oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Fwd: Re: CVE Request Question

From: Joshua Rogers <oss () internot info>
Date: Sun, 04 Jan 2015 11:11:21 +1100
I'm forwarding this to oss-security just for the interest of documentation.


Thanks,


-------- Forwarded Message --------
Subject:     Re: CVE Request Question
Date:     Mon, 29 Dec 2014 11:38:17 -0500 (EST)
From:     cve-assign () mitre org
To:     bugreports () internot info
CC:     cve-assign () mitre org




https://bugs.php.net/bug.php?id=68665


As far as we can tell, Bug #68665 has two completely unrelated bugs
and you are perhaps asking about CVE IDs for both of them.

First, there is an apprentice.c bug:


I found an invalid free that will cause a crash/memory corruption in the
master repo(git) of PHP:





http://git.php.net/?p=php-src.git;a=commit;h=a72cd07f2983dc43a6bb35209dc4687852e53c09

[ and in PHP 5.6

http://git.php.net/?p=php-src.git;a=commit;h=ef89ab2f99fbd9b7b714556d4f1f50644eb54191
]

Use CVE-2014-9426.


Then, there is a zend_language_scanner.c bug:


I found an invalid free that will cause a crash/memory corruption in the
master repo(git) of PHP:



http://git.php.net/?p=php-src.git;a=commit;h=68dd8e8bd7c994dd7a127535d6b4cd22e8c1fc28


and a test case:



http://git.php.net/?p=php-src.git;a=commit;h=67c47e7861a612634bc56525163b6c781aada8db


But from a PHP dev, regarding whether a CVE-ID should be assigned:

Hmm, I'd say no. The language scanner one is master only, so

shouldn't have been used in any production.


I'm just wondering if even though it's only in master, it falls within
scope of CVE-ID's?


There is currently no CVE ID for this. The practice that we follow is
not the same for every piece of software. For example, in the past we
have assigned CVE IDs for vulnerabilities in FFmpeg that did not
affect any FFmpeg release. The rationale for this is that Google was
incorporating unreleased FFmpeg code into Chrome. In the case of PHP,
we do not know of (for example) current cases in which a Linux
distribution ships packages based on using the PHP master tree at an
arbitrary point in time. Also, we have not seen PHP maintainers
advertise that end users should individually use master. Accordingly,
for PHP, master seems to not directly correspond to a "product," and
at least some of the bugs are a reflection of the code being in an
indeterminate development state.

Attachment: signature.asc
Description: OpenPGP digital signature

Previous By Date Next
Previous By Thread Next

Current thread: