Hi Ondřej,

On 2012-02-08 13:33, Ondřej Surý wrote:
> On Wed, Feb 8, 2012 at 18:03, Filipus Klutiero <chea...@gmail.com> wrote:
>>> We provide some examples to illustrate that: putting untrusted data into
>>> tar or unserialize functions without further checking may result in
>>> adverse effects.
>> I see. Could you please provide example CVEs, or the names of the specific
>> relevant tar functions?
> No, and there is no reason to do that. It's not meant as a definitive list, but
> a list of a few examples. I have run the current text[1] through our Debian L10N
> English team and my opinion is that the text now accurately reflects PHP 5.4
> security policy.

Although mentioning these in the README may be a good idea, all I meant to ask was to provide these to me via this report, so I can get a good understanding of what the README intended to say and suggest a phrasing that reflects the intended meaning.
> You have never provided a consistent text we can use and
> would make you happy (and yes I have checked both bug reports and the only
> thing you have suggested was that we delete the whole paragraph) and clearly
> we cannot come to a reasonable consensus, also because you consistently pick
> new things (like this email).

I don't know what you mean by "picking new things", but I did provide a text in the initial report:
Sloppy developers do not use problems, although crackers may.
This is unclear and I frankly wouldn't know how to reformulate besides:
>  - application code

I don't know if you consider this text as consistent. As I said, I am still not sure I understand what the text wants to say.