Comment 6 for bug 1025670

Tim Starling (tstarling) wrote :

I have confirmed it in Lucid and Precise. It's possible that it's fixed already in Quantal. The message you quote is the expected response when the bug has been fixed (or if the codepoint is more than 7 hexadecimal digits).

Ubuntu's PHP packages link to libpcre3, and some PHP applications (for example the one I work on) allow web users to specify PCRE regex patterns. So it's a DoS vulnerability, and when used with Apache with a threaded MPM, perhaps it could be used to leak private data from unrelated web requests. If the patch is backported to Lucid and Precise, then we'll be able to keep using PCRE from Ubuntu, and we won't have to create our own packages.