On Thu, Nov 17, 2005 at 07:38:18PM -0500, Antoine Beaupre wrote:
> Package: php4
> Version: 4:4.3.10-16
> Followup-For: Bug #336645
>
> http://www.hardened-php.net/index.76.html
>
> This page explains why the so-called 'globals overwrite' bug matters,
> even regardless of the register_globals setting. To put it briefly, the
> $GLOBALS array can be accessed directly by other functions that assume
> a proper initialization that might have been destroyed by the overwrite.
> Not sure that is clear enough, read the page above if not.

I've read that page; the issue is that I don't see any description of a
method of *causing* a $GLOBALS overwrite that doesn't fall into the
category of "stupid variable handling". AFAICT, this error only occurs
when a PHP application takes arbitrary variable names from an untrusted
source, either by register_globals or by manually reimplementing
register_globals-like behavior.

I can understand that it's desirable to update PHP so that such stupid
variable handling can't be exploited, but it looks to me like the
fundamental bug is in the PHP applications that are doing stupid things
with variables -- *not* with the PHP engine itself.

So, to my eye, this doesn't seem to be a bug that warrants a stable
security update; but I've cc:ed the Security Team for comment. If Debian
is actually shipping applications which can be exploited in this manner,
then doing one security update for PHP may be better than doing one for
each affected app.

Anyway, if you can point me to any evidence that this is exploitable in a
default config by means that don't rely on bad PHP coding practices, by
all means I would push the Security Team to include an update. Or if the
Security Team themselves feel an update is warranted, I'm more than happy
to prepare one at their request regardless.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
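As an added illustration (not part of the mail, the bug report or the Debian php4 package), here is the "register_globals-like" pattern the reply describes, an application importing every request key as a global variable, next to a version that only reads a fixed allow-list of parameters. The request array, parameter names and functions are constructed for the example.

```php
<?php
// Added example: the pattern the reply calls out, and a safer form.

// Emulation of register_globals: every request key becomes a global
// variable, so the client chooses variable names. A key named 'GLOBALS'
// (or any name another function relies on) clobbers existing state;
// this is the "globals overwrite" the bug report discusses.
function import_request_vars_unsafe(array $request)
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;   // name and value both come from the client
    }
}

// Safer form: only a fixed allow-list of parameters is read, each into
// a known key with a basic type check; unknown keys never become state.
function read_request_vars_safe(array $request)
{
    $allowed = array('page' => 'int', 'sort' => 'string'); // constructed names
    $params  = array();
    foreach ($allowed as $name => $type) {
        if (!array_key_exists($name, $request)) {
            continue;
        }
        $value = $request[$name];
        if ($type === 'int' && !ctype_digit((string) $value)) {
            continue;               // reject a non-numeric 'page'
        }
        $params[$name] = ($type === 'int') ? (int) $value : (string) $value;
    }
    return $params;
}

// Constructed request: two expected parameters plus an unexpected key.
$request = array('page' => '3', 'sort' => 'name', 'unexpected' => 'x');

$safe = read_request_vars_safe($request);
var_dump(isset($safe['unexpected']));   // bool(false)
var_dump($safe['page']);                // int(3)
```

Running the unsafe function on the same array would define a global named `unexpected`; the safe version returns only the two declared parameters, which is the distinction the reply draws between application-level variable handling and the engine.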