oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8

From: Pierre Joye <pierre.php () gmail com>
Date: Sun, 25 Sep 2011 11:49:41 +0200
On Sun, Sep 25, 2011 at 11:18 AM, Stas Malyshev <smalyshev () sugarcrm com> wrote:


I'm concerned that if we do it this way people would take it as "PHP has
security bug in is_a and it was fixed in this version, so as long as we run
updated version we're OK", not "my code has gaping security hole which by
pure luck wasn't exploitable but minor change made it exploitable". If we
don't make it crystal clear the latter and not the former is the case, we'd
have same problem with 5.4.


That's a valid concern however it is another matter.

My suggestion would be:

- get a CVE and assign it to the bug

- be sure to get the right information in the CVE
  .  about why it is not a flaw in php itself per se but a behavior
change that could introduce a flaw in existing php scripts
     . these php scripts were not following our guidance or good practice guide

- Be sure we update the upgrade guide, the NEWS file, the
documentation and the announce to clearly explain and define this
problem and its consequences

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Previous By Date Next
Previous By Thread Next

Current thread: