Bug 443780 - (CVE-2008-1026) CVE-2008-1026 WebKit: Integer overflow in the PCRE regular expression compiler
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All  OS: Linux
Priority: high  Severity: high
Assigned To: Red Hat Product Security
Reported: 2008-04-23 05:22 EDT by Tomas Hoger
Modified: 2016-03-04 07:52 EST (History)

Doc Type: Bug Fix
Last Closed: 2008-05-05 12:27:47 EDT

Attachments: None
Description Tomas Hoger 2008-04-23 05:22:04 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1026 to the following vulnerability:

Integer overflow in the PCRE regular expression compiler (JavaScriptCore/pcre/pcre_compile.cpp) in Apple WebKit, as used in Safari before 3.1.1, allows remote attackers to execute arbitrary code via a regular expression with large, nested repetition counts, which triggers a heap-based buffer overflow.

Comment 1 Tomas Hoger 2008-04-23 05:23:23 EDT
Relevant part of the Apple security advisory:

CVE-ID:  CVE-2008-1026
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
Impact:  Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in WebKit's handling of
JavaScript regular expressions. The issue may be triggered via
JavaScript when processing regular expressions with large, nested
repetition counts. This may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue by performing additional validation of JavaScript regular
expressions. Credit to Charlie Miller working with TippingPoint's
Zero Day Initiative for reporting this issue.
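The bug class named in the CVE entry and in the Apple advisory above, shown as an added illustration that is not code from WebKit's pcre_compile.cpp or from this bug report: a hypothetical regex compiler sizes its output buffer by multiplying a group's compiled length by each enclosing repeat count, so 32-bit arithmetic wraps for large nested counts and the buffer is under-allocated; the checked variant bounds every multiplication against a cap, which is the kind of "additional validation" the advisory refers to. The function names, the cap value and the sample counts are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not WebKit's code: the compiled size of a quantified
 * group is body length times repeat count, and each nesting level multiplies
 * again (e.g. a 1-byte body inside {n} inside {m} needs 1*n*m bytes). */

/* Bug-class version: 32-bit arithmetic wraps silently, so the caller would
 * allocate far fewer bytes than the emitter later writes into the buffer. */
uint32_t nested_length_unchecked(uint32_t base_len, const uint32_t *counts, size_t depth) {
    uint32_t len = base_len;
    for (size_t i = 0; i < depth; i++)
        len *= counts[i];          /* wraps modulo 2^32 */
    return len;
}

/* Hardened version: each multiplication is tested against a cap before it is
 * performed, so any pattern whose compiled size would exceed the cap is
 * rejected instead of producing a wrapped (too small) size. */
bool nested_length_checked(uint64_t base_len, const uint64_t *counts, size_t depth,
                           uint64_t cap, uint64_t *out) {
    uint64_t len = base_len;
    if (len > cap) return false;
    for (size_t i = 0; i < depth; i++) {
        if (counts[i] == 0) { len = 0; continue; }     /* {0} repeats emit nothing */
        if (len > cap / counts[i]) return false;         /* len * counts[i] > cap */
        len *= counts[i];
    }
    *out = len;
    return true;
}

int main(void) {
    /* Constructed sample: a 1-byte body inside two nested {65536} repeats. */
    const uint32_t c32[] = {65536u, 65536u};
    const uint64_t c64[] = {65536u, 65536u};
    const uint64_t cap = 64u * 1024 * 1024;   /* assumed 64 MiB compiled-size limit */
    uint64_t need = 0;
    printf("unchecked size: %u bytes (wrapped, real need is 2^32)\n",
           nested_length_unchecked(1, c32, 2));
    printf("checked: %s\n",
           nested_length_checked(1, c64, 2, cap, &need) ? "accepted" : "rejected");
    return 0;
}
```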
Comment 2 Tomas Hoger 2008-04-23 05:32:21 EDT
Upstream fix: http://trac.webkit.org/projects/webkit/changeset/31388

This fix should be included in WebKit-1.0.0-0.8.svn31787, which is already in F8
and F9 and on the way to F7 as well.
Comment 3 Tomas Hoger 2008-04-23 07:37:42 EDT
This issue did not affect pcre packages as shipped in Red Hat Enterprise Linux
2.1, 3, 4, and 5, and Fedora 7 and 8.  This issue was specific to WebKit's
modified PCRE version.
Comment 4 Tomas Hoger 2008-05-05 12:27:47 EDT
WebKit-1.0.0-0.8.svn31787 or newer is now in all current Fedora versions.
