Re: Issues without CVE names in PHP 5.3.4/5.2.15 release

[Pierre Joye <pierre.php () gmail com>]

hi,

On Mon, Dec 13, 2010 at 5:33 PM, Vincent Danen <vdanen () redhat com> wrote:
> Looking at the PHP web site, there are a few issues fixed in the most
> recent releases that don't seem to have a CVE name:
>
> * Fixed crash in zip extract method (possible CWE-170).

Was requested and was not considered as worth a CVE #


> * Fixed symbolic resolution support when the target is a DFS share.

Why does it require a CVE #? That's not a security fix but a fix about
DFS support on Windows (did not work).

> * Fixed extract() to do not overwrite $GLOBALS and $this when using
> EXTR_OVERWRITE.

Not sure either if it requires one.

> Also doesn't seem to be much info on these readily available.
>
> The first seems to be related to this SVN commit (don't see a bug for
> it):
>
> http://svn.php.net/viewvc?view=revision&revision=305848
>
> The second seems to be Windows-specific and is this bug (haven't found
> the SVN commit for it yet):
>
> http://bugs.php.net/bug.php?id=51945
>
> The third seems to be 5.2-specific (no mention in the 5.3 changes), but
> I've not yet found the bug or SVN commit.

In any case I would like to remember you security () php net as well. We
also added now a security flag in our bug tracker, Joe should have
access to them as well, ping me if more of the redhat team needs it,
or other distrubutions.

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org