[php-maint] Bug#668067: Bug#668067: [php5-common] Nonsensical part about configuration known to be inherently insecure in README.Debian.security

Filipus Klutiero chealer at gmail.com
Sun Apr 8 19:23:29 UTC 2012 

Hi Thijs,

On 2012-04-08 13:16, Thijs Kinkhorst wrote:
> On Sun, April 8, 2012 18:31, Filipus Klutiero wrote:
>> Package: php5-common
>> Version: 5.4.1~rc1-1
>> Severity: normal
>>
>> README.Debian.security starts:
>>
>>> The Debian stable security team does not provide security support for
>>> certain configurations known to be inherently insecure. This includes
>>> the interpreter itself, extensions, and user scripts written in the PHP
>>> language.
>> This is at least most unclear. How would the PHP interpreter be a
>> configuration known to be inherently insecure?
> If I add "features in", does it get clear to you what's meant?
>
> | The Debian stable security team does not provide security support for
> | certain configurations known to be inherently insecure. This includes
> | features in the interpreter itself, extensions, and user scripts written
> | in the PHP language. Most specifically, but not exclusively, the
> | security team will not provide support for the following.

I'm not sure. This raises the question "Are features configurations?"

Looking at the list of specific cases/examples:

>  * Security issues which are caused by careless programming, such as:
>    - extracting a tar file without first checking the contents;
>    - using unserialize() on untrusted data;
>    - relying on a specific value of short_open_tag.

Only the last example makes me think of configuration.

>
>  * Vulnerabilities involving any kind of open_basedir violation, as
>    this feature is not considered a security model either by us or by
>    PHP upstream.

That does make me think of configuration.

>
>  * Any "works as expected" vulnerabilities, such as "user can cause
>    PHP to crash by writing a malicious PHP script", unless such
>    vulnerabilities involve some kind of higher-level DoS or privilege
>    escalation that would not otherwise be available.

That doesn't make me think of configuration.

More information about the pkg-php-maint mailing list