On 24/10/2016 at 07:23, Stanislav Malyshev wrote:
> Hi!
>
> We have had a bunch of bugs recently which are essentially one and the
> same issue: PHP 5.6 allows only int-sized strings, but many functions
> don't check the size of the string they produce. This can lead to int
> overflows inside PHP and also can break other libraries that also assume
> string sizes are ints and this can cause all kinds of weirdness.
> However, these bugs are very unlikely to manifest in a production setting
> for one simple reason - they require PHP to run with no memory limit,
> and I haven't seen many setups that run with no memory limit. I'm not
> going to go into specifics here, since some of the issues are still not
> fixed, but you can talk to me privately if you need examples or browse
> changelogs of later 5.6 releases.
>
> A twin brother of this is in 7.0 where there are just integer overflows
> in string size calculations. Usually that requires huge strings as
> inputs, so also requires running with no memory limit.
>
> These bugs are now treated as security issues,

My main concern is not to know if we treat these bugs as security or not. It is mainly about "classification", and I think "low" risk bugs should be fixed using the normal bug process (going in RC versions) rather than a specific process (fixed only at GA time), which should be reserved for higher risk bugs.

Remi