Newsgroups: php.internals
Xref: news.php.net php.internals:96637
Subject: Re: [PHP-DEV] bug classification discussion
From: pierre.php@gmail.com (Pierre Joye)
To: Ferenc Kovacs
Cc: PHP internals, Remi Collet
Date: Sat, 29 Oct 2016 17:11:03 +0700
References: <1ae4bea0-d62b-fd61-f6b6-55762e97df6e@gmail.com> <573da963-6121-3231-b603-4c5d6b332c9d@fedoraproject.org>

Hi,

On Oct 28, 2016 10:33 PM, "Ferenc Kovacs" wrote:
>
> On Fri, Oct 28, 2016 at 11:18 AM, Remi Collet wrote:
>
> > Le 24/10/2016 à 07:23, Stanislav Malyshev a écrit :
> > > Hi!
> > >
> > > We have had a bunch of bugs recently which are essentially one and the
> > > same issue: PHP 5.6 allows only int-sized strings, but many functions
> > > don't check the size of the string they produce. This can lead to int
> > > overflows inside php and also can break other libraries that also assume
> > > string sizes are ints, and this can cause all kinds of weirdness.
> > > However, these bugs are very unlikely to manifest in a production setting
> > > for one simple reason - they require PHP to run with no memory limit,
> > > and I haven't seen many setups that run with no memory limit. I'm not
> > > going to go into specifics here, since some of the issues are still not
> > > fixed, but you can talk to me privately if you need examples or browse
> > > changelogs of later 5.6 releases.
> > >
> > > A twin brother of this is in 7.0 where there are just integer overflows
> > > in string size calculations. Usually that requires huge strings as
> > > inputs, so it also requires running with no memory limit.
> > >
> > > These bugs are now treated as security issues,
> >
> > My main concern is not to know if we treat these bugs as security or not.
> >
> > It is mainly about "classification", and I think "low" risk bugs should
> > be fixed using the normal bug process (going in RC versions) rather
> > than a specific process (fixed only at GA time), which should be
> > reserved for higher risk bugs.
> >
> >
> > Remi
> >
>
> I agree with Remi, these should be fixed via the normal development process
> so we can catch any issues during the RC.
> These are basically the same issue, they can be exploited the same way
> (which I agree has low exploitability), so we don't really gain much
> by keeping them until the final release but we risk a lot from skipping the
> general QA process.

Thanks Stas for bringing that up.

It is indeed a case-by-case decision, however I fully agree with Remi and
Tyrael here, for the cases described by Stas' initial post (or similar). It
is extremely hard to do it in a short time during final phases, let alone
the risk of creating more damage by applying a bad fix.

About marking them as low security bugs or not, I have no strong opinion.
Maybe we could define what is a production environment and then define bugs
affecting this environment as security issues.

Cheers
Pierre
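The bug class Stas describes in the quoted message (a string length kept in a 32-bit int, and a function that computes the size of the string it produces without checking that the result still fits) can be shown in a few lines of C. The block below is an added illustration for this thread, not PHP source and not code from any of the participants; the function and constant names (`repeat_len_unchecked`, `repeat_len_checked`, `add_len_checked`, `unchecked_shortfall`, `repeat_string`, `LEN_MAX`) are assumptions made for the example, and the 1 GiB input length is a constructed value. It models a str_repeat-style helper both ways: the unchecked version wraps the product back into an int-sized field, so a 1 GiB string repeated four times has a "size" of 0 and gets a one-byte allocation that the copy loop then overruns by 4 GiB; the checked version computes in a wider type and refuses anything past the int-sized maximum.

```c
/*
 * Added illustration (not PHP source, not code from this thread) of the bug
 * class described above: string lengths kept in a 32-bit int, with a
 * str_repeat-style helper that multiplies length by count without checking
 * whether the product still fits. All names below are assumptions made for
 * this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest length an "int-sized string" can carry. */
#define LEN_MAX INT32_MAX

/* Unchecked model: the product is computed and then stored back into a
 * 32-bit int, so anything past 2^31-1 wraps. For len = 1 GiB and times = 4
 * the true size is 2^32, which truncates to 0: the allocator is asked for
 * 1 byte (size + NUL) and the copy loop then writes 4 GiB into it. */
static int32_t repeat_len_unchecked(int32_t len, int32_t times) {
    uint64_t wide = (uint64_t)len * (uint64_t)times;
    return (int32_t)(uint32_t)wide;   /* truncation to the int-sized field */
}

/* Checked model: compute in a wider type and refuse anything that does not
 * fit an int-sized string. Returns -1 on overflow or bad input. */
static int32_t repeat_len_checked(int32_t len, int32_t times) {
    if (len < 0 || times < 0) return -1;
    uint64_t wide = (uint64_t)len * (uint64_t)times;
    if (wide > (uint64_t)LEN_MAX) return -1;
    return (int32_t)wide;
}

/* Same check for additive size calculations (a str_pad-style len + pad). */
static int32_t add_len_checked(int32_t len, int32_t extra) {
    if (len < 0 || extra < 0) return -1;
    uint64_t wide = (uint64_t)len + (uint64_t)extra;
    return wide > (uint64_t)LEN_MAX ? -1 : (int32_t)wide;
}

/* How many bytes the unchecked path would write past its own allocation
 * (truncated size + 1 for the terminator). 0 means the buffer is large
 * enough; a negative truncated size is treated as an allocation request
 * that fails, so nothing is written. Inputs are assumed non-negative. */
static uint64_t unchecked_shortfall(int32_t len, int32_t times) {
    uint64_t written = (uint64_t)len * (uint64_t)times;
    int32_t truncated = repeat_len_unchecked(len, times);
    if (truncated < 0) return 0;
    uint64_t allocated = (uint64_t)truncated + 1;
    return written > allocated ? written - allocated : 0;
}

/* Hardened repeat: allocates only after the size has been validated.
 * Returns a malloc'd string, or NULL when the result would not fit. */
static char *repeat_string(const char *s, int32_t times) {
    size_t slen = strlen(s);
    if (slen > (size_t)LEN_MAX) return NULL;   /* input already too long */
    int32_t total = repeat_len_checked((int32_t)slen, times);
    if (total < 0) return NULL;
    char *out = malloc((size_t)total + 1);
    if (out == NULL) return NULL;
    for (int32_t i = 0; i < times; i++)
        memcpy(out + (size_t)i * slen, s, slen);
    out[total] = '\0';
    return out;
}

int main(void) {
    const int32_t one_gib = 0x40000000;   /* constructed input: a 1 GiB string length */
    printf("unchecked 1GiB*4 = %d, checked = %d, shortfall = %llu bytes\n",
           repeat_len_unchecked(one_gib, 4), repeat_len_checked(one_gib, 4),
           (unsigned long long)unchecked_shortfall(one_gib, 4));
    char *r = repeat_string("ab", 3);
    printf("repeat_string(\"ab\", 3) = %s\n", r ? r : "(null)");
    free(r);
    return 0;
}
```

The inputs needed to reach the wrap are the point Stas makes about exploitability: a 1 GiB operand has to exist in memory before the multiplication happens, which is exactly what a configured memory_limit prevents, so the overflow only becomes reachable on installs running without one.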