Vulnerability CVE-2009-0689


Published: 2009-07-01   Modified: 2012-02-13

Description:
Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.

See advisories in our WLB2 database:
| Risk | Topic | Author | Date |
|------|-------|--------|------|
| High | Multiple Vendors libc/gdtoa printf(3) Array Overrun | Maksymilian Arci... | 27.06.2009 |
| High | K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) | Maksymilian Arci... | 24.11.2009 |
| High | KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) | Maksymilian Arci... | 24.11.2009 |
| High | Opera 10.01 Remote Array Overrun (Arbitrary code execution) | Maksymilian Arci... | 24.11.2009 |
| High | SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) | Maksymilian Arci... | 20.11.2009 |
| High | Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) | Maksymilian Arci... | 14.12.2009 |
| High | Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) | Maksymilian Arci... | 14.12.2009 |
| High | Sunbird 0.9 Array Overrun (code execution) | Maksymilian Arci... | 14.12.2009 |
| High | Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution) | Maksymilian Arci... | 14.12.2009 |
| High | J 6.02.023 Array Overrun (code execution) | Maksymilian Arci... | 08.01.2010 |
| High | Matlab R2009b Array Overrun (code execution) | Maksymilian Arci... | 08.01.2010 |
| High | MacOS X 10.5/10.6 libc/strtod(3) buffer overflow | Maksymilian Arci... | 08.01.2010 |

Type: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: Freebsd
Product: Freebsd 
Version: 7.2; 6.4;
Vendor: Netbsd
Product: Netbsd 
Version: 5.0;
Vendor: Openbsd
Product: Openbsd 
Version: 4.5;
Vendor: Mozilla
Product: Firefox 
Version: 3.5.3; 3.5.2; 3.5.1; 3.5; 3.0.9; 3.0.8; 3.0.7; 3.0.6; 3.0.5; 3.0.4; 3.0.3; 3.0.2; 3.0.14; 3.0.13; 3.0.12; 3.0.11; 3.0.10; 3.0.1;
Product: Seamonkey 
Version: 1.1.8;
Vendor: K-meleon project
Product: K-meleon 
Version: 1.5.3;

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

 References:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
http://rhn.redhat.com/errata/RHSA-2014-0311.html
http://rhn.redhat.com/errata/RHSA-2014-0312.html
http://securityreason.com/achievement_securityalert/63
http://securityreason.com/achievement_securityalert/69
http://securityreason.com/achievement_securityalert/71
http://securityreason.com/achievement_securityalert/72
http://securityreason.com/achievement_securityalert/73
http://securityreason.com/achievement_securityalert/75
http://securityreason.com/achievement_securityalert/76
http://securityreason.com/achievement_securityalert/77
http://securityreason.com/achievement_securityalert/78
http://securityreason.com/achievement_securityalert/81
http://securitytracker.com/id?1022478
http://sunsolve.sun.com/search/document.do?assetkey=1-26-272909-1
http://support.apple.com/kb/HT4077
http://support.apple.com/kb/HT4225
http://www.mandriva.com/security/advisories?name=MDVSA-2009:294
http://www.mandriva.com/security/advisories?name=MDVSA-2009:330
http://www.mozilla.org/security/announce/2009/mfsa2009-59.html
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.opera.com/support/kb/view/942/
http://www.redhat.com/support/errata/RHSA-2009-1601.html
http://www.redhat.com/support/errata/RHSA-2010-0153.html
http://www.redhat.com/support/errata/RHSA-2010-0154.html
http://www.securityfocus.com/archive/1/507977/100/0/threaded
http://www.securityfocus.com/archive/1/507979/100/0/threaded
http://www.securityfocus.com/archive/1/508417/100/0/threaded
http://www.securityfocus.com/archive/1/508423/100/0/threaded
http://www.securityfocus.com/bid/35510
http://www.ubuntu.com/usn/USN-915-1
http://www.vupen.com/english/advisories/2009/3297
http://www.vupen.com/english/advisories/2009/3299
http://www.vupen.com/english/advisories/2009/3334
http://www.vupen.com/english/advisories/2010/0094
http://www.vupen.com/english/advisories/2010/0648
http://www.vupen.com/english/advisories/2010/0650
https://bugzilla.mozilla.org/show_bug.cgi?id=516396
https://bugzilla.mozilla.org/show_bug.cgi?id=516862
https://lists.debian.org/debian-lts-announce/2018/11/msg00001.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6528
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9541

Related CVE
CVE-2006-4253
Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via multiple Javascript timed events that load a deeply nested XML file, followed by red...
CVE-2006-1942
Mozilla Firefox 1.5.0.2 and possibly other versions before 1.5.0.4, Netscape 8.1, 8.0.4, and 7.2, and K-Meleon 0.9.13 allows user-assisted remote attackers to open local files via a web page with an IMG element containing a SRC attribute with a non-i...
CVE-2005-4134
Mozilla Firefox 1.5, Netscape 8.0.4 and 7.2, and K-Meleon before 0.9.12 allows remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not...

Copyright 2019, cxsecurity.com

 
