On Wed, Feb 8, 2012 at 18:03, Filipus Klutiero <firstname.lastname@example.org> wrote:
> > We provide some examples to illustrate that: putting untrusted data into
> > tar or unserialize functions without further checking may result in
>
> I see. Could you please provide example CVEs, or the names of the specific
> relevant tar functions?

No, and there is no reason to do that. It's not meant as a definitive list, but
a list of a few examples. I have run the current text through our Debian L10N
English team and my opinion is that the text now accurately reflects PHP 5.4
security policy. You have never provided a consistent text that we can use and
that would make you happy (and yes, I have checked both bug reports and the only
thing you have suggested was that we delete the whole paragraph) and clearly
we cannot come to a reasonable consensus, also because you consistently pick
new things (like this email).