Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 04 Jan 2015 11:11:21 +1100
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Fwd: Re: CVE Request Question

I'm forwarding this to oss-security just for the interest of documentation.


Thanks,


-------- Forwarded Message --------
Subject:     Re: CVE Request Question
Date:     Mon, 29 Dec 2014 11:38:17 -0500 (EST)
From:     cve-assign@...re.org
To:     bugreports@...ernot.info
CC:     cve-assign@...re.org



> https://bugs.php.net/bug.php?id=68665

As far as we can tell, Bug #68665 has two completely unrelated bugs
and you are perhaps asking about CVE IDs for both of them.

First, there is an apprentice.c bug:

> I found an invalid free that will cause a crash/memory corruption in the
> master repo(git) of PHP:

>
http://git.php.net/?p=php-src.git;a=commit;h=a72cd07f2983dc43a6bb35209dc4687852e53c09

[ and in PHP 5.6

http://git.php.net/?p=php-src.git;a=commit;h=ef89ab2f99fbd9b7b714556d4f1f50644eb54191
]

Use CVE-2014-9426.


Then, there is a zend_language_scanner.c bug:

> I found an invalid free that will cause a crash/memory corruption in the
> master repo(git) of PHP:
>
>
http://git.php.net/?p=php-src.git;a=commit;h=68dd8e8bd7c994dd7a127535d6b4cd22e8c1fc28
>
> and a test case:
>
>
http://git.php.net/?p=php-src.git;a=commit;h=67c47e7861a612634bc56525163b6c781aada8db
>
> But from a PHP dev, regarding whether a CVE-ID should be assigned:
> > Hmm, I'd say no. The language scanner one is master only, so
shouldn't have been used in any production.
>
> I'm just wondering if even though it's only in master, it falls within
> scope of CVE-ID's?

There is currently no CVE ID for this. The practice that we follow is
not the same for every piece of software. For example, in the past we
have assigned CVE IDs for vulnerabilities in FFmpeg that did not
affect any FFmpeg release. The rationale for this is that Google was
incorporating unreleased FFmpeg code into Chrome. In the case of PHP,
we do not know of (for example) current cases in which a Linux
distribution ships packages based on using the PHP master tree at an
arbitrary point in time. Also, we have not seen PHP maintainers
advertise that end users should individually use master. Accordingly,
for PHP, master seems to not directly correspond to a "product," and
at least some of the bugs are a reflection of the code being in an
indeterminate development state.



Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.