#44299 [Asn]: PCRE security issue
ID: 44299
User updated by: test_junk at hotmail dot it
Reported By: test_junk at hotmail dot it
Status: Assigned
Bug Type: PCRE related
Operating System: All
PHP Version: 4.4.8
Assigned To: derick

New Comment:

There are several scripts using eval() statement in an unsafe manner (i.e. http://www.securityfocus.com/bid/14086), this makes the vulnerability remotely exploitable and potentially dangerous.

Previous Comments:

[2008-03-03 10:50:03] [EMAIL PROTECTED]

Yes, that's true. This is only a problem if the program uses user-supplied regexes. I think that the most problematic thing was the pcre 7.0 BC break, that was later fixed in 7.2 (we still bundle 7.0). Anyway, Derick please reassign the bug report to me again if you want me to upgrade pcre or close it otherwise. I can always upgrade PCRE later if you decide to make a new release for some other reason.

[2008-03-03 08:17:02] [EMAIL PROTECTED]

From what I can see from their ChangeLog:

1. A character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer overflow.

Which is only an issue for the expression, and not input - so this should only be an issue if you use user-supplied input. Otherwise it's just a local-developer issue only. Which IMO doesn't warrant a new release.

[2008-03-01 22:52:54] [EMAIL PROTECTED]

I can upgrade it in CVS, but I'm not sure there will be any further PHP 4 release. Derick can you comment on this?

[2008-02-29 23:58:05] test_junk at hotmail dot it

Description:
Hello, PCRE versions prior to 7.6 are affected by a vulnerability: http://www.securityfocus.com/bid/27786
Unfortunately php 4.4.8 compiled against version 7.6 is unstable, are you going to fix this issue?
Thanks
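The comments above place the overflow in the compiled expression rather than in the subject string, so exposure depends on whether request data ever reaches the pattern argument of a preg_* call. The following is an added example, not code from the bug report or from PHP itself; the function names and limit values are hypothetical.

```php
<?php
// Added example. Function names and limit values are hypothetical.
// preg_quote(), preg_match(), preg_last_error() and the pcre.* ini
// settings are standard PHP (the ini settings need PHP >= 5.2.0).

// Risky: the request value becomes part of the pattern, so the PCRE
// compiler parses untrusted text. Kept only for contrast, never called.
function search_unsafe($userInput, $text)
{
    return preg_match('/' . $userInput . '/u', $text);
}

// Safer: the request value is matched as a literal string. preg_quote()
// escapes regex metacharacters and the delimiter given as 2nd argument.
function search_literal($userInput, $text)
{
    $pattern = '/' . preg_quote($userInput, '/') . '/u';
    return preg_match($pattern, $text) === 1;
}

// When users must supply real patterns: bound the pattern and the matcher.
// Returns array(bool matched, string|null error).
function search_user_pattern($userPattern, $text, $maxLen = 128)
{
    if (strlen($userPattern) > $maxLen) {
        return array(false, 'pattern too long');
    }
    // Refuse the delimiter and NUL so input cannot end the pattern early
    // and append its own modifiers.
    if (strpos($userPattern, '~') !== false || strpos($userPattern, "\0") !== false) {
        return array(false, 'pattern contains a forbidden character');
    }
    // Cap recursion and backtracking inside the matcher (illustrative values).
    ini_set('pcre.recursion_limit', '10000');
    ini_set('pcre.backtrack_limit', '100000');

    $result = @preg_match('~' . $userPattern . '~u', $text);
    if ($result === false) {
        // Compile failure or a limit was hit; treat both as a rejection.
        return array(false, 'pattern rejected, preg_last_error=' . preg_last_error());
    }
    return array($result === 1, null);
}

// Constructed sample inputs.
var_dump(search_literal('[a-z]+', 'price [a-z]+ list'));
print_r(search_user_pattern('^ab+c$', 'abbbc'));
print_r(search_user_pattern(str_repeat('a', 500), 'x'));
print_r(search_user_pattern('a~e', 'x'));
```

These checks narrow what reaches the PCRE compiler and matcher; they do not replace updating the bundled library.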
#44299 [NEW]: PCRE security issue
From: test_junk at hotmail dot it
Operating system: All
PHP version: 4.4.8
PHP Bug Type: PCRE related
Bug description: PCRE security issue

Description:
Hello, PCRE versions prior to 7.6 are affected by a vulnerability: http://www.securityfocus.com/bid/27786
Unfortunately php 4.4.8 compiled against version 7.6 is unstable, are you going to fix this issue?
Thanks
#40624 [Fbk-Opn]: pcrelib broken with php 4.4.5
ID: 40624
User updated by: test_junk at hotmail dot it
Reported By: test_junk at hotmail dot it
-Status: Feedback
+Status: Open
Bug Type: PCRE related
Operating System: linux 2.4 i386
PHP Version: 4.4.5

New Comment:

I downgraded the PCRE lib to the 6.6 release, the one shipped with php 4.4.4 and the problem appears to be resolved. It's indeed a PCRE issue, I hope they will fix it in the future releases.

Previous Comments:

[2007-02-28 08:01:11] [EMAIL PROTECTED]

> Is this issue going to be fixed in the next release?

We got a workaround for it in PHP5, but we're not going to add it to PHP4, so you have to upgrade your PHP first. This issue (if it's really what it seems to be) is actually not PHP problem, but a well-known PCRE issue. Though, I wouldn't be 100% sure without a test-case.

[2007-02-28 07:07:52] test_junk at hotmail dot it

Is this issue going to be fixed in the next release? Unfortunately it breaks lots of things, including very popular apps. I will try to do my best in finding the responsible php code but I'm not sure it will be possible. Thanks for your interest in this matter.

[2007-02-28 00:13:38] [EMAIL PROTECTED]

Yup, it does look like a stack overflow (which is a known issue in PCRE), though we would appreciate a test case anyway.

[2007-02-27 23:39:19] test_junk at hotmail dot it

I couldn't isolate the code yet. However the full backtrace is the following (I ran the same app twice):

1st time:
    #0 0x081851f2 in match (eptr=0x61737361 Address 0x61737361 out of bounds, ecode=0x2c69746c Address 0x2c69746c out of bounds, offset_top=1919250464, md=0x7474656d, ims=1868852837, eptrb=0x736f6320, flags=1629531331, rdepth=1702192160) at /sources/php/php-4.4.6/ext/pcre/pcrelib/pcre_exec.c:2209
    #1 0x in ?? ()

2nd time:
    #0 0x0818257f in match (eptr=0x61737361 Address 0x61737361 out of bounds, ecode=0x2c69746c Address 0x2c69746c out of bounds, offset_top=1919250464, md=0x7474656d, ims=1868852837, eptrb=0x736f6320, flags=1629531331, rdepth=1702192160) at /sources/php/php-4.4.6/ext/pcre/pcrelib/pcre_exec.c:1071
    Cannot access memory at address 0xbf70

[2007-02-26 14:00:30] [EMAIL PROTECTED]

also please post the whole backtrace, so that we can see what's happening (it may be just a stack overflow..)

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/40624
#40624 [Fbk-Opn]: pcrelib broken with php 4.4.5
ID: 40624
User updated by: test_junk at hotmail dot it
Reported By: test_junk at hotmail dot it
-Status: Feedback
+Status: Open
Bug Type: PCRE related
Operating System: linux 2.4 i386
PHP Version: 4.4.5

New Comment:

I couldn't isolate the code yet. However the full backtrace is the following (I ran the same app twice):

1st time:
    #0 0x081851f2 in match (eptr=0x61737361 Address 0x61737361 out of bounds, ecode=0x2c69746c Address 0x2c69746c out of bounds, offset_top=1919250464, md=0x7474656d, ims=1868852837, eptrb=0x736f6320, flags=1629531331, rdepth=1702192160) at /sources/php/php-4.4.6/ext/pcre/pcrelib/pcre_exec.c:2209
    #1 0x in ?? ()

2nd time:
    #0 0x0818257f in match (eptr=0x61737361 Address 0x61737361 out of bounds, ecode=0x2c69746c Address 0x2c69746c out of bounds, offset_top=1919250464, md=0x7474656d, ims=1868852837, eptrb=0x736f6320, flags=1629531331, rdepth=1702192160) at /sources/php/php-4.4.6/ext/pcre/pcrelib/pcre_exec.c:1071
    Cannot access memory at address 0xbf70

Previous Comments:

[2007-02-26 14:00:30] [EMAIL PROTECTED]

also please post the whole backtrace, so that we can see what's happening (it may be just a stack overflow..)

[2007-02-26 08:58:27] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc.

If the script requires a database to demonstrate the issue, please make sure it creates all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2007-02-26 00:24:41] test_junk at hotmail dot it

This snapshot is identical to the one I tested as far as I am seeing comparing the 2 archives, however which files did you modify?

The only way I have to trigger this bug is recompiling the engine on a production server but since it breaks several websites (Drupal seems to be most affected) I can do it only at night so I can perform a limited number of attempts.

[2007-02-25 23:03:49] [EMAIL PROTECTED]

Please try using this CVS snapshot:
http://snaps.php.net/php4-STABLE-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

sorry, can you please try again a new snapshot? I made some changes a few hours ago and I don't know if they made their way in the snapshot you tested. If it still doesn't work, please post the entire backtrace (or link to an external page if it's too big). Also please try to isolate the code that triggers the bug.

[2007-02-25 22:14:37] test_junk at hotmail dot it

I compiled CVS 200702251930 but unfortunately the problem persists.

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/40624
#40624 [Fbk-Opn]: pcrelib broken with php 4.4.5
ID: 40624
User updated by: test_junk at hotmail dot it
Reported By: test_junk at hotmail dot it
-Status: Feedback
+Status: Open
Bug Type: PCRE related
Operating System: linux 2.4 i386
PHP Version: 4.4.5

New Comment:

Is this issue going to be fixed in the next release? Unfortunately it breaks lots of things, including very popular apps. I will try to do my best in finding the responsible php code but I'm not sure it will be possible. Thanks for your interest in this matter.

Previous Comments:

[2007-02-28 00:13:38] [EMAIL PROTECTED]

Yup, it does look like a stack overflow (which is a known issue in PCRE), though we would appreciate a test case anyway.

[2007-02-27 23:39:19] test_junk at hotmail dot it

I couldn't isolate the code yet. However the full backtrace is the following (I ran the same app twice):

1st time:
    #0 0x081851f2 in match (eptr=0x61737361 Address 0x61737361 out of bounds, ecode=0x2c69746c Address 0x2c69746c out of bounds, offset_top=1919250464, md=0x7474656d, ims=1868852837, eptrb=0x736f6320, flags=1629531331, rdepth=1702192160) at /sources/php/php-4.4.6/ext/pcre/pcrelib/pcre_exec.c:2209
    #1 0x in ?? ()

2nd time:
    #0 0x0818257f in match (eptr=0x61737361 Address 0x61737361 out of bounds, ecode=0x2c69746c Address 0x2c69746c out of bounds, offset_top=1919250464, md=0x7474656d, ims=1868852837, eptrb=0x736f6320, flags=1629531331, rdepth=1702192160) at /sources/php/php-4.4.6/ext/pcre/pcrelib/pcre_exec.c:1071
    Cannot access memory at address 0xbf70

[2007-02-26 14:00:30] [EMAIL PROTECTED]

also please post the whole backtrace, so that we can see what's happening (it may be just a stack overflow..)

[2007-02-26 08:58:27] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc.

If the script requires a database to demonstrate the issue, please make sure it creates all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2007-02-26 00:24:41] test_junk at hotmail dot it

This snapshot is identical to the one I tested as far as I am seeing comparing the 2 archives, however which files did you modify?

The only way I have to trigger this bug is recompiling the engine on a production server but since it breaks several websites (Drupal seems to be most affected) I can do it only at night so I can perform a limited number of attempts.

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/40624
#40619 [Asn]: php5/FastCGI crash
ID: 40619
User updated by: test_junk at hotmail dot it
Reported By: test_junk at hotmail dot it
Status: Assigned
Bug Type: Reproducible crash
Operating System: Linux 2.6
PHP Version: 5.2.1
Assigned To: dmitry

New Comment:

I recompiled the last CVS with debug support in order to get a backtrace but I couldn't reproduce the problem, did you fix it?

Previous Comments:

[2007-02-24 17:28:18] test_junk at hotmail dot it

-

[2007-02-24 17:05:37] test_junk at hotmail dot it

Description:
Upgrading to 5.2.1 (even the last CVS) caused the malfunction of several applications. We noticed the crash of apparently every script handling POST data. The configuration in use was php-5.2.1 + FastCGI + Apache 1.3.37, downgrading back to 5.2.0 resolved the problem.

Reproduce code:
---
test.html:

    <form enctype="multipart/form-data" action="test.php" method="post">
    <input type="hidden" name="MAX_FILE_SIZE" value="1000">
    Send this file: <input name="userfile" type="file">
    <input type="submit" value="Send File">
    </form>

test.php:

    <?php echo "Hello"; ?>

Actual result:
--
Internal server error
#40624 [Fbk-Opn]: pcrelib broken with php 4.4.5
ID: 40624
User updated by: test_junk at hotmail dot it
Reported By: test_junk at hotmail dot it
-Status: Feedback
+Status: Open
Bug Type: PCRE related
Operating System: linux 2.4 i386
PHP Version: 4.4.5

New Comment:

I compiled CVS 200702251930 but unfortunately the problem persists.

Previous Comments:

[2007-02-25 18:06:19] [EMAIL PROTECTED]

Please try using this CVS snapshot:
http://snaps.php.net/php4-STABLE-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

PCRE was upgraded again in 4.4.6rc1, could you please try that?

[2007-02-25 03:04:19] test_junk at hotmail dot it

Description:
Recent update to php 4.4.5 broke PCRE regex support. The issue showed up upgrading to 4.4.5 installed as apache module (1.3.37 both on 2.4 and 2.6 kernels) and was resolved downgrading back to 4.4.4.

I could trigger a segfault with several applications but I was not able to detect the chunk of php code responsible for it.

Actual result:
--
segfault...
    #0 match (eptr=0x0, ecode=0x0, offset_top=0, md=0x0, ims=0, eptrb=0x0, flags=0, rdepth=0) at /sources/php-4.4.5/ext/pcre/pcrelib/pcre_exec.c:517
    Cannot access memory at address 0xbf7fff30
#40624 [Fbk-Opn]: pcrelib broken with php 4.4.5
ID: 40624
User updated by: test_junk at hotmail dot it
Reported By: test_junk at hotmail dot it
-Status: Feedback
+Status: Open
Bug Type: PCRE related
Operating System: linux 2.4 i386
PHP Version: 4.4.5

New Comment:

This snapshot is identical to the one I tested as far as I am seeing comparing the 2 archives, however which files did you modify?

The only way I have to trigger this bug is recompiling the engine on a production server but since it breaks several websites (Drupal seems to be most affected) I can do it only at night so I can perform a limited number of attempts.

Previous Comments:

[2007-02-25 23:03:49] [EMAIL PROTECTED]

Please try using this CVS snapshot:
http://snaps.php.net/php4-STABLE-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

sorry, can you please try again a new snapshot? I made some changes a few hours ago and I don't know if they made their way in the snapshot you tested. If it still doesn't work, please post the entire backtrace (or link to an external page if it's too big). Also please try to isolate the code that triggers the bug.

[2007-02-25 22:14:37] test_junk at hotmail dot it

I compiled CVS 200702251930 but unfortunately the problem persists.

[2007-02-25 18:06:19] [EMAIL PROTECTED]

Please try using this CVS snapshot:
http://snaps.php.net/php4-STABLE-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

PCRE was upgraded again in 4.4.6rc1, could you please try that?

[2007-02-25 03:04:19] test_junk at hotmail dot it

Description:
Recent update to php 4.4.5 broke PCRE regex support. The issue showed up upgrading to 4.4.5 installed as apache module (1.3.37 both on 2.4 and 2.6 kernels) and was resolved downgrading back to 4.4.4.

I could trigger a segfault with several applications but I was not able to detect the chunk of php code responsible for it.

Actual result:
--
segfault...
    #0 match (eptr=0x0, ecode=0x0, offset_top=0, md=0x0, ims=0, eptrb=0x0, flags=0, rdepth=0) at /sources/php-4.4.5/ext/pcre/pcrelib/pcre_exec.c:517
    Cannot access memory at address 0xbf7fff30
#40619 [NEW]: php5/FastCGI crash
From: test_junk at hotmail dot it
Operating system: Linux 2.6
PHP version: 4CVS-2007-02-24 (CVS)
PHP Bug Type: Reproducible crash
Bug description: php5/FastCGI crash

Description:
Upgrading to 5.2.1 (even the last CVS) caused the malfunction of several applications. We noticed the crash of apparently every script handling POST data. The configuration in use was php-5.2.1 + FastCGI + Apache 1.3.37, downgrading back to 5.2.0 resolved the problem.

Reproduce code:
---
test.html:

    <form enctype="multipart/form-data" action="test.php" method="post">
    <input type="hidden" name="MAX_FILE_SIZE" value="1000">
    Send this file: <input name="userfile" type="file">
    <input type="submit" value="Send File">
    </form>

test.php:

    <?php echo "Hello"; ?>

Actual result:
--
Internal server error
#40624 [NEW]: pcrelib broken with php 4.4.5
From: test_junk at hotmail dot it
Operating system: linux 2.4 i386
PHP version: 4.4.5
PHP Bug Type: PCRE related
Bug description: pcrelib broken with php 4.4.5

Description:
Recent update to php 4.4.5 broke PCRE regex support. The issue showed up upgrading to 4.4.5 installed as apache module (1.3.37 both on 2.4 and 2.6 kernels) and was resolved downgrading back to 4.4.4.

I could trigger a segfault with several applications but I was not able to detect the chunk of php code responsible for it.

Actual result:
--
segfault...
    #0 match (eptr=0x0, ecode=0x0, offset_top=0, md=0x0, ims=0, eptrb=0x0, flags=0, rdepth=0) at /sources/php-4.4.5/ext/pcre/pcrelib/pcre_exec.c:517
    Cannot access memory at address 0xbf7fff30