Newsgroups: php.internals
From: tyra3l@gmail.com (Ferenc Kovacs)
Date: Fri, 28 Oct 2016 17:33:23 +0200
To: Remi Collet
Cc: PHP Internals
Subject: Re: [PHP-DEV] bug classification discussion

On Fri, Oct 28, 2016 at 11:18 AM, Remi Collet wrote:

> On 24/10/2016 at 07:23, Stanislav Malyshev wrote:
> > Hi!
> >
> > We have had a bunch of bugs recently which are essentially one and the
> > same issue: PHP 5.6 allows only int-sized strings, but many functions
> > don't check the size of the string they produce. This can lead to int
> > overflows inside PHP and also can break other libraries that also assume
> > string sizes are ints and this can cause all kinds of weirdness.
> > However, these bugs are very unlikely to manifest in a production setting
> > for one simple reason - they require PHP to run with no memory limit,
> > and I haven't seen many setups that run with no memory limit.
> > I'm not going to go into specifics here, since some of the issues are
> > still not fixed, but you can talk to me privately if you need examples
> > or browse changelogs of later 5.6 releases.
> >
> > A twin brother of this is in 7.0 where there are just integer overflows
> > in string size calculations. Usually that requires huge strings as
> > inputs, so also requires running with no memory limit.
> >
> > These bugs are now treated as security issues,
>
> My main concern is not to know if we treat these bugs as security or not.
>
> It is mainly about "classification", and I think "low" risk bugs should
> be fixed using the normal bug process (going in RC versions) rather
> than a specific process (fixed only at GA time), which should be
> reserved for higher risk bugs.
>
>
> Remi
>

I agree with Remi, these should be fixed via the normal development
process so we can catch any issues during the RC.
These are basically the same issue, they can be exploited the same way
(which I agree has a low exploitability), so we don't really gain much
by keeping them until the final release, but we risk a lot from skipping
the general QA process.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu