Date: Thu, 06 Mar 2014 04:45:50 +0000 From: "mancha" <mancha1@...h.com> To: oss-security@...ts.openwall.com Subject: CVE Request/Clarification - PHP Hello. Two issues were recently identified as security concerns in libmagic: CVE-2014-1943 (infinite recursion flaw) & CVE-2014-2270 (improper bounds checking). What is the policy regarding CVE allocation for products vulnerable by virtue of bundling copies of vulnerable products (as opposed to, say, linking vulnerable system libraries)? I bring this up because PHP embeds a copy of libmagic which it uses in its fileinfo extension. PHP has since patched its embedded libmagic to address above-mentioned issues: ,. In the event this merits separate CVEs, please allocate. If not, this thread can serve to clarify MITRE policy regarding inherited vulnerabilities as well as provide a heads up for vendors shipping PHP. Thanks. --mancha Upstream PHP Fixes:  http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547 (CVE-2014-1943)  http://git.php.net/?p=php-src.git;a=commitdiff;h=a33759fd27 (CVE-2014-2270)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ