ID: 44299
Updated by: [EMAIL PROTECTED]
Reported By: test_junk at hotmail dot it
Status: Assigned
Bug Type: PCRE related
Operating System: *
PHP Version: 4.4.8
-Assigned To: derick
+Assigned To: nlopess
New Comment:
Nuno, didn't you already upgrade PCRE in the PHP_4_4 branch..? (for the last release..)

Previous Comments:
------------------------------------------------------------------------

[2008-03-04 19:35:42] test_junk at hotmail dot it

There are several scripts using the eval() statement in an unsafe manner (i.e. http://www.securityfocus.com/bid/14086); this makes the vulnerability remotely exploitable and potentially dangerous.

------------------------------------------------------------------------

[2008-03-03 10:50:03] [EMAIL PROTECTED]

Yes, that's true. This is only a problem if the program uses user-supplied regexes. I think that the most problematic thing was the pcre 7.0 BC break, that was later fixed in 7.2 (we still bundle 7.0).

Anyway, Derick please reassign the bug report to me again if you want me to upgrade pcre or close it otherwise. I can always upgrade PCRE later if you decide to make a new release for some other reason.

------------------------------------------------------------------------

[2008-03-03 08:17:02] [EMAIL PROTECTED]

From what I can see from their ChangeLog:

1. A character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer overflow.

Which is only an issue for the expression, and not "input" - so this should only be an issue if you use user-supplied input. Otherwise it's just a local-developer issue only. Which IMO doesn't warrant a new release.

------------------------------------------------------------------------

[2008-03-01 22:52:54] [EMAIL PROTECTED]

I can upgrade it in CVS, but I'm not sure there will be any further PHP 4 release. Derick can you comment on this?
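The two comments above agree that the PCRE bug sits in pattern compilation, so it only matters when untrusted text reaches the regex itself. The following PHP snippet is an added illustration of that distinction (not code from the bug report or from PHP): it shows a search function that passes user text straight in as the pattern beside one that keeps the pattern shape fixed and escapes the user text with preg_quote(). The sample haystack and inputs are constructed; the PCRE_VERSION constant only exists in newer PHP builds, so it is guarded with defined().

```php
<?php
// Added example (not from the bug report): keep user text out of the
// regex *pattern*, which is where the PCRE compilation bug discussed
// above lives. The input being searched is not the risky part.

// Constructed sample data for this example.
$haystack = "Order #1234 shipped to Milano; order #5678 pending";

// RISKY: user text becomes the pattern. Anything PCRE can parse (character
// classes, quantifiers, (?...) groups) reaches the pattern compiler.
function search_user_pattern($haystack, $user_pattern)
{
    // The /u modifier puts PCRE in UTF-8 mode, the mode named in the ChangeLog.
    return preg_match('/' . $user_pattern . '/u', $haystack);
}

// SAFER: user text is treated as a literal to look for. preg_quote() escapes
// every regex metacharacter (and the '/' delimiter), so the pattern's
// structure is decided by the developer, never by the request.
function search_literal($haystack, $user_text)
{
    $pattern = '/' . preg_quote($user_text, '/') . '/i';
    return preg_match($pattern, $haystack);
}

// If some regex behaviour must be user-selectable, expose a fixed menu of
// modes instead of accepting pattern syntax. The user still only supplies
// a literal; the switch picks the surrounding pattern.
function search_with_mode($haystack, $user_text, $mode)
{
    $quoted = preg_quote($user_text, '/');
    switch ($mode) {
        case 'whole-word':
            $pattern = '/\b' . $quoted . '\b/i';
            break;
        case 'prefix':
            $pattern = '/\b' . $quoted . '/i';
            break;
        default:
            $pattern = '/' . $quoted . '/i';
    }
    return preg_match($pattern, $haystack);
}

// Which PCRE is linked into this interpreter. PCRE_VERSION is not defined on
// PHP 4, so it is guarded; the string is what you would compare against the
// fixed release mentioned in the report.
function linked_pcre_version()
{
    return defined('PCRE_VERSION') ? PCRE_VERSION : 'unknown (PCRE_VERSION not defined in this build)';
}

// A plain literal works the same either way.
$ok = search_literal($haystack, '#1234');

// Text that is not valid pattern syntax ('[' opens an unclosed class):
// search_literal() simply looks for it literally, while
// search_user_pattern() hands it to the PCRE compiler and fails with a warning.
$literal_result = search_literal($haystack, '[milano');
$pattern_result = @search_user_pattern($haystack, '[milano');

echo "literal search: ", var_export($literal_result, true), "\n";
echo "user-pattern search: ", var_export($pattern_result, true), "\n";
echo "whole-word search: ", var_export(search_with_mode($haystack, 'milano', 'whole-word'), true), "\n";
echo "PCRE: ", linked_pcre_version(), "\n";
```

The practical check for code reviewing this class of issue is therefore a grep for preg_* calls whose first argument is built from request data; each such call either gets a preg_quote() wrapper, as in search_literal(), or a fixed-menu design like search_with_mode().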
------------------------------------------------------------------------

[2008-02-29 23:58:05] test_junk at hotmail dot it

Description:
------------
Hello,
PCRE versions prior to 7.6 are affected by a vulnerability: http://www.securityfocus.com/bid/27786

Unfortunately, PHP 4.4.8 compiled against version 7.6 is unstable. Are you going to fix this issue?

Thanks

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=44299&edit=1