[php-maint] Bug#639230: [php5] README.Debian.security: unclear reference to unserialize() risk

Filipus Klutiero chealer at gmail.com
Thu Aug 25 07:05:25 UTC 2011

Package: php5
Version: 5.3.8-1
Severity: minor

README.Debian.security contains:

> Most specifically, the security team will not provide
> support for flaws in:
> - problems which are not flaws in the design of php but can be problematic
>   when used by sloppy developers (for example: not checking the contents
>   of a tar file before extracting it, using unserialize() on
>   untrusted data, or relying on a specific value of short_open_tag).

It is unclear to me how using unserialize() on untrusted data would 
create a particular risk. Do you perhaps mean extract()?

More information about the pkg-php-maint mailing list