oss-sec mailing list archives
Re: Issues without CVE names in PHP 5.3.4/5.2.15 release
From: Vincent Danen <vdanen () redhat com>
Date: Mon, 13 Dec 2010 11:09:15 -0700
* [2010-12-13 18:47:19 +0100] Pierre Joye wrote:
On Mon, Dec 13, 2010 at 5:33 PM, Vincent Danen <vdanen () redhat com> wrote:Looking at the PHP web site, there are a few issues fixed in the most recent releases that don't seem to have a CVE name: * Fixed crash in zip extract method (possible CWE-170).Was requested and was not considered as worth a CVE #
Ok.
* Fixed symbolic resolution support when the target is a DFS share.Why does it require a CVE #? That's not a security fix but a fix about DFS support on Windows (did not work).
Well, CVEs are, by definition, for security issues. When your release notes indicate "fixed foo" under the heading "Security Enhancements and Fixes", one assumes they are security-relevant, and if they're security-relevant, generally they get CVE names.
* Fixed extract() to do not overwrite $GLOBALS and $this when using EXTR_OVERWRITE.Not sure either if it requires one.
I can't tell because I can't find any information, however if you don't believe this is security-relevant, I won't pursue it. However, I would question whether or not it is worth listing under "security enhancements and fixes" instead of just "key bug fixes"?
Also doesn't seem to be much info on these readily available. The first seems to be related to this SVN commit (don't see a bug for it): http://svn.php.net/viewvc?view=revision&revision=305848 The second seems to be Windows-specific and is this bug (haven't found the SVN commit for it yet): http://bugs.php.net/bug.php?id=51945 The third seems to be 5.2-specific (no mention in the 5.3 changes), but I've not yet found the bug or SVN commit.In any case I would like to remember you security () php net as well. We also added now a security flag in our bug tracker, Joe should have access to them as well, ping me if more of the redhat team needs it, or other distrubutions.
I wasn't sure if I had missed some discussion about this or not, so instead of burdening the security team directly, I brought it up here (also under the assumption that others would read the release page notes and see those items listed under security fixes and may have the same questions). Thanks for the info. --Vincent Danen / Red Hat Security Response Team
Current thread:
- Issues without CVE names in PHP 5.3.4/5.2.15 release Vincent Danen (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Pierre Joye (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Vincent Danen (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Pierre Joye (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Raphael Geissert (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Vincent Danen (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Pierre Joye (Dec 13)