oss-sec mailing list archives
Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8
From: Pierre Joye <pierre.php () gmail com>
Date: Sun, 25 Sep 2011 11:49:41 +0200
On Sun, Sep 25, 2011 at 11:18 AM, Stas Malyshev <smalyshev () sugarcrm com> wrote:
I'm concerned that if we do it this way people would take it as "PHP has security bug in is_a and it was fixed in this version, so as long as we run updated version we're OK", not "my code has gaping security hole which by pure luck wasn't exploitable but minor change made it exploitable". If we don't make it crystal clear the latter and not the former is the case, we'd have same problem with 5.4.
That's a valid concern however it is another matter. My suggestion would be: - get a CVE and assign it to the bug - be sure to get the right information in the CVE . about why it is not a flaw in php itself per se but a behavior change that could introduce a flaw in existing php scripts . these php scripts were not following our guidance or good practice guide - Be sure we update the upgrade guide, the NEWS file, the documentation and the announce to clearly explain and define this problem and its consequences Cheers, -- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Current thread:
- CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Vincent Danen (Sep 24)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Stas Malyshev (Sep 25)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Pierre Joye (Sep 25)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Stas Malyshev (Sep 25)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Pierre Joye (Sep 25)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Stas Malyshev (Sep 25)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Pierre Joye (Sep 25)
- RE: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Zeev Suraski (Sep 25)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Pierre Joye (Sep 25)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Rasmus Lerdorf (Sep 25)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Pierre Joye (Sep 25)
- Re: Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Vincent Danen (Sep 26)
- Re: Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Johannes Schlüter (Sep 26)
- Re: Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Pierre Joye (Sep 26)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Pierre Joye (Sep 25)
- Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 Stas Malyshev (Sep 25)