CVE-2009-0689

Exploit

EPSS 41.05%
Published 01.07.2009 13:00:01
Last modified 09.04.2025 00:30:58
Source cret@cert.org
Teams watchlist Login
Open Login

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.

Affected products Warnungen 0 Metrics 2 CWE 1 References 56

Data is provided by the National Vulnerability Database (NVD)

K-meleon Project ≫ K-meleon Version1.5.3

Mozilla ≫ Firefox Version3.0.1

Mozilla ≫ Firefox Version3.0.2

Mozilla ≫ Firefox Version3.0.3

Mozilla ≫ Firefox Version3.0.4

Mozilla ≫ Firefox Version3.0.5

Mozilla ≫ Firefox Version3.0.6

Mozilla ≫ Firefox Version3.0.7

Mozilla ≫ Firefox Version3.0.8

Mozilla ≫ Firefox Version3.0.9

Mozilla ≫ Firefox Version3.0.10

Mozilla ≫ Firefox Version3.0.11

Mozilla ≫ Firefox Version3.0.12

Mozilla ≫ Firefox Version3.0.13

Mozilla ≫ Firefox Version3.0.14

Mozilla ≫ Firefox Version3.5

Mozilla ≫ Firefox Version3.5.1

Mozilla ≫ Firefox Version3.5.2

Mozilla ≫ Firefox Version3.5.3

Mozilla ≫ Seamonkey Version1.1.8

Freebsd ≫ Freebsd Version6.4

Freebsd ≫ Freebsd Version6.4 Updaterelease

Freebsd ≫ Freebsd Version6.4 Updaterelease_p2

Freebsd ≫ Freebsd Version6.4 Updaterelease_p3

Freebsd ≫ Freebsd Version6.4 Updaterelease_p4

Freebsd ≫ Freebsd Version6.4 Updaterelease_p5

Freebsd ≫ Freebsd Version6.4 Updatestable

Freebsd ≫ Freebsd Version7.2

Freebsd ≫ Freebsd Version7.2 Updatepre-release

Freebsd ≫ Freebsd Version7.2 Updatestable

Netbsd ≫ Netbsd Version5.0

Openbsd ≫ Openbsd Version4.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	41.05%	0.973

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

Vendor Advisory

http://support.apple.com/kb/HT4077

http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html

http://www.mandriva.com/security/advisories?name=MDVSA-2009:330

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

Patch

http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html

http://rhn.redhat.com/errata/RHSA-2014-0311.html

http://rhn.redhat.com/errata/RHSA-2014-0312.html

http://secunia.com/advisories/37431