Date: Sun, 04 Jan 2015 11:11:21 +1100 From: Joshua Rogers <oss@...ernot.info> To: oss-security@...ts.openwall.com Subject: Fwd: Re: CVE Request Question I'm forwarding this to oss-security just for the interest of documentation. Thanks, -------- Forwarded Message -------- Subject: Re: CVE Request Question Date: Mon, 29 Dec 2014 11:38:17 -0500 (EST) From: cve-assign@...re.org To: bugreports@...ernot.info CC: cve-assign@...re.org > https://bugs.php.net/bug.php?id=68665 As far as we can tell, Bug #68665 has two completely unrelated bugs and you are perhaps asking about CVE IDs for both of them. First, there is an apprentice.c bug: > I found an invalid free that will cause a crash/memory corruption in the > master repo(git) of PHP: > http://git.php.net/?p=php-src.git;a=commit;h=a72cd07f2983dc43a6bb35209dc4687852e53c09 [ and in PHP 5.6 http://git.php.net/?p=php-src.git;a=commit;h=ef89ab2f99fbd9b7b714556d4f1f50644eb54191 ] Use CVE-2014-9426. Then, there is a zend_language_scanner.c bug: > I found an invalid free that will cause a crash/memory corruption in the > master repo(git) of PHP: > > http://git.php.net/?p=php-src.git;a=commit;h=68dd8e8bd7c994dd7a127535d6b4cd22e8c1fc28 > > and a test case: > > http://git.php.net/?p=php-src.git;a=commit;h=67c47e7861a612634bc56525163b6c781aada8db > > But from a PHP dev, regarding whether a CVE-ID should be assigned: > > Hmm, I'd say no. The language scanner one is master only, so shouldn't have been used in any production. > > I'm just wondering if even though it's only in master, it falls within > scope of CVE-ID's? There is currently no CVE ID for this. The practice that we follow is not the same for every piece of software. For example, in the past we have assigned CVE IDs for vulnerabilities in FFmpeg that did not affect any FFmpeg release. The rationale for this is that Google was incorporating unreleased FFmpeg code into Chrome. In the case of PHP, we do not know of (for example) current cases in which a Linux distribution ships packages based on using the PHP master tree at an arbitrary point in time. Also, we have not seen PHP maintainers advertise that end users should individually use master. Accordingly, for PHP, master seems to not directly correspond to a "product," and at least some of the bugs are a reflection of the code being in an indeterminate development state. [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ