Bug 443780 (CVE-2008-1026)

Summary: CVE-2008-1026 WebKit: Integer overflow in the PCRE regular expression compiler
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: peter
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1026
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-05 16:27:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-04-23 09:22:04 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1026 to the following vulnerability:

Integer overflow in the PCRE regular expression compiler (JavaScriptCore/pcre/pcre_compile.cpp) in Apple WebKit, as used in Safari before 3.1.1, allows remote attackers to execute arbitrary code via a regular expression with large, nested repetition counts, which triggers a heap-based buffer overflow.

References:
http://www.securityfocus.com/archive/1/archive/1/490990/100/0/threaded
http://www.zerodayinitiative.com/advisories/ZDI-08-022
http://support.apple.com/kb/HT1467
http://lists.apple.com/archives/security-announce/2008/Apr/msg00001.html
http://www.securityfocus.com/bid/28815
http://www.securitytracker.com/id?1019870
http://marc.info/?l=dailydave&m=120670880726067&w=2

Comment 1 Tomas Hoger 2008-04-23 09:23:23 UTC
Relevant part of the Apple security advisory:

WebKit
CVE-ID:  CVE-2008-1026
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
Impact:  Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in WebKit's handling of
JavaScript regular expressions. The issue may be triggered via
JavaScript when processing regular expressions with large, nested
repetition counts. This may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of JavaScript regular
expressions. Credit to Charlie Miller working with TippingPoint's
Zero Day Initiative for reporting this issue.


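The advisory above describes a compile-time size computation that wraps when nested repetition counts are multiplied, so the heap buffer allocated for the compiled pattern ends up smaller than what the compiler then writes into it, and a fix that rejects such patterns through additional validation. The C program below is an added illustration and is not WebKit's or PCRE's code: it models a toy regex compiler that unrolls bounded repeats {n,m} by copying the repeated sub-program, and sizes the output both the naive way (32-bit arithmetic that silently wraps) and the checked way (64-bit arithmetic compared against an allocation cap at every step, so an oversized pattern is refused before any buffer is allocated). The grammar, the per-item costs, the 16 MiB cap, the sample patterns and the function names are all assumptions made for this example.

```c
/* Added example (not WebKit's or PCRE's code): a toy model of how a regex
 * compiler that unrolls bounded repeats sizes its output buffer, showing
 * the unchecked 32-bit computation beside an overflow-safe one.
 *
 * Hypothetical grammar handled here:
 *   pattern := item*
 *   item    := ( 'a'..'z' | '(' pattern ')' ) [ '{' n [ ',' m ] '}' ]
 * Assumed costs: a literal is 1 unit, a group adds 2 units of overhead,
 * and a repeat {n,m} costs m copies of the repeated item.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed upper bound on a compiled program; anything larger is rejected. */
#define MAX_PROGRAM_SIZE (16u * 1024u * 1024u)

enum size_status { SIZE_OK = 0, SIZE_SYNTAX = 1, SIZE_TOO_LARGE = 2 };

struct cursor { const char *s; size_t pos; };

static int peek(const struct cursor *c) { return (unsigned char)c->s[c->pos]; }

/* Parse a decimal number, refusing one that does not fit in uint32_t. */
static bool parse_number(struct cursor *c, uint32_t *out) {
    uint64_t v = 0;
    size_t start = c->pos;
    while (peek(c) >= '0' && peek(c) <= '9') {
        v = v * 10 + (uint64_t)(peek(c) - '0');
        if (v > UINT32_MAX) return false;
        c->pos++;
    }
    if (c->pos == start) return false;
    *out = (uint32_t)v;
    return true;
}

/* Parse an optional {n} or {n,m}; yields the maximum repeat count (1 if absent). */
static bool parse_quantifier(struct cursor *c, uint32_t *max_count) {
    uint32_t n, m;
    *max_count = 1;
    if (peek(c) != '{') return true;
    c->pos++;
    if (!parse_number(c, &n)) return false;
    m = n;
    if (peek(c) == ',') {
        c->pos++;
        if (!parse_number(c, &m)) return false;
    }
    if (peek(c) != '}' || m < n) return false;
    c->pos++;
    *max_count = m;
    return true;
}

/* Size the pattern up to ')' or end of string.
 * checked == false: plain 32-bit arithmetic that wraps silently (the bug class).
 * checked == true: 64-bit arithmetic compared with the cap at every step, so the
 * running total can never wrap and an oversized pattern is rejected. */
static enum size_status size_pattern(struct cursor *c, bool checked, uint32_t *total) {
    uint64_t sum = 0;
    for (;;) {
        int ch = peek(c);
        uint64_t item;
        uint32_t reps;
        if (ch == '\0' || ch == ')') break;
        if (ch >= 'a' && ch <= 'z') {
            c->pos++;
            item = 1;
        } else if (ch == '(') {
            uint32_t inner;
            enum size_status st;
            c->pos++;
            st = size_pattern(c, checked, &inner);
            if (st != SIZE_OK) return st;
            if (peek(c) != ')') return SIZE_SYNTAX;
            c->pos++;
            item = (uint64_t)inner + 2;
        } else {
            return SIZE_SYNTAX;
        }
        if (!parse_quantifier(c, &reps)) return SIZE_SYNTAX;
        if (checked) {
            /* inner <= cap and reps < 2^32, so the 64-bit product cannot wrap. */
            item *= reps;
            if (item > MAX_PROGRAM_SIZE || sum + item > MAX_PROGRAM_SIZE) return SIZE_TOO_LARGE;
            sum += item;
        } else {
            /* Emulate the 32-bit arithmetic of a naive compiler: the product wraps. */
            item = (uint32_t)((uint32_t)item * reps);
            sum = (uint32_t)(sum + item);
        }
    }
    *total = (uint32_t)sum;
    return SIZE_OK;
}

/* Checked sizing: SIZE_OK with the size stored, or the reason for rejection. */
enum size_status checked_program_size(const char *pattern, uint32_t *size) {
    struct cursor c = { pattern, 0 };
    enum size_status st = size_pattern(&c, true, size);
    if (st == SIZE_OK && pattern[c.pos] != '\0') return SIZE_SYNTAX; /* unbalanced ')' */
    return st;
}

/* Unchecked sizing: the number a compiler trusting 32-bit arithmetic would allocate. */
uint32_t naive_program_size(const char *pattern) {
    struct cursor c = { pattern, 0 };
    uint32_t size = 0;
    if (size_pattern(&c, false, &size) != SIZE_OK) return 0;
    return size;
}

int main(void) {
    /* Constructed sample patterns: a benign one and a nested repeat that wraps. */
    const char *patterns[] = { "ab(cd){3}", "(a{100000}){100000}" };
    for (size_t i = 0; i < 2; i++) {
        uint32_t sz = 0;
        enum size_status st = checked_program_size(patterns[i], &sz);
        printf("%-22s naive=%u checked=%s (%u)\n", patterns[i], naive_program_size(patterns[i]),
               st == SIZE_OK ? "ok" : st == SIZE_TOO_LARGE ? "rejected, too large" : "syntax error", sz);
    }
    return 0;
}
```

For the nested pattern the naive sizer returns a plausible-looking 1410265408 units while the true unrolled size is 10000200000, which is the shape of mismatch between allocation and later writes that the advisory describes; the checked sizer refuses the pattern instead. The design choice worth copying is that the cap is tested before every addition, not once at the end, so no intermediate value can exceed the cap and wrap.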
Comment 2 Tomas Hoger 2008-04-23 09:32:21 UTC
Upstream fix: http://trac.webkit.org/projects/webkit/changeset/31388

This fix should be included in WebKit-1.0.0-0.8.svn31787, which is already in F8
and F9 and on the way to F7 as well.

Comment 3 Tomas Hoger 2008-04-23 11:37:42 UTC
This issue did not affect pcre packages as shipped in Red Hat Enterprise Linux
2.1, 3, 4, and 5, and Fedora 7 and 8.  This issue was specific to WebKit's
modified PCRE version.

Comment 4 Tomas Hoger 2008-05-05 16:27:47 UTC
WebKit-1.0.0-0.8.svn31787 or newer is now in all current Fedora versions.