php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44299 PCRE security issue
Submitted: 2008-02-29 23:58 UTC Modified: 2008-07-17 15:44 UTC
Votes:4
Avg. Score:4.5 ± 0.9
Reproduced:2 of 3 (66.7%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: test_junk at hotmail dot it Assigned: nlopess (profile)
Status: Closed Package: PCRE related
PHP Version: 4.4.8 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
46 + 50 = ?
Subscribe to this entry?

 
 [2008-02-29 23:58 UTC] test_junk at hotmail dot it
Description:
------------
Hello,

PCRE versions prior to 7.6 are affected by a vulnerability: http://www.securityfocus.com/bid/27786

Unfortunately php 4.4.8 compiled against version 7.6 is unstable, are you going to fix this issue?

Thanks


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-03-01 22:52 UTC] nlopess@php.net
I can upgrade it in CVS, but I'm not sure there will be any further PHP 4 release. Derick can you comment on this?
 [2008-03-03 08:17 UTC] derick@php.net
From what I can see from their ChangeLog:

1.  A character class containing a very large number of characters with
    codepoints greater than 255 (in UTF-8 mode, of course) caused a
    buffer overflow.

Which is only an issue for the expression, and not "input" - so this should only be an issue if you use user-supplied input. Otherwise it's just a local-developer issue only. Which IMO doesn't warrant a new release.
 [2008-03-03 10:50 UTC] nlopess@php.net
Yes, that's true. This is only a problem if the program uses user-supplied regexes.
I think that the most problematic thing was the pcre 7.0 BC break, that was later fixed in 7.2 (we still bundle 7.0).
Anyway, Derick please reassign the bug report to me again if you want me to upgrade pcre or close it otherwise. I can always upgrade PCRE later if you decide to make a new release for some other reason.
 [2008-03-04 19:35 UTC] test_junk at hotmail dot it
There are several script using eval() statement in an unsafe manner (i.e. http://www.securityfocus.com/bid/14086), this makes the vulnerability remotely exploitable and potentially dangerous.
 [2008-07-17 01:00 UTC] jani@php.net
Nuno, didn't you already upgrade PCRE in PHP_4_4 branch..? (for the last release..)
 [2008-07-17 15:44 UTC] nlopess@php.net
ok, I've upgraded it today.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Dec 08 23:03:35 2021 UTC