It was reported [1] that the apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors.
Upstream commit with the fix: http://git.php.net/?p=php-src.git;a=commit;h=a72cd07f2983dc43a6bb35209dc4687852e53c09
[1]: https://bugs.php.net/bug.php?id=68665
Created php tracking bugs for this issue: Affects: fedora-all [bug 1178716]
Per comment on https://bugs.php.net/bug.php?id=68665, PHP is not affected as erealloc never returns NULL. A request to revoke this CVE has been sent to oss-security.com.
As per comment #2, Red Hat Product Security Team does not consider this issue as a security flaw. Closing this bug as NOTABUG.