Date: Thu, 4 Jun 2015 09:11:28 -0300
From: Felipe Pena <felipensp@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Re: Re: Re: Re: CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match()

On Wed, Jun 3, 2015 at 9:58 PM, wen_guanxing <wen_guanxing@...ustech.com.cn> wrote:
> Although PHP is not setting the match_limit_recursion correctly, this pattern revealed a bug in the zero length recursion detector. Running the pattern with pcretest, the process will also hang.
> It's fair to say that both PHP and PCRE have made a mistake.
> I will report this to PHP later.

AFAIK this is not a bug on PHP at all, this is a long time known issue on PCRE lib instead. Check the documentation for further details:
http://pcre.org/current/doc/html/pcre2stack.html

--
Regards,
Felipe Pena