Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96632
Return-Path: <pthreads@pthreads.org>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33291 invoked from network); 28 Oct 2016 10:03:56 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 28 Oct 2016 10:03:56 -0000
Authentication-Results: pb1.pair.com header.from=pthreads@pthreads.org; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=pthreads@pthreads.org; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain pthreads.org from 74.125.82.41 cause and error)
X-PHP-List-Original-Sender: pthreads@pthreads.org
X-Host-Fingerprint: 74.125.82.41 mail-wm0-f41.google.com  
Received: from [74.125.82.41] ([74.125.82.41:38643] helo=mail-wm0-f41.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 90/41-15170-B8223185 for <internals@lists.php.net>; Fri, 28 Oct 2016 06:03:56 -0400
Received: by mail-wm0-f41.google.com with SMTP id n67so103183713wme.1
        for <internals@lists.php.net>; Fri, 28 Oct 2016 03:03:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=pthreads-org.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=TDfnm+VdE2ypY8H1tAcWg9WXdUFmxjuYasqu2rrbFjI=;
        b=NngBKE1ShXVa3pmoMwuaabCEVIEfgUToOzZsF6PGgJSQCYXAzzHtFqpyAbvan11cEv
         xWAFr4gCd8efF5w+vfG2UKVObb8+jsym6Ye16ov0mVfnJOruzHEEzIyPerF+fNQwOl3r
         1Lqn3oPZ8hJ5WpU4fNPgHMGRSgWKd461Z/7oyfTZpfZ+OwKe8vVFHosUGriTrrS2X4Rw
         IxAkX59OXmL7k1MymyWuSFbFw2TVkafkeuEdyaXjzyjFiVeo4lpwoPMtbOwJnG6jvoeR
         9ERiehvcgZvHaug7/jvu1jcRU4hZ2z36GcIhReO1V0idGWkcuKoH/acbIumeGotl/hxb
         +sJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=TDfnm+VdE2ypY8H1tAcWg9WXdUFmxjuYasqu2rrbFjI=;
        b=XakzNP8Zeqza8iAXjf5wl5xuPf9jHfduPUSccX0nG/DcDXRQIAZ1Zo99v/UuDUVO2r
         LkVJr1Kqg+OWAu1qNhypBF+d2RnL4LnANS5w7sJpfnZKNk3eznShzJam86Fr/CK8biE7
         KoRgaZI0imAMsJ4SL2KA2hEtbnC3hz6d2jX2m3cR9k3VrIHMufe5Zpws1FGkl6Eb0azf
         g7C6M0WCP116BuUjhMLHmZCG8bY9YK5athBKUm/LsLxjJIF5/ru6KWiCGvgf5NNJa08N
         3UTYszePzD/At5kXzKDkd5lSiw1B9aNehdcM1LYjFCLW8MAUxYiI3s4alZyo5s8iwh2d
         vXig==
X-Gm-Message-State: ABUngvd1+tolL6mJ959GUjAN2LPrZGhyHA8nq7P9F8tYmNd5nb1on6k0v0MFESR7sIEaG+NBJKqioM1MJuFAQg==
X-Received: by 10.194.116.225 with SMTP id jz1mr11012116wjb.224.1477649032541;
 Fri, 28 Oct 2016 03:03:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.80.161.230 with HTTP; Fri, 28 Oct 2016 03:03:51 -0700 (PDT)
X-Originating-IP: [109.157.179.157]
In-Reply-To: <573da963-6121-3231-b603-4c5d6b332c9d@fedoraproject.org>
References: <1ae4bea0-d62b-fd61-f6b6-55762e97df6e@gmail.com> <573da963-6121-3231-b603-4c5d6b332c9d@fedoraproject.org>
Date: Fri, 28 Oct 2016 11:03:51 +0100
Message-ID: <CAL=_i_=D1wSv6NjoQJQiVCo_1ZnQ6eJnZmFom6LwKU6RdyEC_w@mail.gmail.com>
To: Remi Collet <remi@fedoraproject.org>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a1130ca92b00f3f053fe9f91f
Subject: Re: [PHP-DEV] bug classification discussion
From: pthreads@pthreads.org (Joe Watkins)

--001a1130ca92b00f3f053fe9f91f
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Morning,

    Trying to re-shape our own classification system seems like a good idea=
.

    I have no good idea of how to write such a document, would be happy to
review (and make other people review) if someone were to start.

Cheers
Joe

On Fri, Oct 28, 2016 at 10:18 AM, Remi Collet <remi@fedoraproject.org>
wrote:

> Le 24/10/2016 =C3=A0 07:23, Stanislav Malyshev a =C3=A9crit :
> > Hi!
> >
> > We have had a bunch of bugs recently which are essentially one and the
> > same issue: PHP 5.6 allows only int-sized strings, but many functions
> > don't check the size of the string they produce. This can lead to int
> > overflows inside php and also can break other libraries that also assum=
e
> > string sizes are ints and this can cause all kinds of weirdness.
> > However, these bugs are very unlikely to manifest in production setting
> > for one simple reason - they require PHP to run with no memory limit,
> > and I haven't seen many setups that run with no memory limit. I'm not
> > going to go into specifics here, since some of the issues are still not
> > fixed, but you can talk to me privately if you need examples or browse
> > changelogs of later 5.6 releases.
> >
> > A twin brother of this is in 7.0 where there are just integer overflows
> > in string size calculations. Usually that requires huge strings as
> > inputs, so also requires running with no memory limit.
> >
> > These bugs are now treated as security issues,
>
> My main concern is not to know if we treat this bugs as security or not.
>
> It is mainly about "classification", and I think "low" risk bugs should
> be fixed using the normal bug process (going in a RC versions) rather
> than a specific process (fixed only at GA time), which should be
> reserved for higher risk bugs.
>
>
> Remi
>
>
>

--001a1130ca92b00f3f053fe9f91f--