The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

Upstream patch: https://vcs.pcre.org/pcre?view=revision&revision=1680
Upstream bug: https://bugs.exim.org/show_bug.cgi?id=2035
Created glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1425394]

Created mingw-glib2 tracking bugs for this issue:
Affects: epel-7 [bug 1425392]
Affects: fedora-all [bug 1425396]

Created mingw-pcre tracking bugs for this issue:
Affects: epel-7 [bug 1425393]
Affects: fedora-all [bug 1425391]

Created pcre tracking bugs for this issue:
Affects: fedora-all [bug 1425395]
virt-p2v (an ISO that we ship in RHEL 7) contains an embedded copy of pcre. However, it does NOT call pcre_jit_compile explicitly. Do you know if this function can be called implicitly (e.g., from pcre_compile, which virt-p2v does call)?
PCRE does not use JIT by default. An application must request JIT explicitly by calling pcre_study() (pcre16_study() or pcre32_study()) with some of the PCRE_STUDY_JIT_* values in the second parameter.
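One way to check an application's source for the explicit JIT request described in the comment above (an added example, not code from PCRE, virt-p2v or this bug report). The function names `find_study_calls` and `_call_args`, the verdict labels and the sample C lines are assumptions made for illustration; the scan is a static heuristic over the second argument of each pcre_study(), pcre16_study() or pcre32_study() call.

```python
import re
# Entry points named in the comment above: pcre_study(), pcre16_study(), pcre32_study().
STUDY_CALL = re.compile(r"\b(pcre(?:16|32)?_study)\s*\(")
JIT_FLAG = re.compile(r"\bPCRE_STUDY_JIT_\w+")
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def _call_args(src, start):
    """Split the argument list that begins just after '(' at index start."""
    depth, args, cur = 1, [], []
    for ch in src[start:]:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                break
        if ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur).strip())
    return args

def find_study_calls(src):
    """Return (line, function, verdict) for each pcre*_study() call in C source."""
    src = COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)
    results = []
    for m in STUDY_CALL.finditer(src):
        args = _call_args(src, m.end())
        options = args[1] if len(args) > 1 else ""
        if JIT_FLAG.search(options):
            verdict = "jit-requested"
        elif re.fullmatch(r"0[xX]?0*", options):
            verdict = "no-jit"
        else:
            verdict = "review"   # options come from a variable or macro
        results.append((src.count("\n", 0, m.start()) + 1, m.group(1), verdict))
    return results

# Constructed sample input, not taken from virt-p2v or any real project.
SAMPLE = '''\
re = pcre_compile(pattern, 0, &err, &off, NULL);
extra = pcre_study(re, 0, &err);
/* extra = pcre_study(re, PCRE_STUDY_JIT_COMPILE, &err); */
extra = pcre_study(re,
                   PCRE_STUDY_JIT_COMPILE | PCRE_STUDY_EXTRA_NEEDED, &err);
extra16 = pcre16_study(re16, study_opts, &err);
'''
```

A "review" verdict means the options argument is not a literal, so the flag value has to be traced by hand; prototypes and the bundled PCRE sources themselves will also show up as "review" and can be ignored.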
pcre-8.40-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
This issue affects the versions of rh-php70-php as shipped with Red Hat Software Collections 2.4 for Red Hat Enterprise Linux 6. This issue does not affect the versions of rh-php70-php as shipped with Red Hat Software Collections 2.4 for Red Hat Enterprise Linux 7.
This issue has been addressed in the following products:

Red Hat JBoss Core Services

Via RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:2486