Morning,

Trying to re-shape our own classification system seems like a good idea.

I have no good idea of how to write such a document, but I would be happy to review (and make other people review) if someone were to start.

Cheers
Joe

On Fri, Oct 28, 2016 at 10:18 AM, Remi Collet <r...@fedoraproject.org> wrote:
> On 24/10/2016 at 07:23, Stanislav Malyshev wrote:
> > Hi!
> >
> > We have had a bunch of bugs recently which are essentially one and the
> > same issue: PHP 5.6 allows only int-sized strings, but many functions
> > don't check the size of the string they produce. This can lead to int
> > overflows inside PHP and can also break other libraries that also assume
> > string sizes are ints, and this can cause all kinds of weirdness.
> > However, these bugs are very unlikely to manifest in a production setting
> > for one simple reason: they require PHP to run with no memory limit,
> > and I haven't seen many setups that run with no memory limit. I'm not
> > going to go into specifics here, since some of the issues are still not
> > fixed, but you can talk to me privately if you need examples or browse
> > the changelogs of later 5.6 releases.
> >
> > A twin brother of this is in 7.0, where there are just integer overflows
> > in string size calculations. Usually that requires huge strings as
> > inputs, so it also requires running with no memory limit.
> >
> > These bugs are now treated as security issues,
>
> My main concern is not to know whether we treat these bugs as security or not.
>
> It is mainly about "classification", and I think "low" risk bugs should
> be fixed using the normal bug process (going into RC versions) rather
> than a specific process (fixed only at GA time), which should be
> reserved for higher risk bugs.
>
>
> Remi
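The bug class Stanislav describes above (a string-building function computing a length that no longer fits the int-sized string length of PHP 5.6, or overflowing size_t arithmetic in 7.0) comes down to one missing check before allocation. The following is an added illustration written for this thread, not PHP source: the function names, the str_repeat-style builder and the sample inputs are assumptions, and it shows the divide-before-multiply check that keeps the computed length (plus the terminating NUL) inside the type's range for both the int and the size_t layout.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not PHP source. With int-sized string lengths
 * (the PHP 5.6 layout), a function that builds a new string must prove
 * that the computed length plus one byte for the NUL still fits in an
 * int before it allocates. Returns 1 and stores the length in *out, or
 * 0 when the product would overflow. */
int checked_repeat_len(int len, int mult, int *out)
{
    if (len < 0 || mult < 0)
        return 0;
    /* Divide instead of multiply so the check itself cannot overflow. */
    if (len != 0 && mult > (INT_MAX - 1) / len)
        return 0;
    *out = len * mult;
    return 1;
}

/* The same check for size_t lengths (the PHP 7 layout): the overflow
 * point moves to SIZE_MAX, but the calculation still needs guarding. */
int checked_repeat_len_sz(size_t len, size_t mult, size_t *out)
{
    if (len != 0 && mult > (SIZE_MAX - 1) / len)
        return 0;
    *out = len * mult;
    return 1;
}

/* str_repeat-style builder (hypothetical) using the int-sized check:
 * returns a freshly allocated copy, or NULL when the length does not
 * fit, instead of wrapping around and allocating a too-small buffer. */
char *repeat_checked(const char *s, int mult)
{
    int n;
    size_t slen = strlen(s);
    if (slen > INT_MAX || !checked_repeat_len((int)slen, mult, &n))
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (!buf)
        return NULL;
    for (int i = 0; i < mult; i++)
        memcpy(buf + (size_t)i * slen, s, slen);
    buf[n] = '\0';
    return buf;
}
```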