From: remi@fedoraproject.org (Remi Collet)
To: internals@lists.php.net
Date: Fri, 28 Oct 2016 11:18:19 +0200
Subject: Re: [PHP-DEV] bug classification discussion

On 24/10/2016 at 07:23, Stanislav Malyshev wrote:
> Hi!
>
> We have had a bunch of bugs recently which are essentially one and the
> same issue: PHP 5.6 allows only int-sized strings, but many functions
> don't check the size of the string they produce. This can lead to int
> overflows inside php and also can break other libraries that also assume
> string sizes are ints and this can cause all kinds of weirdness.
> However, these bugs are very unlikely to manifest in production setting
> for one simple reason - they require PHP to run with no memory limit,
> and I haven't seen many setups that run with no memory limit. I'm not
> going to go into specifics here, since some of the issues are still not
> fixed, but you can talk to me privately if you need examples or browse
> changelogs of later 5.6 releases.
>
> A twin brother of this is in 7.0 where there are just integer overflows
> in string size calculations. Usually that requires huge strings as
> inputs, so also requires running with no memory limit.
>
> These bugs are now treated as security issues,

My main concern is not to know if we treat these bugs as security or not.

It is mainly about "classification", and I think "low" risk bugs should be
fixed using the normal bug process (going in RC versions) rather than a
specific process (fixed only at GA time), which should be reserved for
higher risk bugs.

Remi