php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44299 PCRE security issue
Submitted: 2008-02-29 23:58 UTC Modified: 2008-07-17 15:44 UTC
Votes:4
Avg. Score:4.5 ± 0.9
Reproduced:2 of 3 (66.7%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: test_junk at hotmail dot it Assigned: nlopess (profile)
Status: Closed Package: PCRE related
PHP Version: 4.4.8 OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: test_junk at hotmail dot it
New email:
PHP Version: OS:

 

 [2008-02-29 23:58 UTC] test_junk at hotmail dot it
Description:
------------
Hello,

PCRE versions prior to 7.6 are affected by a vulnerability: http://www.securityfocus.com/bid/27786

Unfortunately php 4.4.8 compiled against version 7.6 is unstable, are you going to fix this issue?

Thanks


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-03-01 22:52 UTC] nlopess@php.net
I can upgrade it in CVS, but I'm not sure there will be any further PHP 4 release. Derick can you comment on this?
 [2008-03-03 08:17 UTC] derick@php.net
From what I can see from their ChangeLog:

1.  A character class containing a very large number of characters with
    codepoints greater than 255 (in UTF-8 mode, of course) caused a
    buffer overflow.

Which is only an issue for the expression, and not "input" - so this should only be an issue if you use user-supplied input. Otherwise it's just a local-developer issue only. Which IMO doesn't warrant a new release.
 [2008-03-03 10:50 UTC] nlopess@php.net
Yes, that's true. This is only a problem if the program uses user-supplied regexes.
I think that the most problematic thing was the pcre 7.0 BC break, that was later fixed in 7.2 (we still bundle 7.0).
Anyway, Derick please reassign the bug report to me again if you want me to upgrade pcre or close it otherwise. I can always upgrade PCRE later if you decide to make a new release for some other reason.
 [2008-03-04 19:35 UTC] test_junk at hotmail dot it
There are several script using eval() statement in an unsafe manner (i.e. http://www.securityfocus.com/bid/14086), this makes the vulnerability remotely exploitable and potentially dangerous.
 [2008-07-17 01:00 UTC] jani@php.net
Nuno, didn't you already upgrade PCRE in PHP_4_4 branch..? (for the last release..)
 [2008-07-17 15:44 UTC] nlopess@php.net
ok, I've upgraded it today.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Dec 08 22:03:36 2021 UTC