RE: [PHP-DEV] bug classification discussion

2016-11-09 Thread Anatol Belski
Hi,
> -Original Message-
> From: jakub@gmail.com [mailto:jakub@gmail.com] On Behalf Of Jakub
> Zelenka
> Sent: Wednesday, November 2, 2016 8:36 PM
> To: Stanislav Malyshev
> Cc: PHP Internals ; Remi Collet
>
> Subject: Re: [PHP-DEV] bug classification dis

Re: [PHP-DEV] bug classification discussion

2016-11-02 Thread Jakub Zelenka
Hi,

On Mon, Oct 24, 2016 at 6:23 AM, Stanislav Malyshev wrote:
> Hi!
>
> We have had a bunch of bugs recently which are essentially one and the
> same issue: PHP 5.6 allows only int-sized strings, but many functions
> don't check the size of the string they produce. This can lead to int
> overfl

Re: [PHP-DEV] bug classification discussion

2016-11-01 Thread Yasuo Ohgaki
Hi Stas,

On Sun, Oct 30, 2016 at 2:21 PM, Stanislav Malyshev wrote:
> So I wrote a first version of the document Anatol mentioned:
>
> https://wiki.php.net/security
>
> Please comment. Fixes to the grammar and typos are especially welcome
> (you can just do them in the wiki without asking :)

Nic

RE: [PHP-DEV] bug classification discussion

2016-11-01 Thread Anatol Belski
Hi Stas,
> -Original Message-
> From: Stanislav Malyshev [mailto:smalys...@gmail.com]
> Sent: Tuesday, November 1, 2016 6:14 PM
> To: Nikita Popov
> Cc: Anatol Belski ; PHP Internals
> ; Remi Collet
> Subject: Re: [PHP-DEV] bug classification discussion
>

Re: [PHP-DEV] bug classification discussion

2016-11-01 Thread Stanislav Malyshev
Hi!
> Yet one thing seems to be missing - security issue, that only
> concerns an unstable branch. Those can probably be handled as low
> severity, as any pre GA or master are not for production anyway.
> Still they should not be disclosed until fixed, but should be fine to
> fix at any point

Re: [PHP-DEV] bug classification discussion

2016-11-01 Thread Stanislav Malyshev
Hi!
> I'm also wondering under which category unserialize() issues would
> (usually) fall. I'd assume "low" (because requires documented insecure
> code + well known class of vulnerabilities).

I'd say medium. While it's documented that unserializing external strings is unsafe, there is code out t

RE: [PHP-DEV] bug classification discussion

2016-11-01 Thread Anatol Belski
> -Original Message-
> From: Nikita Popov [mailto:nikita@gmail.com]
> Sent: Tuesday, November 1, 2016 10:32 AM
> To: Stanislav Malyshev
> Cc: Anatol Belski ; PHP Internals
> ; Remi Collet
> Subject: Re: [PHP-DEV] bug classification discussion
>
> On S

Re: [PHP-DEV] bug classification discussion

2016-11-01 Thread Nikita Popov
On Sun, Oct 30, 2016 at 6:21 AM, Stanislav Malyshev wrote:
> Hi!
>
> So I wrote a first version of the document Anatol mentioned:
>
> https://wiki.php.net/security
>
> Please comment. Fixes to the grammar and typos are especially welcome
> (you can just do them in the wiki without asking :)
> It

Re: [PHP-DEV] bug classification discussion

2016-10-31 Thread Joe Watkins
Original Message-
> > From: Stanislav Malyshev [mailto:smalys...@gmail.com]
> > Sent: Sunday, October 30, 2016 6:21 AM
> > To: Anatol Belski ; 'PHP Internals'
> >
> > Cc: 'Remi Collet'
> > Subject: Re: [PHP-DEV] bug classification discu

RE: [PHP-DEV] bug classification discussion

2016-10-31 Thread Anatol Belski
Hi Stas,
> -Original Message-
> From: Stanislav Malyshev [mailto:smalys...@gmail.com]
> Sent: Sunday, October 30, 2016 6:21 AM
> To: Anatol Belski ; 'PHP Internals'
>
> Cc: 'Remi Collet'
> Subject: Re: [PHP-DEV] bug classification discussion
>

Re: [PHP-DEV] bug classification discussion

2016-10-29 Thread Stanislav Malyshev
Hi!

So I wrote a first version of the document Anatol mentioned:

https://wiki.php.net/security

Please comment. Fixes to the grammar and typos are especially welcome (you can just do them in the wiki without asking :)

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Develop

Re: [PHP-DEV] bug classification discussion

2016-10-29 Thread Pierre Joye
Hi,

On Oct 28, 2016 10:33 PM, "Ferenc Kovacs" wrote:
>
> On Fri, Oct 28, 2016 at 11:18 AM, Remi Collet
> wrote:
>
> > On 24/10/2016 at 07:23, Stanislav Malyshev wrote:
> > > Hi!
> > >
> > > We have had a bunch of bugs recently which are essentially one and the
> > > same issue: PHP 5.6 allows

Re: [PHP-DEV] bug classification discussion

2016-10-28 Thread Ferenc Kovacs
On Fri, Oct 28, 2016 at 11:18 AM, Remi Collet wrote:
> On 24/10/2016 at 07:23, Stanislav Malyshev wrote:
> > Hi!
> >
> > We have had a bunch of bugs recently which are essentially one and the
> > same issue: PHP 5.6 allows only int-sized strings, but many functions
> > don't check the size of t

Re: [PHP-DEV] bug classification discussion

2016-10-28 Thread Joe Watkins
Morning,

Trying to re-shape our own classification system seems like a good idea. I have no good idea of how to write such a document, would be happy to review (and make other people review) if someone were to start.

Cheers
Joe

On Fri, Oct 28, 2016 at 10:18 AM, Remi Collet wrote:
> Le

Re: [PHP-DEV] bug classification discussion

2016-10-28 Thread Remi Collet
On 24/10/2016 at 07:23, Stanislav Malyshev wrote:
> Hi!
>
> We have had a bunch of bugs recently which are essentially one and the
> same issue: PHP 5.6 allows only int-sized strings, but many functions
> don't check the size of the string they produce. This can lead to int
> overflows inside ph

RE: [PHP-DEV] bug classification discussion

2016-10-24 Thread Anatol Belski
> -Original Message-
> From: Anatol Belski [mailto:anatol@belski.net]
> Sent: Monday, October 24, 2016 3:45 PM
> To: 'Stanislav Malyshev' ; 'PHP Internals'
>
> Cc: 'Remi Collet'
> Subject: RE: [PHP-DEV] bug classification di

RE: [PHP-DEV] bug classification discussion

2016-10-24 Thread Anatol Belski
Hi Stas,
> -Original Message-
> From: Stanislav Malyshev [mailto:smalys...@gmail.com]
> Sent: Monday, October 24, 2016 7:23 AM
> To: PHP Internals
> Cc: Remi Collet
> Subject: [PHP-DEV] bug classification discussion
>
> Hi!
>
> We have had a bunch of bugs recently which are essentially