CVE-2009-0689
Published 2009-07-01
Priority P3 · 51 · medium · CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 28.17% (97.9th percentile)
Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.
Affected (30 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mono | < mono 4.2.1.102+dfsg2-4 (bookworm) | mono 4.2.1.102+dfsg2-4 (bookworm) |
| debian | nspr | < mono 4.2.1.102+dfsg2-4 (bookworm) | mono 4.2.1.102+dfsg2-4 (bookworm) |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| k-meleon_project | k-meleon | — | — |
| mono | mono | >= 0 < 4.2.1.102+dfsg2-4 | 4.2.1.102+dfsg2-4 |
| mono | mono | >= 0 < 4.2.1.102+dfsg2-4 | 4.2.1.102+dfsg2-4 |
| mono | mono | >= 0 < 4.2.1.102+dfsg2-4 | 4.2.1.102+dfsg2-4 |
| mono | mono | >= 0 < 4.2.1.102+dfsg2-4 | 4.2.1.102+dfsg2-4 |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
| vendor_ubuntu | — | 6.8 | MEDIUM | — |
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2010-03-18·CVSS 6.8
Several flaws were discovered in the JavaScript engine of Thunderbird. If a
user had JavaScript enabled and were tricked into viewing malicious web
content, a remote attacker could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-0689, CVE-2009-2463, CVE-2009-3075)
Josh Soref discovered that the BinHex decoder used in Thunderbird contained
a flaw. If a user were tricked into viewing malicious content, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-3072)
It was discovered that Thunderbird did not properly manage memory when
using XUL tree el
Ubuntu
KDE vulnerabilities
vendor_ubuntu·2009-12-11·CVSS 6.8
A buffer overflow was found in the KDE libraries when converting a string
to a floating point number. If a user or application linked against kdelibs
were tricked into processing crafted input, an attacker could cause a
denial of service (via application crash) or possibly execute arbitrary
code with the privileges of the user invoking the program. (CVE-2009-0689)
It was discovered that the KDE libraries could use KHTML to process an
unknown MIME type. If a user or application linked against kdelibs were
tricked into opening a crafted file, an attacker could potentially trigger
XMLHTTPRequests to remote sites.
Instructions: After a standard system upgrade you need to restart your session to effect
the necessary changes.
Red Hat
array index error in dtoa implementation of many products
vendor_redhat·2009-11-20·CVSS 6.8
Package: js (OpenShift Enterprise 1) - Affected
Red Hat
firefox: (rejected CVE-2009-1563) Firefox heap buffer overflow in string to number conversion
vendor_redhat·2009-10-27·CVSS 6.8
CVE-2009-1563 [MEDIUM] CWE-122 firefox: (rejected CVE-2009-1563) Firefox heap buffer overflow in string to number conversion
This CVE entry is a duplicate of CVE-2009-0689 and has been rejected; please refer to that CVE entry for additional product fixes and information.
Debian
CVE-2009-0689: mono - Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the...
vendor_debian·2009·CVSS 6.8
Scope: local
bookworm: resolved (fixed in 4.2.1.102+dfsg2-4)
bullseye: resolved (fixed in 4.2.1.102+dfsg2-4)
forky:
GHSA
GHSA-99jp-rppc-jgcm: Array index error in the (1) dtoa implementation in dtoa
ghsa_unreviewed·2022-05-02
CVE-2009-0689 [MEDIUM] CWE-119 GHSA-99jp-rppc-jgcm: Array index error in the (1) dtoa implementation in dtoa
OSV
CVE-2009-0689: Array index error in the (1) dtoa implementation in dtoa
osv·2009-07-01·CVSS 6.8
No detection rules found.
Exploit-DB
MATLAB R2009b - 'dtoa' Implementation Memory Corruption
exploitdb·2010-01-08
---
source: https://www.securityfocus.com/bid/37688/info
MATLAB is prone to a memory-corruption vulnerability because the software fails to properly bounds-check data used as an array index.
Attackers may exploit this issue to execute arbitrary code within the context of affected applications.
MATLAB R2009b is affected; other versions may also be vulnerable.
cxib=0.
Exploit-DB
Apple Mac OSX 10.x - 'libc/strtod(3)' Memory Corruption
exploitdb·2010-01-08
---
source: https://www.securityfocus.com/bid/37687/info
Mac OS X is prone to a memory-corruption vulnerability because the software fails to properly bounds-check data used as an array index.
Attackers may exploit this issue to execute arbitrary code within the context of affected applications.
Mac OS X 10.5 and 10.6 are affected; other versions may also be vulnerable.
```c
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    /* the digit string is abbreviated with "..." in the original listing */
    char number[] = "0.1111111111...11", *e;
    double weed = strtod(number, &e);
    printf("grams = %lf\n", weed);
    return 0;
}
```
Exploit-DB
Sunbird 0.9 - Array Overrun Code Execution
exploitdb·2009-12-11·CVSS 6.8
---
full disclosure: http://seclists.org/fulldisclosure/2009/Dec/253
[ Sunbird 0.9 Array Overrun (code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009
CVE: CVE-2009-0689
CWE: CWE-199
Risk: High
Remote: Yes
Affected Software:
- Sunbird 0.9
NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/77
--- 0.Description ---
Mozilla Sunbird is a cross-platform calendar application, built upon
Mozilla Toolkit. Our goal is to provide you with a full-featured and
easy to use calendar application that you can use around the world.
--- 1. Sunbird 0.9 Remote Array Overrun (Arbitrary code execution) ---
The main problem ex
Exploit-DB
KDE 4.3.3 - KDELibs 'dtoa()' Remote Code Execution
exploitdb·2009-11-20
---
source: https://www.securityfocus.com/bid/37080/info
KDE is prone to a remote code-execution vulnerability that affects KDELibs.
Successful exploits may allow an attacker to execute arbitrary code. Failed attacks may cause denial-of-service conditions.
NOTE: This issue is related to BID 35510 (Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability), but because of differences in the code base, it is being assigned its own record.
This issue affects KDE KDELibs 4.3.3; other versions may also be affected.
var a=0.;
Exploit-DB
Opera Web Browser 10.01 - 'dtoa()' Remote Code Execution
exploitdb·2009-11-20
---
source: https://www.securityfocus.com/bid/37078/info
Opera Web Browser is prone to a remote code-execution vulnerability.
Successful exploits may allow an attacker to execute arbitrary code. Failed attacks may cause denial-of-service conditions.
NOTE: This issue is related to BID 35510 (Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability), but because of differences in the code base, it is being assigned its own record.
This issue affects Opera 10.01; other versions may also be affected.
var a=0.;
Exploit-DB
KDE KDELibs 4.3.3 - Remote Array Overrun
exploitdb·2009-11-19·CVSS 6.8
---
[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009
CVE: CVE-2009-0689
Risk: High
Remote: Yes
Affected Software:
- KDELibs 4.3.3
NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/74
--- 0.Description ---
KDELibs is a collection of libraries built on top of Qt that provides
frameworks and functionality for developers of KDE-compatible software.
The KDELibs libraries are licensed under LGPL.
--- 1. KDE KDELibs 4.3.2 Remote Array Overrun (Arbitrary code
execution) ---
The main problem exists in dto
Exploit-DB
K-Meleon 1.5.3 - Remote Array Overrun
exploitdb·2009-11-19·CVSS 6.8
---
From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/222
[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009
CVE: CVE-2009-0689
Risk: High
Remote: Yes
Affected Software:
- K-Meleon 1.5.3
NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/72
--- 0.Description ---
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also used
by Firefox. K-Meleon is free, open source software released under the
GNU General Public Li
Exploit-DB
Opera 10.01 - Remote Array Overrun
exploitdb·2009-11-19·CVSS 6.8
---
From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/223
[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009
CVE: CVE-2009-0689
Risk: High
Remote: Yes
Affected Software:
- Opera 10.01
- Opera 10.10 Beta
NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/73
--- 0.Description ---
Opera is a Web browser and Internet suite developed by the Opera
Software company. The browser handles common Internet-related tasks such
as displaying Web sites, sending and receiving e-mail messages, managing
contacts, IRC online chatting, downloading files via BitT
Exploit-DB
SeaMonkey 1.1.8 - Remote Array Overrun
exploitdb·2009-11-19·CVSS 6.8
---
From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/221
[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009
CVE: CVE-2009-0689
Risk: High
Remote: Yes
Affected Software:
- SeaMonkey 1.1.18
Fixed in:
- SeaMonkey 2.0
NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/71
--- 0.Description ---
The SeaMonkey project is a community effort to develop the SeaMonkey
all-in-one internet application suite (see below). Such a software suite
was previously made popular by Netscape and Mozilla, and t
Exploit-DB
Mozilla Firefox 3.5.3 - Floating Point Conversion Heap Overflow
exploitdb·2009-10-27
---
source: https://www.securityfocus.com/bid/36851/info
Mozilla Firefox is prone to a heap-based buffer-overflow vulnerability.
An attacker can exploit this issue by tricking a victim into visiting a malicious webpage to execute arbitrary code and to cause denial-of-service conditions.
NOTE: This issue was previously covered in BID 36843 (Mozilla Firefox and SeaMonkey MFSA 2009-52 through -64 Multiple Vulnerabilities).
NOTE 2: This issue is related to BID 35510 (Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability), but because of differences in the code base, it is being assigned its own record.
var a=0.;
Exploit-DB
BSD (Multiple Distributions) - 'gdtoa/misc.c' Memory Corruption
exploitdb·2009-05-26
---
source: https://www.securityfocus.com/bid/35510/info
Multiple BSD distributions are prone to a memory-corruption vulnerability because the software fails to properly bounds-check data used as an array index.
Attackers may exploit this issue to execute arbitrary code within the context of affected applications.
The following are vulnerable:
OpenBSD 4.5
NetBSD 5.0
FreeBSD 6.4 and 7.2
Other software based on the BSD code base may also be affected.
The following proof-of-concept shell commands are available:
```sh
printf %1.262159f 1.1
printf %11.2109999999f
printf %11.2009999999f
printf %11.2009999999f
```
The following proof-of-concept Perl script is available:
```perl
#!/usr/local/bin/perl
printf "%0.4194310f", 0x0.0x41414141;
```
Th
Bugzilla
mono: Converting specially crafted string to float causes crash and possible code execution
bugzilla·2015-12-22·CVSS 6.8
It was found that float-parsing code used in Mono before 4.2 is derived from code vulnerable to CVE-2009-0689. The issue concerns the `freelist` array, which is a global array of 16 pointers to `Bigint`. This array is part of a memory allocation and reuse system which attempts to reduce the number of `malloc` and `free` calls. The system allocates blocks in power-of-two sizes, from 2^0 through 2^15, and stores freed blocks of each size in a linked list rooted at the corresponding cell of `freelist`. The `Balloc` and `Bfree` functions which operate this system fail to check if the size parameter `k` is within the allocated 0..15 range. As a result, a sufficiently large allocation will have k=16 and
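A simplified model of the `freelist` / `Balloc` / `Bfree` mechanism described above, written here as an added example (it is not the dtoa.c source and not mono's code): the `k <= Kmax` check is the one the unpatched routines lacked, so a size class of 16 now bypasses the cache instead of indexing past the 16-entry array. `Kmax`, the struct layout and the 30-bit guard on `k` are this model's assumptions.

```c
/*
 * Model of the Bigint free-list cache that CVE-2009-0689 concerns.
 * Blocks hold 1 << k words; freed blocks are kept in freelist[k] for
 * reuse.  The vulnerable pattern indexed freelist[k] for any k; here
 * k > Kmax means "never cache", so the array is never overrun.
 */
#include <stdlib.h>

#define Kmax 15          /* freelist has cells 0..15 (16 pointers) */

typedef struct Bigint {
    struct Bigint *next; /* free-list link */
    int k;               /* size class: capacity is 1 << k words */
    int maxwds;          /* 1 << k */
    int sign;
    int wds;             /* words in use */
    unsigned int x[1];   /* payload, sized at allocation (model) */
} Bigint;

static Bigint *freelist[Kmax + 1];

/* 1 when k may index freelist[], 0 otherwise.  The unpatched code had
 * no equivalent check and wrote to freelist[16] and beyond. */
int freelist_index_ok(int k)
{
    return k >= 0 && k <= Kmax;
}

/* Hardened Balloc: reuse a cached block when k <= Kmax, else malloc. */
Bigint *Balloc(int k)
{
    Bigint *rv = NULL;
    if (k < 0 || k > 30)                 /* model guard against shift overflow */
        return NULL;
    if (freelist_index_ok(k) && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;          /* pop from the size-class list */
    } else {
        size_t words = (size_t)1 << k;
        size_t len = sizeof(Bigint) + (words - 1) * sizeof(unsigned int);
        rv = malloc(len);
        if (rv == NULL)
            return NULL;
        rv->k = k;
        rv->maxwds = (int)words;
    }
    rv->sign = rv->wds = 0;
    return rv;
}

/* Hardened Bfree: only k <= Kmax blocks go back on the free list;
 * larger ones return to the heap and never touch freelist[]. */
void Bfree(Bigint *v)
{
    if (v == NULL)
        return;
    if (v->k > Kmax) {
        free(v);
    } else {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    }
}

/* Exercises both paths; returns 1 when the cache behaves as intended. */
int demo_freelist(void)
{
    Bigint *a = Balloc(3);
    Bigint *big = Balloc(Kmax + 1);      /* k = 16: the out-of-range class */
    if (a == NULL || big == NULL)
        return 0;
    int ok = big->maxwds == (1 << (Kmax + 1));
    Bfree(a);                            /* cached in freelist[3] */
    Bfree(big);                          /* freed outright, freelist untouched */
    Bigint *again = Balloc(3);
    ok = ok && again == a;               /* small block was reused */
    Bfree(again);
    return ok;
}
```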
Bugzilla
php: heap overflow in floating point parsing
bugzilla·2014-01-24·CVSS 6.8
PHP uses a strtod() implementation using code written by David M. Gay. This code was previously identified to contain a flaw leading to a heap-based buffer overflow when an overly long string representing a floating point number is parsed to a number. The problem was assigned CVE ids CVE-2009-0689 (bug 539784) and CVE-2013-4164 (bug 1033460) and was fixed in various other projects re-using this affected code.
The problem was already corrected in PHP before the security issue was identified and CVE-2009-0689 assigned, via the following upstream commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=37da90248deb2188e8ee50e4753ad6340679b425
The fix was included in PHP 5.2.2. This wasn't identified as security fix, or mentioned in the changelog f
HackerOne
Ruby: Heap Overflow in Floating Point Parsing
hackerone·2013-11-22·CVSS 6.8
Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) is vulnerable.
Vulnerable code looks something like this:
`untrusted_data.to_f`
But any code that produces floating point values from external data is vulnerable, such as this:
`JSON.parse untrusted_data`
Note that this bug is similar to CVE-2009-0689.
All users running an affected release should upgrade to the FIXED versions of Ruby.
# Affected versions
- All Ruby 1.8 versions
- All Ruby 1.9 versions prior t
Bugzilla
CVE-2013-4164 ruby: heap overflow in floating point parsing
bugzilla·2013-11-22·CVSS 6.8
Ruby Programming Language Project reports:
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
Heap Overflow in Floating Point Parsing (CVE-2013-4164)
There is an overflow in floating point number parsing in Ruby. This
vulnerability has been assigned the CVE identifier CVE-2013-4164.
Details
Any time a string is converted to a floating point value, a specially
crafted string can cause a heap overflow. This can lead to a denial of
service attack via segmentation faults and possibly arbitrary code execution.
Any program that converts input of unknown origin to floating point values
(especially common when accepting JSON) is vulnerable.
Vulnerable code looks something like this:
Bugzilla
CVE-2009-0689 array index error in dtoa implementation of many products
bugzilla·2009-11-21·CVSS 6.8
It was reported [1] that KDE's kdelibs 4.3.3, and possibly earlier versions, suffers from a flaw in its dtoa implementation. A heap-based buffer overflow in the string to floating point number conversion routines could allow an attacker to craft some malicious JavaScript code containing a very long string to be converted to a floating point number. This could result in improper memory allocation and the execution of an arbitrary memory location, which could be leveraged to run arbitrary code on the victim's computer.
This same flaw was originally reported against OpenBSD and NetBSD [2], and is similar to the Mozilla flaw CVE-2009-1563. A patch to correct this issue was committed to kdelibs/kjs/dtoa.cpp today [3].
[1]
Bugzilla
CVE-2009-1563 firefox: (rejected CVE-2009-1563) Firefox heap buffer overflow in string to number conversion
bugzilla·2009-10-21·CVSS 6.8
Security researcher Alin Rad Pop of Secunia Research reported a heap-based
buffer overflow in Mozilla's string to floating point number conversion
routines. Using this vulnerability an attacker could craft some malicious
JavaScript code containing a very long string to be converted to a floating
point number which would result in improper memory allocation and the
execution of an arbitrary memory location. This vulnerability could thus be
leveraged by the attacker to run arbitrary code on a victim's computer.
Discussion:
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2009:1530 https://rhn.redhat.com/errata/RHSA
CWE
CWE-788: Access of Memory Location After End of Buffer
mitre_cwe
The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.
This typically occurs when a pointer or its index is incremented to a position after the buffer; or when pointer arithmetic results in a position after the buffer.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Confidentiality. Impact: Read Memory. For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.
Scope: Integrity, Availability. Impact: Modify Memory, DoS:
CWE
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
mitre_cwe
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Background: Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer that is being referenced.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity, Confidentiality, Availability. Impact: Execute Unauthorized Code or Commands, Modify Memory. If the memory accessible by the attacker can be effec