+++ This bug was initially created as a clone of Bug #166330 +++

PCRE 6.2 was released recently which included a fix for a heap buffer overflow. PCRE is used by things such as Apache but only for configuration (therefore making an exploit low severity). A number of packages also include PCRE code internally; I'll be adding separate bugs for those that contain PCRE and do not use system PCRE later.

Changelog states:

1. There was no test for integer overflow of quantifier values. A construction such as {1111111111111111} would give undefined results. What is worse, if a minimum quantifier for a parenthesized subpattern overflowed and became negative, the calculation of the memory size went wrong. This could have led to memory overwriting.

A minimal diff of the flaw is attached; the full 6.2 to 6.1 diff contains other fixes that might be worth incorporating and a test for this flaw.

Although PHP in RHEL3 and RHEL4 definitely uses the system pcre library, the one in RHEL2.1 seemed to use the internal version. This needs confirming and determining if there is a security context from this flaw.
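To illustrate the changelog item above, here is an added example (not PCRE's code, not from the bug report) contrasting an unchecked digit accumulator, which wraps negative on {1111111111111111}, with a quantifier parser that rejects overflow before it can reach a size calculation. MAX_REPEAT is a hypothetical cap chosen for the example, not PCRE's own limit.

```c
#include <limits.h>

/* Hypothetical cap on a repeat count for this example; not PCRE's limit. */
#define MAX_REPEAT 65535

/* Unchecked accumulation, as the pre-6.2 behaviour is described: the digits
 * of {1111111111111111} wrap a 32-bit accumulator and the count goes
 * negative. Unsigned arithmetic keeps the wrap itself well defined here. */
int unchecked_repeat_count(const char *s)
{
    unsigned int value = 0;
    while (*s >= '0' && *s <= '9')
        value = value * 10u + (unsigned int)(*s++ - '0');
    return (int)value;
}

/* Checked version: refuse before the accumulator can wrap, and refuse any
 * count above MAX_REPEAT. Returns the count or -1; advances *p past digits. */
static int checked_repeat_count(const char **p)
{
    const char *s = *p;
    int value = 0;
    if (*s < '0' || *s > '9') return -1;
    while (*s >= '0' && *s <= '9') {
        int digit = *s - '0';
        if (value > (INT_MAX - digit) / 10) return -1;  /* would wrap */
        value = value * 10 + digit;
        if (value > MAX_REPEAT) return -1;              /* above the cap */
        s++;
    }
    *p = s;
    return value;
}

/* Parse "{n}", "{n,}" or "{n,m}". Returns 0 and sets *min/*max (max == -1
 * means unbounded), or -1 if malformed, overflowing, or max < min. A caller
 * that sizes memory from *min can therefore never see a negative count. */
int parse_quantifier(const char *q, int *min, int *max)
{
    int lo, hi;
    if (*q++ != '{') return -1;
    if ((lo = checked_repeat_count(&q)) < 0) return -1;
    hi = lo;
    if (*q == ',') {
        q++;
        if (*q == '}') hi = -1;
        else if ((hi = checked_repeat_count(&q)) < 0 || hi < lo) return -1;
    }
    if (*q != '}') return -1;
    *min = lo; *max = hi;
    return 0;
}
```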
unixlabs
It does affect the pcre library bundled in the RHEL2.1 php, but only in a manner such that the script author can crash the interpreter (untrusted user input should not be passed as a regex); downgrading to normal severity.
This problem is resolved in the errata updates for Red Hat Enterprise Linux 3 and 4. Red Hat does not currently plan to provide a resolution for this in a Red Hat Enterprise Linux 2.1 update for currently deployed systems.
May I inquire as to why you don't fix an issue that is an obvious DOS and for which I assume patches are available?
Due to comment #2, that untrusted data should never be passed to a regexp - otherwise only the script author can cause their PHP script to crash.