Could a CVE be assigned for this flaw? PHP 5.3.7 changed how the
function worked, and as a result it could allow for remote arbitrary
code execution if certain specific conditions are met (the blog post
referenced below has a good writeup of the flaw).

It looks like this is the fix:

Vincent Danen / Red Hat Security Response Team