ID: 44299
Updated by: [EMAIL PROTECTED]
Reported By: test_junk at hotmail dot it
-Status: Assigned
+Status: Closed
Bug Type: PCRE related
Operating System: *
PHP Version: 4.4.8
Assigned To: nlopess
New Comment:

ok, I've upgraded it today.

Previous Comments:
------------------------------------------------------------------------

[2008-07-17 01:00:06] [EMAIL PROTECTED]

Nuno, didn't you already upgrade PCRE in PHP_4_4 branch..? (for the last release..)

------------------------------------------------------------------------

[2008-03-04 19:35:42] test_junk at hotmail dot it

There are several scripts using the eval() statement in an unsafe manner (i.e. http://www.securityfocus.com/bid/14086); this makes the vulnerability remotely exploitable and potentially dangerous.

------------------------------------------------------------------------

[2008-03-03 10:50:03] [EMAIL PROTECTED]

Yes, that's true. This is only a problem if the program uses user-supplied regexes.
I think that the most problematic thing was the pcre 7.0 BC break, that was later fixed in 7.2 (we still bundle 7.0).
Anyway, Derick please reassign the bug report to me again if you want me to upgrade pcre or close it otherwise. I can always upgrade PCRE later if you decide to make a new release for some other reason.

------------------------------------------------------------------------

[2008-03-03 08:17:02] [EMAIL PROTECTED]

From what I can see from their ChangeLog:

1. A character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer overflow.

Which is only an issue for the expression, and not "input" - so this should only be an issue if you use user-supplied input. Otherwise it's just a local-developer issue only. Which IMO doesn't warrant a new release.

------------------------------------------------------------------------

[2008-03-01 22:52:54] [EMAIL PROTECTED]

I can upgrade it in CVS, but I'm not sure there will be any further PHP 4 release. Derick, can you comment on this?

------------------------------------------------------------------------

The remainder of the comments for this report are too long.
To view the rest of the comments, please view the bug report online at http://bugs.php.net/44299