[php-maint] Bug#668067: Bug#668067: [php5-common] Nonsensical part about configuration known to be inherently insecure in README.Debian.security

Thijs Kinkhorst thijs at debian.org
Sun Apr 8 19:45:29 UTC 2012 

On Sun, April 8, 2012 21:23, Filipus Klutiero wrote:
> Hi Thijs,
>
> On 2012-04-08 13:16, Thijs Kinkhorst wrote:
>> On Sun, April 8, 2012 18:31, Filipus Klutiero wrote:
>>> Package: php5-common
>>> Version: 5.4.1~rc1-1
>>> Severity: normal
>>>
>>> README.Debian.security starts:
>>>
>>>> The Debian stable security team does not provide security support for
>>>> certain configurations known to be inherently insecure. This includes
>>>> the interpreter itself, extensions, and user scripts written in the
>>>> PHP
>>>> language.
>>> This is at least most unclear. How would the PHP interpreter be a
>>> configuration known to be inherently insecure?
>> If I add "features in", does it get clear to you what's meant?
>>
>> | The Debian stable security team does not provide security support for
>> | certain configurations known to be inherently insecure. This includes
>> | features in the interpreter itself, extensions, and user scripts
>> written
>> | in the PHP language. Most specifically, but not exclusively, the
>> | security team will not provide support for the following.
>
> I'm not sure. This raises the question "Are features configurations?"

Making use of a feature is most certainly a configuration.

> Looking at the list of specific cases/examples:
>
>>  * Security issues which are caused by careless programming, such as:
>>    - extracting a tar file without first checking the contents;
>>    - using unserialize() on untrusted data;
>>    - relying on a specific value of short_open_tag.
>
> Only the last example makes me think of configuration.
>
>>
>>  * Vulnerabilities involving any kind of open_basedir violation, as
>>    this feature is not considered a security model either by us or by
>>    PHP upstream.
>
> That does make me think of configuration.
>
>>
>>  * Any "works as expected" vulnerabilities, such as "user can cause
>>    PHP to crash by writing a malicious PHP script", unless such
>>    vulnerabilities involve some kind of higher-level DoS or privilege
>>    escalation that would not otherwise be available.
>
> That doesn't make me think of configuration.

You've noticed that there are at least two examples that refer to
configuration. That seems like enough examples to me. I take it that
you're ok with the proposed change then?


Thijs

More information about the pkg-php-maint mailing list