From coley at mitre.org  Mon Oct  6 17:11:15 2014
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 6 Oct 2014 18:11:15 -0400 (EDT)
Subject: [VIM] Possible third-party code dupes? (CVE-2014-4043/glibc and
 CVE-2014-1950/Xen)
Message-ID: <Pine.GSO.4.64.1410061806560.9075@faron.mitre.org>


All,

BID:68006 is ostensibly for a UAF in GNU glibc, CVE-2014-4043, but 
mentions the xc_cpupool_getinfo() function whereas most sources focus on 
posix_spawn_file_actions_addopen(), which doesn't follow the POSIX 
specification in a way that could open applications to UAFs.

xc_cpupool_getinfo() is associated with CVE-2014-1950 in Xen, and is 
called a UAF.

The researcher credits are different, though BID:68006 credits the same 
people as for CVE-2014-4043.

Was Xen vulnerable to the same glibc issue (which would suggest a CVE 
dupe)?  Or is this a copy-and-paste issue in the BID?

- Steve