Bug #44299 PCRE security issue
Submitted: 2008-02-29 23:58 UTC Modified: 2008-07-17 15:44 UTC
Avg. Score: 4.5 ± 0.9
Reproduced: 2 of 3 (66.7%)
Same Version: 1 (50.0%)
Same OS: 0 (0.0%)
From: test_junk at hotmail dot it Assigned: nlopess (profile)
Status: Closed Package: PCRE related
PHP Version: 4.4.8 OS: *
Private report: No CVE-ID: None


 [2008-02-29 23:58 UTC] test_junk at hotmail dot it

PCRE versions prior to 7.6 are affected by a vulnerability:

Unfortunately PHP 4.4.8 compiled against version 7.6 is unstable. Are you going to fix this issue?



 [2008-03-01 22:52 UTC]
I can upgrade it in CVS, but I'm not sure there will be any further PHP 4 release. Derick can you comment on this?
 [2008-03-03 08:17 UTC]
From what I can see from their ChangeLog:

1.  A character class containing a very large number of characters with
    codepoints greater than 255 (in UTF-8 mode, of course) caused a
    buffer overflow.

Which is only an issue for the expression, and not "input" - so this should only be an issue if you use user-supplied input. Otherwise it's just a local-developer issue only. Which IMO doesn't warrant a new release.
 [2008-03-03 10:50 UTC]
Yes, that's true. This is only a problem if the program uses user-supplied regexes.
I think that the most problematic thing was the pcre 7.0 BC break, that was later fixed in 7.2 (we still bundle 7.0).
Anyway, Derick please reassign the bug report to me again if you want me to upgrade pcre or close it otherwise. I can always upgrade PCRE later if you decide to make a new release for some other reason.
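The point Derick and Nuno make above is that the overflow sits in the regex compiler, so it only matters when the pattern itself comes from an untrusted source. The following is an added example (not code from this bug report, from PHP, or from PCRE) contrasting that situation with the usual safe one, where user input is only ever matched as literal data via preg_quote() or selected from a developer-written allow-list. Function names and the sample string are constructed for illustration.

```php
<?php
// Added example: user input as a regex PATTERN versus user input as literal DATA.
// Function names and sample inputs are constructed; they are not from the bug report.

// UNSAFE SHAPE: the user string becomes the pattern, so the user decides what the
// PCRE compiler sees (character classes, quantifiers, anything). This is the
// "user-supplied regex" case the thread says makes the compiler bug reachable.
function search_unsafe($haystack, $user_pattern) {
    return preg_match('/' . $user_pattern . '/u', $haystack);
}

// SAFE SHAPE: the developer fixes the pattern; user input is escaped with
// preg_quote() so it can only match itself literally. Metacharacters typed by
// the user never reach the compiler as syntax, so the compiler bug is not
// reachable from the input side.
function search_safe($haystack, $user_text) {
    $pattern = '/' . preg_quote($user_text, '/') . '/u';
    return preg_match($pattern, $haystack);
}

// ALLOW-LIST SHAPE: when users genuinely need a choice of patterns, let them
// pick a NAME that maps to a developer-written regex instead of supplying one.
function search_named($haystack, $name) {
    static $patterns = array(
        'email'  => '/^[^@\s]+@[^@\s]+\.[^@\s]+$/',
        'digits' => '/^[0-9]+$/',
    );
    if (!isset($patterns[$name])) {
        return false; // unknown name: refuse rather than compile user text
    }
    return preg_match($patterns[$name], $haystack);
}

$text = 'order #42 from user@example.com'; // constructed sample input

var_dump(search_safe($text, '#42'));        // literal search succeeds
var_dump(search_safe($text, '[a-z]+'));     // brackets are plain characters here, no match
var_dump(search_unsafe($text, '[a-z]+'));   // same string, but now it is regex syntax
var_dump(search_named('12345', 'digits'));  // allowed name, developer's pattern runs
var_dump(search_named('12345', '[0-9]+'));  // not an allowed name, refused
```

The difference between search_safe() and search_unsafe() is the whole of the exposure question raised in the thread: an application whose patterns are all written by its developers is exposed only to its own developers' patterns, while one that compiles whatever a request hands it is exposed to anything PCRE's compiler mishandles.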
 [2008-03-04 19:35 UTC] test_junk at hotmail dot it
There are several scripts using the eval() statement in an unsafe manner (i.e., this makes the vulnerability remotely exploitable and potentially dangerous).
 [2008-07-17 01:00 UTC]
Nuno, didn't you already upgrade PCRE in PHP_4_4 branch..? (for the last release..)
 [2008-07-17 15:44 UTC]
ok, I've upgraded it today.
Last updated: Sat Oct 16 09:03:33 2021 UTC