
List:       oss-security
Subject:    Re: [oss-security] Re: CVE Request: Double Free in PHP
From:       Joshua Rogers <oss () internot ! info>
Date:       2014-12-30 6:13:37
Message-ID: 54A24291.1010809 () internot ! info


On 30/12/14 17:02, cve-assign@mitre.org wrote:
> No, CVE-2014-9425 is only for the Zend/zend_ts_hash.c issue with:
>
>   142        tsrm_mutex_free(ht->mx_reader);
>   143        tsrm_mutex_free(ht->mx_reader);
>
> We generally can't change the scope of a CVE ID to include additional
> bugs after that CVE ID has been sent to oss-security. Otherwise,
> anyone developing a remediation for a CVE would typically see their
> remediation suddenly become incomplete because the meaning of the CVE
> changed.
Yes, that's my bad, sorry.
For some reason I saw CVE-2014-9425 as the
/ext/fileinfo/libmagic/apprentice.c CVE-ID, too, that you provided in a
private email. (For reference on the mailing list, this bug:
https://bugs.php.net/bug.php?id=68665)

> Also, for example, information showing a double-free issue (aka
> CWE-415) would not be combined with information showing a
> use-after-free issue (aka CWE-416). That situation would have two CVE
> IDs even if the reports were sent together and were, say, specifically
> about PHP 5.6.4.
OK, great.



Thanks,
-- 
-- Joshua Rogers <https://internot.info/>


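The quoted zend_ts_hash.c lines (tsrm_mutex_free(ht->mx_reader) called twice in a row) and the CWE-415 versus CWE-416 distinction MITRE draws above are illustrated by the following added example. It is not PHP's code and not part of this thread: fake_mutex, mutex_alloc, mutex_free, mutex_lock, ts_hash and the scenario functions are constructed stand-ins for the TSRM types, written so that a repeated free or a use of a freed pointer is counted rather than left to corrupt the heap. The "fixed" destructor assumes the intended second call was for mx_writer; the thread does not show PHP's actual fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the TSRM mutex; the real tsrm_mutex_* API is not used. */
typedef struct { int id; } fake_mutex;

#define MAX_TRACKED 16
static fake_mutex *live[MAX_TRACKED];   /* mutexes currently allocated */
static int next_id;

static int find_live(const fake_mutex *m) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (live[i] == m) return i;
    return -1;
}

/* Allocates and records a mutex; NULL if the tracking table is full. */
static fake_mutex *mutex_alloc(void) {
    int slot = find_live(NULL);
    if (slot < 0) return NULL;
    fake_mutex *m = malloc(sizeof *m);
    if (!m) return NULL;
    m->id = ++next_id;
    live[slot] = m;
    return m;
}

/* Frees a live mutex: 0 on success, -1 if the pointer is not live (CWE-415,
 * double free). NULL is a no-op, like free(NULL). Note that a real allocator
 * may hand the same address out again, which is why production detectors
 * quarantine freed chunks; this toy table does not. */
static int mutex_free(fake_mutex *m) {
    if (m == NULL) return 0;
    int slot = find_live(m);
    if (slot < 0) return -1;
    live[slot] = NULL;
    free(m);
    return 0;
}

/* Stand-in for taking the lock: the mutex id, or -1 if the pointer is not
 * live (CWE-416, use after free). The check precedes any dereference. */
static int mutex_lock(const fake_mutex *m) {
    if (m == NULL || find_live(m) < 0) return -1;
    return m->id;
}

typedef struct {
    fake_mutex *mx_reader;
    fake_mutex *mx_writer;
} ts_hash;

static int ts_hash_init(ts_hash *ht) {
    ht->mx_reader = mutex_alloc();
    ht->mx_writer = mutex_alloc();
    return (ht->mx_reader && ht->mx_writer) ? 0 : -1;
}

/* The pattern quoted in the thread: mx_reader freed twice, mx_writer never freed.
 * Returns how many of the two calls were double frees. */
static int ts_hash_destroy_buggy(ts_hash *ht) {
    int bad = 0;
    if (mutex_free(ht->mx_reader) < 0) bad++;
    if (mutex_free(ht->mx_reader) < 0) bad++;   /* second free of the same pointer */
    return bad;
}

/* Assumed correction: each mutex freed once, pointers cleared so that a
 * repeated destroy is harmless instead of a double free. */
static int ts_hash_destroy_fixed(ts_hash *ht) {
    int bad = 0;
    if (mutex_free(ht->mx_reader) < 0) bad++;
    ht->mx_reader = NULL;
    if (mutex_free(ht->mx_writer) < 0) bad++;
    ht->mx_writer = NULL;
    return bad;
}

static int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++) if (live[i]) n++;
    return n;
}

/* Quoted bug: returns the double-free count, *leaked gets the mutexes left over. */
int scenario_buggy(int *leaked) {
    ts_hash ht;
    if (ts_hash_init(&ht) < 0) return -1;
    int dbl = ts_hash_destroy_buggy(&ht);
    *leaked = live_count();
    mutex_free(ht.mx_writer);            /* tidy up so the scenarios stay independent */
    return dbl;
}

/* Corrected destructor, deliberately run twice: expect no double free, no leak. */
int scenario_fixed(int *leaked) {
    ts_hash ht;
    if (ts_hash_init(&ht) < 0) return -1;
    int dbl = ts_hash_destroy_fixed(&ht);
    dbl += ts_hash_destroy_fixed(&ht);
    *leaked = live_count();
    return dbl;
}

/* CWE-416 is a different bug: a dangling copy of mx_reader is used after teardown. */
int scenario_uaf(void) {
    ts_hash ht;
    if (ts_hash_init(&ht) < 0) return 0;
    fake_mutex *dangling = ht.mx_reader;
    ts_hash_destroy_fixed(&ht);
    return mutex_lock(dangling);         /* -1: not a live mutex any more */
}

int main(void) {
    int leaked;
    printf("buggy: double frees=%d leaked=%d\n", scenario_buggy(&leaked), leaked);
    printf("fixed: double frees=%d leaked=%d\n", scenario_fixed(&leaked), leaked);
    printf("uaf: lock result=%d\n", scenario_uaf());
    return 0;
}
```

The point MITRE makes maps directly onto the three scenarios: the second mutex_free in ts_hash_destroy_buggy is the CWE-415 condition, while scenario_uaf reaches a CWE-416 condition with a destructor that frees everything correctly, so the two would be tracked separately even if reported together.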
