oss-sec mailing list archives
Re: CVE assignment for PHP 5.6.27 and 7.0.12
From: Remi Collet <remi () fedoraproject org>
Date: Tue, 18 Oct 2016 14:14:26 +0200
On 18/10/2016 14:06, Adam Maris wrote:
> On 18/10/16 09:42, Lior Kaplan wrote:
>> Hi,
>> Please assign a CVE for the following issue:
>> Bug #73147 Use After Free in unserialize()
>> https://bugs.php.net/bug.php?id=73147
>> http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
>> Thanks,
>> Kaplan
>
> 16 bugs marked as 'security' were fixed in php 5.6.27, of which only one has a CVE assigned. Here you request a CVE for another issue (even though the documentation says it's unsafe to use unserialize on untrusted input). Are you planning to obtain CVEs also for the other security bugs, or do you treat the rest as CVE-unworthy? Or are reporters/community supposed to do it?
All the remaining bugs, despite being reported as security issues, involved some very big strings to reproduce (~2GB), which is prevented by any decent memory_limit value and by max_input_size for remote access.

Remi

P.S. Just my 0,02€, but indeed, CVE-unworthy.
Thanks!