oss-sec mailing list archives
Re: Re: CVE Request: Double Free in PHP
From: Joshua Rogers <oss () internot info>
Date: Tue, 30 Dec 2014 17:13:37 +1100
On 30/12/14 17:02, cve-assign () mitre org wrote:
> No, CVE-2014-9425 is only for the Zend/zend_ts_hash.c issue with:
>
>   142 tsrm_mutex_free(ht->mx_reader);
>   143 tsrm_mutex_free(ht->mx_reader);
>
> We generally can't change the scope of a CVE ID to include additional bugs after that CVE ID has been sent to oss-security. Otherwise, anyone developing a remediation for a CVE would typically see their remediation suddenly become incomplete because the meaning of the CVE changed.
Yes, that's my bad, sorry. For some reason I saw CVE-2014-9425 as the /ext/fileinfo/libmagic/apprentice.c CVE-ID, too, that you provided in a private email. (For reference on the mailing list, this bug: https://bugs.php.net/bug.php?id=68665)
> Also, for example, information showing a double-free issue (aka CWE-415) would not be combined with information showing a use-after-free issue (aka CWE-416). That situation would have two CVE IDs even if the reports were sent together and were, say, specifically about PHP 5.6.4.
OK, great.

Thanks,
--
-- Joshua Rogers <https://internot.info/>