CVE-2009-0689

01.07.2009, 13:00

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.8 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:P/I:P/A:P
certcc	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 96%

Vendor	Product	Version
k-meleon_project	k-meleon	1.5.3
mozilla	firefox	3.0.1
mozilla	firefox	3.0.2
mozilla	firefox	3.0.3
mozilla	firefox	3.0.4
mozilla	firefox	3.0.5
mozilla	firefox	3.0.6
mozilla	firefox	3.0.7
mozilla	firefox	3.0.8
mozilla	firefox	3.0.9
mozilla	firefox	3.0.10
mozilla	firefox	3.0.11
mozilla	firefox	3.0.12
mozilla	firefox	3.0.13
mozilla	firefox	3.0.14
mozilla	firefox	3.5
mozilla	firefox	3.5.1
mozilla	firefox	3.5.2
mozilla	firefox	3.5.3
mozilla	seamonkey	1.1.8
freebsd	freebsd	6.4
freebsd	freebsd	6.4:release
freebsd	freebsd	6.4:release_p2
freebsd	freebsd	6.4:release_p3
freebsd	freebsd	6.4:release_p4
freebsd	freebsd	6.4:release_p5
freebsd	freebsd	6.4:stable
freebsd	freebsd	7.2
freebsd	freebsd	7.2:pre-release
freebsd	freebsd	7.2:stable
netbsd	netbsd	5.0
openbsd	openbsd	4.5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

mono

bullseye	6.8.0.105+dfsg-3.3~deb11u1 fixed
lenny	no-dsa
wheezy	no-dsa
bookworm	6.8.0.105+dfsg-3.3 fixed
sid	6.12.0.199+dfsg-2 fixed
trixie	6.12.0.199+dfsg-2 fixed

nspr

bullseye	2:4.29-1 fixed
lenny	no-dsa
wheezy	no-dsa
bookworm	2:4.35-1 fixed
sid	2:4.35-1.1 fixed
trixie	2:4.35-1.1 fixed

Ubuntu Releases

Ubuntu Product

Codename

kde4libs

lucid	Fixed 4:3.5.10.dfsg.1-2.1ubuntu4 released
karmic	Fixed 4:4.3.2-0ubuntu7.2 released
jaunty	Fixed 4:4.2.2-0ubuntu5.4 released
intrepid	Fixed 4:4.1.4-0ubuntu1~intrepid1.5 released
hardy	ignored
dapper	dne

kdelibs

lucid	Fixed 4:3.5.10.dfsg.1-2.1ubuntu4 released
karmic	Fixed 4:3.5.10.dfsg.1-2ubuntu7.2 released
jaunty	Fixed 4:3.5.10.dfsg.1-1ubuntu8.4 released
intrepid	Fixed 4:3.5.10-0ubuntu6.4 released
hardy	Fixed 4:3.5.10-0ubuntu1~hardy1.5 released
dapper	ignored

thunderbird

lucid	not-affected
karmic	Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.9.10.1 released
jaunty	Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.9.04.1 released
intrepid	Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.8.10.1 released
hardy	Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.8.04.1 released
dapper	dne

Known Exploits!

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html

http://rhn.redhat.com/errata/RHSA-2014-0311.html

http://rhn.redhat.com/errata/RHSA-2014-0312.html

http://secunia.com/advisories/37431

http://secunia.com/advisories/37682

http://secunia.com/advisories/37683

http://secunia.com/advisories/38066

http://secunia.com/advisories/38977

http://secunia.com/advisories/39001

http://secunia.com/secunia_research/2009-35/

http://securityreason.com/achievement_securityalert/63

http://securityreason.com/achievement_securityalert/69

http://securityreason.com/achievement_securityalert/71

http://securityreason.com/achievement_securityalert/72

http://securityreason.com/achievement_securityalert/73

http://securityreason.com/achievement_securityalert/75

http://securityreason.com/achievement_securityalert/76

http://securityreason.com/achievement_securityalert/77

http://securityreason.com/achievement_securityalert/78

http://securityreason.com/achievement_securityalert/81

http://securitytracker.com/id?1022478

http://sunsolve.sun.com/search/document.do?assetkey=1-26-272909-1

http://support.apple.com/kb/HT4077

http://support.apple.com/kb/HT4225

http://www.mandriva.com/security/advisories?name=MDVSA-2009:294

http://www.mandriva.com/security/advisories?name=MDVSA-2009:330

http://www.mozilla.org/security/announce/2009/mfsa2009-59.html

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c

http://www.opera.com/support/kb/view/942/

http://www.redhat.com/support/errata/RHSA-2009-1601.html

http://www.redhat.com/support/errata/RHSA-2010-0153.html

http://www.redhat.com/support/errata/RHSA-2010-0154.html

http://www.securityfocus.com/archive/1/507977/100/0/threaded

http://www.securityfocus.com/archive/1/507979/100/0/threaded

http://www.securityfocus.com/archive/1/508417/100/0/threaded

http://www.securityfocus.com/archive/1/508423/100/0/threaded

http://www.securityfocus.com/bid/35510

http://www.ubuntu.com/usn/USN-915-1

http://www.vupen.com/english/advisories/2009/3297

http://www.vupen.com/english/advisories/2009/3299

http://www.vupen.com/english/advisories/2009/3334

http://www.vupen.com/english/advisories/2010/0094

http://www.vupen.com/english/advisories/2010/0648

http://www.vupen.com/english/advisories/2010/0650

https://bugzilla.mozilla.org/show_bug.cgi?id=516396

https://bugzilla.mozilla.org/show_bug.cgi?id=516862

https://lists.debian.org/debian-lts-announce/2018/11/msg00001.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6528

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9541

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html

http://rhn.redhat.com/errata/RHSA-2014-0311.html

http://rhn.redhat.com/errata/RHSA-2014-0312.html

http://secunia.com/advisories/37431

http://secunia.com/advisories/37682

http://secunia.com/advisories/37683

http://secunia.com/advisories/38066

http://secunia.com/advisories/38977

http://secunia.com/advisories/39001

http://secunia.com/secunia_research/2009-35/

http://securityreason.com/achievement_securityalert/63

http://securityreason.com/achievement_securityalert/69

http://securityreason.com/achievement_securityalert/71

http://securityreason.com/achievement_securityalert/72

http://securityreason.com/achievement_securityalert/73

http://securityreason.com/achievement_securityalert/75

http://securityreason.com/achievement_securityalert/76

http://securityreason.com/achievement_securityalert/77

http://securityreason.com/achievement_securityalert/78

http://securityreason.com/achievement_securityalert/81

http://securitytracker.com/id?1022478

http://sunsolve.sun.com/search/document.do?assetkey=1-26-272909-1

http://support.apple.com/kb/HT4077

http://support.apple.com/kb/HT4225

http://www.mandriva.com/security/advisories?name=MDVSA-2009:294

http://www.mandriva.com/security/advisories?name=MDVSA-2009:330

http://www.mozilla.org/security/announce/2009/mfsa2009-59.html

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c

http://www.opera.com/support/kb/view/942/

http://www.redhat.com/support/errata/RHSA-2009-1601.html

http://www.redhat.com/support/errata/RHSA-2010-0153.html

http://www.redhat.com/support/errata/RHSA-2010-0154.html

http://www.securityfocus.com/archive/1/507977/100/0/threaded

http://www.securityfocus.com/archive/1/507979/100/0/threaded

http://www.securityfocus.com/archive/1/508417/100/0/threaded

http://www.securityfocus.com/archive/1/508423/100/0/threaded

http://www.securityfocus.com/bid/35510

http://www.ubuntu.com/usn/USN-915-1

http://www.vupen.com/english/advisories/2009/3297

http://www.vupen.com/english/advisories/2009/3299

http://www.vupen.com/english/advisories/2009/3334

http://www.vupen.com/english/advisories/2010/0094

http://www.vupen.com/english/advisories/2010/0648

http://www.vupen.com/english/advisories/2010/0650

https://bugzilla.mozilla.org/show_bug.cgi?id=516396

https://bugzilla.mozilla.org/show_bug.cgi?id=516862

https://lists.debian.org/debian-lts-announce/2018/11/msg00001.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6528

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9541