Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1026 to the following vulnerability: Integer overflow in the PCRE regular expression compiler (JavaScriptCore/pcre/pcre_compile.cpp) in Apple WebKit, as used in Safari before 3.1.1, allows remote attackers to execute arbitrary code via a regular expression with large, nested repetition counts, which triggers a heap-based buffer overflow.
References:
http://www.securityfocus.com/archive/1/archive/1/490990/100/0/threaded
http://www.zerodayinitiative.com/advisories/ZDI-08-022
http://support.apple.com/kb/HT1467
http://lists.apple.com/archives/security-announce/2008/Apr/msg00001.html
http://www.securityfocus.com/bid/28815
http://www.securitytracker.com/id?1019870
http://marc.info/?l=dailydave&m=120670880726067&w=2
Relevant part of the Apple security advisory:
WebKit
CVE-ID: CVE-2008-1026
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in WebKit's handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller working with TippingPoint's Zero Day Initiative for reporting this issue.
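The bug class described above (a compile-time size computation for nested repetition counts that wraps, so the heap buffer allocated from it is too small) and the kind of "additional validation" that closes it, as an added illustration in C. This is hypothetical helper code written for this page, not WebKit's or PCRE's own code; the atom length, repeat counts and the 64 MiB compile-size limit are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size needed for an atom wrapped in nested repetition groups such as
 * (x{c0}){c1}: a compiler that reserves space per repetition needs
 * atom_len * c0 * c1 bytes. Hypothetical helper, not WebKit/PCRE code. */

/* Unchecked version: the product wraps modulo 2^32, so the caller
 * allocates a buffer far smaller than what the compiler later writes. */
uint32_t repeat_size_unchecked(uint32_t atom_len, const uint32_t *counts, size_t depth)
{
    uint32_t total = atom_len;
    for (size_t i = 0; i < depth; i++)
        total *= counts[i];            /* silently wraps on overflow */
    return total;
}

/* Checked version: detect overflow before multiplying and refuse any
 * pattern whose compiled size exceeds a fixed limit. Returns 0 and sets
 * *out on success, -1 when the pattern must be rejected. */
#define MAX_COMPILED_SIZE ((uint32_t)64 * 1024 * 1024)  /* constructed limit */

int repeat_size_checked(uint32_t atom_len, const uint32_t *counts, size_t depth, uint32_t *out)
{
    uint32_t total = atom_len;
    for (size_t i = 0; i < depth; i++) {
        if (counts[i] != 0 && total > UINT32_MAX / counts[i])
            return -1;                 /* product would not fit in 32 bits */
        total *= counts[i];
        if (total > MAX_COMPILED_SIZE)
            return -1;                 /* reject oversized patterns early */
    }
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed counts for a pattern like (a{65536}){65536}:
     * 1 * 65536 * 65536 = 2^32, which wraps to 0 in the unchecked path. */
    const uint32_t counts[] = { 65536, 65536 };
    uint32_t out = 0;
    printf("unchecked size: %u\n", repeat_size_unchecked(1, counts, 2));   /* prints 0 */
    printf("checked result: %d\n", repeat_size_checked(1, counts, 2, &out)); /* prints -1 */
    return 0;
}
```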
Upstream fix: http://trac.webkit.org/projects/webkit/changeset/31388 This fix should be included in WebKit-1.0.0-0.8.svn31787, which is already in F8 and F9 and on the way to F7 as well.
This issue did not affect pcre packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Fedora 7 and 8. This issue was specific to WebKit's modified PCRE version.
WebKit-1.0.0-0.8.svn31787 or newer is now in all current Fedora versions.