Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3710 to the following vulnerability: Name: CVE-2010-3710 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3710 Assigned: 20101001 Reference: CONFIRM: http://bugs.php.net/bug.php?id=52929 Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string.
Upstream fix is here: http://svn.php.net/viewvc/?view=revision&revision=303779 filter_var() was introduced in PHP 5.2.0 so this does not affect versions of PHP prior to that.
Created php tracking bugs for this issue Affects: fedora-all [bug 646688]
This was corrected in upstream 5.3.4.
What happens here is stack overflow caused by deep recursion in the PCRE regular expression engine, when long input is compared to a "valid email address" regular expression. This regular expression was changed in between PHP versions 5.3.2 and 5.3.3: http://svn.php.net/viewvc?view=revision&revision=297350 http://bugs.php.net/49576 This issue does not occur with the previously used regular expression. Hence only php53 packages introduced in Red Hat Enterprise Linux 5.6 were affected.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2011:0196 https://rhn.redhat.com/errata/RHSA-2011-0196.html
Statement: This issue did not affect the version of php packages as shipped with Red Hat Enterprise Linux 4, 5 or 6. It did affect the PHP 5.3 (php53) package on Red Hat Enterprise Linux 5.