Re: Re: CVE Request: Double Free in PHP

[Joshua Rogers <oss () internot info>]

On 30/12/14 17:02, cve-assign () mitre org wrote:
> No, CVE-2014-9425 is only for the Zend/zend_ts_hash.c issue with:
>
>   142        tsrm_mutex_free(ht->mx_reader);
>   143        tsrm_mutex_free(ht->mx_reader);
>
> We generally can't change the scope of a CVE ID to include additional
> bugs after that CVE ID has been sent to oss-security. Otherwise,
> anyone developing a remediation for a CVE would typically see their
> remediation suddenly become incomplete because the meaning of the CVE
> changed.
Yes, that's my bad, sorry.
For some reason I saw CVE-2014-9425 as the
/ext/fileinfo/libmagic/apprentice.c CVE-ID, too, that you provided in a
private email.(For reference on the mailing list, this bug:
https://bugs.php.net/bug.php?id=68665)

> Also, for example, information showing a double-free issue (aka
> CWE-415) would not be combined with information showing a
> use-after-free issue (aka CWE-416). That situation would have two CVE
> IDs even if the reports were sent together and were, say, specifically
> about PHP 5.6.4.
OK, great.



Thanks,
-- 
-- Joshua Rogers <https://internot.info/>

Attachment: signature.asc
Description: OpenPGP digital signature