Re: CVE Request: Double Free in PHP

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I found in total I believe 5(don't quote me on that)
> double-free's/use-after-frees/invalid-free's in PHP. Should I use the
> same CVE-ID for all of them?

No, CVE-2014-9425 is only for the Zend/zend_ts_hash.c issue with:

  142        tsrm_mutex_free(ht->mx_reader);
  143        tsrm_mutex_free(ht->mx_reader);

We generally can't change the scope of a CVE ID to include additional
bugs after that CVE ID has been sent to oss-security. Otherwise,
anyone developing a remediation for a CVE would typically see their
remediation suddenly become incomplete because the meaning of the CVE
changed.

Also, for example, information showing a double-free issue (aka
CWE-415) would not be combined with information showing a
use-after-free issue (aka CWE-416). That situation would have two CVE
IDs even if the reports were sent together and were, say, specifically
about PHP 5.6.4.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUoj9VAAoJEKllVAevmvmsjZAIAIiB2XLN1HEx0qnqGoTTxRFe
s1pRLB48bsLRrxixLOw4dS1ueawH2ss4t0M37IiAbEtu+OBnOrdSSVDLqtmVC7FJ
06vFIZIs0E+CArmo7FbgwBDwf36SOkrxB4XtuBHMXoDFh1OQAhcAeaig1lQaLOmU
OBIOoYj9FTiZF5vYcKBqoeKP6Y3B4T7AEQLgqoiSL0MHd2pZWiiTHRm2afQXf8MD
BeGnPJvIsf1ouh3yVG+j4ON+GbtX9J1jAwS6Blf2oIsin6f7uobPq7bqr+VeFxUl
Vg3BoWPdL1Vxsv5F2Id6R8bERh4ORqBCFksTQeC9EP3pVFftP++pHzjJxEtXa0Q=
=J3p7
-----END PGP SIGNATURE-----