The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.
Created glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1425394]
Created mingw-glib2 tracking bugs for this issue:
Affects: epel-7 [bug 1425392]
Affects: fedora-all [bug 1425396]
Created mingw-pcre tracking bugs for this issue:
Affects: epel-7 [bug 1425393]
Affects: fedora-all [bug 1425391]
Created pcre tracking bugs for this issue:
Affects: fedora-all [bug 1425395]
virt-p2v (an ISO that we ship in RHEL 7) contains an embedded copy of pcre.
However, it does NOT call pcre_jit_compile explicitly. Do you know if this function can be called implicitly (e.g., from pcre_compile, which virt-p2v does call)?
PCRE does not use JIT by default. An application must request JIT explicitly by calling pcre_study() (pcre16_study() or pcre32_study()) with some of the PCRE_STUDY_JIT_* values in the second parameter.
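The check described in the comment above can be run over an application's C sources to see whether it ever requests JIT. This is an added example, not part of the original comments or of any project's code. The helper names and the sample input are assumptions made for illustration, and a "review" verdict means the options argument is a variable or macro that has to be traced by hand.

```python
import re

# Entry points named above; comments and literals are blanked before matching.
STUDY_CALL = re.compile(r"\b(pcre(?:16|32)?_study)\s*\(")
JIT_FLAG = re.compile(r"\bPCRE_STUDY_JIT_\w+")
NOISE = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])+\'|/\*.*?\*/|//[^\n]*', re.S)

def split_args(src, open_idx):
    """Split the call whose '(' is at open_idx on its top-level commas."""
    args, depth, start = [], 0, open_idx + 1
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return args + [src[start:i].strip()]
        elif src[i] == "," and depth == 1:
            args.append(src[start:i].strip())
            start = i + 1
    return []  # truncated call, nothing to classify

def audit_study_calls(c_source):
    """Return (line, function, verdict, jit_flags) for every study call."""
    src = NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), c_source)
    findings = []
    for m in STUDY_CALL.finditer(src):
        args = split_args(src, m.end() - 1)
        if len(args) < 2 or re.match(r"int\b", args[1]):
            continue  # prototype or definition, not a call site
        flags = JIT_FLAG.findall(args[1])
        names = re.findall(r"\b[A-Za-z_]\w*", args[1])
        literal = all(n.startswith("PCRE_STUDY_") for n in names)
        verdict = "jit" if flags else "no-jit" if literal else "review"
        findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), verdict, flags))
    return findings

# Constructed sample input, not taken from virt-p2v or any real project.
SAMPLE = '''\
extra = pcre_study(re, 0, &err);
fast = pcre_study(re2,
                  PCRE_STUDY_JIT_COMPILE | PCRE_STUDY_EXTRA_NEEDED, &err);
wide = pcre16_study(re3, study_opts, &err);
// old = pcre_study(re, PCRE_STUDY_JIT_COMPILE, &err);
pcre_extra *pcre_study(const pcre *, int, const char **);
'''

if __name__ == "__main__":
    print(*audit_study_calls(SAMPLE), sep="\n")
```

Only call sites with a "jit" or "review" verdict need a closer look for this issue; a tree with none of them never reaches the JIT compiler through pcre_study().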
pcre-8.40-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
This issue affects the versions of rh-php70-php as shipped with Red Hat Software Collections 2.4 for Red Hat Enterprise Linux 6. This issue does not affect the versions of rh-php70-php as shipped with Red Hat Software Collections 2.4 for Red Hat Enterprise Linux 7.
This issue has been addressed in the following products:
Red Hat JBoss Core Services
Via RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:2486