Re: Issues without CVE names in PHP 5.3.4/5.2.15 release

[Pierre Joye <pierre.php () gmail com>]

hi,

oh my bad, I did not see that they were listed under the security
enhancement and I reviewed the announce... :P

On Mon, Dec 13, 2010 at 7:09 PM, Vincent Danen <vdanen () redhat com> wrote:
> * [2010-12-13 18:47:19 +0100] Pierre Joye wrote:
>
> > On Mon, Dec 13, 2010 at 5:33 PM, Vincent Danen <vdanen () redhat com> wrote:
> > > Looking at the PHP web site, there are a few issues fixed in the most
> > > recent releases that don't seem to have a CVE name:
> > >
> > > * Fixed crash in zip extract method (possible CWE-170).
> >
> > Was requested and was not considered as worth a CVE #
>
> Ok.
>
> > > * Fixed symbolic resolution support when the target is a DFS share.
> >
> > Why does it require a CVE #? That's not a security fix but a fix about
> > DFS support on Windows (did not work).
>
> Well, CVEs are, by definition, for security issues.  When your release
> notes indicate "fixed foo" under the heading "Security Enhancements and
> Fixes", one assumes they are security-relevant, and if they're
> security-relevant, generally they get CVE names.
>
> > > * Fixed extract() to do not overwrite $GLOBALS and $this when using
> > > EXTR_OVERWRITE.
> >
> > Not sure either if it requires one.
>
> I can't tell because I can't find any information, however if you don't
> believe this is security-relevant, I won't pursue it.  However, I would
> question whether or not it is worth listing under "security enhancements
> and fixes" instead of just "key bug fixes"?
>
> > > Also doesn't seem to be much info on these readily available.
> > >
> > > The first seems to be related to this SVN commit (don't see a bug for
> > > it):
> > >
> > > http://svn.php.net/viewvc?view=revision&revision=305848
> > >
> > > The second seems to be Windows-specific and is this bug (haven't found
> > > the SVN commit for it yet):
> > >
> > > http://bugs.php.net/bug.php?id=51945
> > >
> > > The third seems to be 5.2-specific (no mention in the 5.3 changes), but
> > > I've not yet found the bug or SVN commit.
> >
> > In any case I would like to remember you security () php net as well. We
> > also added now a security flag in our bug tracker, Joe should have
> > access to them as well, ping me if more of the redhat team needs it,
> > or other distrubutions.
>
> I wasn't sure if I had missed some discussion about this or not, so
> instead of burdening the security team directly, I brought it up here
> (also under the assumption that others would read the release page notes
> and see those items listed under security fixes and may have the same
> questions).
>
> Thanks for the info.
>
> --
> Vincent Danen / Red Hat Security Response Team



-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org