oss-sec mailing list archives
Re: CVE Request: Double Free in PHP
From: cve-assign () mitre org
Date: Tue, 30 Dec 2014 01:02:36 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I found in total I believe 5(don't quote me on that) double-free's/use-after-frees/invalid-free's in PHP. Should I use the same CVE-ID for all of them?
No, CVE-2014-9425 is only for the Zend/zend_ts_hash.c issue with: 142 tsrm_mutex_free(ht->mx_reader); 143 tsrm_mutex_free(ht->mx_reader); We generally can't change the scope of a CVE ID to include additional bugs after that CVE ID has been sent to oss-security. Otherwise, anyone developing a remediation for a CVE would typically see their remediation suddenly become incomplete because the meaning of the CVE changed. Also, for example, information showing a double-free issue (aka CWE-415) would not be combined with information showing a use-after-free issue (aka CWE-416). That situation would have two CVE IDs even if the reports were sent together and were, say, specifically about PHP 5.6.4. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUoj9VAAoJEKllVAevmvmsjZAIAIiB2XLN1HEx0qnqGoTTxRFe s1pRLB48bsLRrxixLOw4dS1ueawH2ss4t0M37IiAbEtu+OBnOrdSSVDLqtmVC7FJ 06vFIZIs0E+CArmo7FbgwBDwf36SOkrxB4XtuBHMXoDFh1OQAhcAeaig1lQaLOmU OBIOoYj9FTiZF5vYcKBqoeKP6Y3B4T7AEQLgqoiSL0MHd2pZWiiTHRm2afQXf8MD BeGnPJvIsf1ouh3yVG+j4ON+GbtX9J1jAwS6Blf2oIsin6f7uobPq7bqr+VeFxUl Vg3BoWPdL1Vxsv5F2Id6R8bERh4ORqBCFksTQeC9EP3pVFftP++pHzjJxEtXa0Q= =J3p7 -----END PGP SIGNATURE-----
Current thread:
- CVE Request: Double Free in PHP Joshua Rogers (Dec 29)
- Re: CVE Request: Double Free in PHP cve-assign (Dec 29)
- Re: Re: CVE Request: Double Free in PHP Joshua Rogers (Dec 29)
- Re: CVE Request: Double Free in PHP cve-assign (Dec 29)
- Re: Re: CVE Request: Double Free in PHP Joshua Rogers (Dec 29)
- Re: Re: CVE Request: Double Free in PHP Joshua Rogers (Dec 29)
- Re: CVE Request: Double Free in PHP cve-assign (Dec 29)