Newsgroups: php.internals
Subject: Re: [VOTE] Multibyte char handling - Remove vulnerability related to multibyte short and long term
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net
Date: Thu, 20 Feb 2014 19:55:13 +0900

Hi all,

On Thu, Feb 20, 2014 at 7:43 PM, Yasuo Ohgaki wrote:
> On Mon, Feb 10, 2014 at 12:56 PM, Yasuo Ohgaki wrote:
>
>> Short term: Multibyte Char Handling
>> https://wiki.php.net/rfc/multibyte_char_handling
>> Add functions required to resolve security issues. CVE-2014-1239
>
> https://wiki.php.net/rfc/multibyte_char_handling#vote
>
> Vote is declined 2 vs 10.
>
>> Long term: Alternative implementation of mbstring using ICU
>> https://wiki.php.net/rfc/altmbstring
>> We need the multibyte feature as default. However, current mbstring has
>> license issues. Resolve license issues by an alternative mbstring in the
>> future. Introduce mbstring-ng as an EXPERIMENTAL module for further
>> development, testing, and feedback from users.
>
> Vote is declined 1 vs 10.
>
> Thank you all for voting!
>
> I do not care much about the long term solution, but about the short term solution.
>
> It seems there is a misunderstanding of how vulnerabilities should be
> evaluated by developers. If one is a developer of a product, a vulnerability
> should be evaluated only by *consequence*, not by probability, number of
> affected users, etc.
>
> One should not evaluate his/her product's vulnerability as a user. If
> the user is not affected, no vulnerability is important, even if it is a
> vulnerability that executes arbitrary code. This is a bug that may allow
> attackers to execute their code. The consequence is fatal. I hope everyone
> follows this vulnerability evaluation principle next time. I'm sure this is
> good for us ;)

I forgot to ask what we should do for this bug.

Thank you for your suggestions!

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net