Re: CVE Request/Clarification - PHP

["mancha" <mancha1 () hush com>]

On Fri, 07 Mar 2014 15:31:00 +0000 cve-assign () mitre org wrote:
> > Two issues were recently identified as security concerns in
> > libmagic: CVE-2014-1943 (infinite recursion flaw) &
> > CVE-2014-2270 (improper bounds checking).
> >
> > What is the policy regarding CVE allocation for products
> > vulnerable by virtue of bundling copies of vulnerable products
> > (as opposed to, say, linking vulnerable system libraries)?
> >
> > I bring this up because PHP embeds a copy of libmagic
>
> A CVE assignment for libmagic (in the file product) can be used
> by all vendors who bundle libmagic. Different copies of libmagic
> in different products do not have separate CVE IDs.
>
> -- 
> CVE assignment team, MITRE CVE Numbering Authority

Many thanks for that clarification.

--mancha