PHP :: Bug #44299 :: PCRE security issue

Bug #44299

PCRE security issue

Submitted:

2008-02-29 23:58 UTC

Modified:

2008-07-17 15:44 UTC

Votes:	4
Avg. Score:	4.5 ± 0.9
Reproduced:	2 of 3 (66.7%)
Same Version:	1 (50.0%)
Same OS:	0 (0.0%)

From:

test_junk at hotmail dot it

Assigned:

nlopess (profile)

Status:

Closed

Package:

PCRE related

PHP Version:

4.4.8

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	test_junk at hotmail dot it
New email:
PHP Version:		OS:

New/Additional Comment:

[2008-02-29 23:58 UTC] test_junk at hotmail dot it

Description:
------------
Hello,

PCRE versions prior to 7.6 are affected by a vulnerability: http://www.securityfocus.com/bid/27786

Unfortunately php 4.4.8 compiled against version 7.6 is unstable, are you going to fix this issue?

Thanks

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-03-01 22:52 UTC] nlopess@php.net

I can upgrade it in CVS, but I'm not sure there will be any further PHP 4 release. Derick can you comment on this?

[2008-03-03 08:17 UTC] derick@php.net

From what I can see from their ChangeLog:

1.  A character class containing a very large number of characters with
    codepoints greater than 255 (in UTF-8 mode, of course) caused a
    buffer overflow.

Which is only an issue for the expression, and not "input" - so this should only be an issue if you use user-supplied input. Otherwise it's just a local-developer issue only. Which IMO doesn't warrant a new release.

[2008-03-03 10:50 UTC] nlopess@php.net

Yes, that's true. This is only a problem if the program uses user-supplied regexes.
I think that the most problematic thing was the pcre 7.0 BC break, that was later fixed in 7.2 (we still bundle 7.0).
Anyway, Derick please reassign the bug report to me again if you want me to upgrade pcre or close it otherwise. I can always upgrade PCRE later if you decide to make a new release for some other reason.

[2008-03-04 19:35 UTC] test_junk at hotmail dot it

There are several script using eval() statement in an unsafe manner (i.e. http://www.securityfocus.com/bid/14086), this makes the vulnerability remotely exploitable and potentially dangerous.

[2008-07-17 01:00 UTC] jani@php.net

Nuno, didn't you already upgrade PCRE in PHP_4_4 branch..? (for the last release..)

[2008-07-17 15:44 UTC] nlopess@php.net

ok, I've upgraded it today.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 02:00:01 2025 UTC