PHP through is vulnerable to an out of bounds access in the php_pcre.c:php_pcre_replace_impl() function. An attacker could exploit this by calling preg_replace() with crafted arguments. Upstream Bug: https://bugs.php.net/bug.php?id=74604
Created php tracking bugs for this issue: Affects: fedora-all [bug 1611891]
Upstream does not consider this as a security issue, per https://wiki.php.net/security as it rely on bas configuration (no memory limit)
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-9118