERIMENTAL module for further
> development, testing, feedback from users.

Vote is declined 1 vs 10.

Thank you all for voting!

I do not care much about the long-term solution, but about the short-term solution.

It seems there is a misunderstanding of how vulnerabilities should be evaluated by developers.

If one is a developer of a product, a vulnerability should be evaluated only by its *consequence*, not by the probability, the number of affected users, etc. One should not evaluate his/her product's vulnerability as a user. If a user is not affected, no vulnerabilities are important, even a vulnerability that executes arbitrary code.

This is a bug that may allow attackers to execute their code. The consequence is fatal.

I hope everyone follows this vulnerability evaluation principle next time. I'm sure this is good for us ;)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net