Bug 539784 (CVE-2009-0689)

Summary: CVE-2009-0689 array index error in dtoa implementation of many products
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: bleanhar, bressers, ccoleman, desktop-bugs, dmcphers, jdetiber, jialiu, jkeck, jokerman, jreznik, kreilly, kseifried, lmeyer, mmccomas, mmcgrath, than
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0689
Whiteboard: impact=critical,public=20091120,reported=20091120,source=internet,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,openshift-enterprise-1/js=affected,openshift-enterprise-2/js=affected,openshift-1/mongodb=notaffected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2010-12-20 13:22:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 539714, 539715, 539716, 539717, 539804, 539805, 539806, 833919, 1067646, 1067647, 1067657, 1067658, 1067659, 1117439, 1117440
Bug Blocks: 1077839

Description Vincent Danen 2009-11-20 21:50:07 EST
It was reported [1] that KDE's kdelibs 4.3.3, and possibly earlier versions, suffers from a flaw in its dtoa implementation.  A heap-based buffer overflow in the string to floating point number conversion routines could allow an attacker to craft some malicious JavaScript code containing a very long string to be converted to a floating point number.  This could result in improper memory allocation and the execution of an arbitrary memory location, which could be leveraged to run arbitrary code on the victim's computer.

This same flaw was originally reported against OpenBSD and NetBSD [2], and is similar to the Mozilla flaw CVE-2009-1563.  A patch to correct this issue was committed to kdelibs/kjs/dtoa.cpp today [3].

[1] http://marc.info/?l=full-disclosure&m=125867830114502&w=2
[2] http://securityreason.com/achievement_securityalert/63
[3] http://lists.kde.org/?l=kde-commits&m=125874573511598&w=2
    http://websvn.kde.org/?view=revision&revision=1052100
Comment 8 errata-xmlrpc 2009-11-24 18:23:25 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1601 https://rhn.redhat.com/errata/RHSA-2009-1601.html
Comment 9 Vincent Danen 2010-12-20 13:22:44 EST
An updated MITRE description for this is:

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. 


Note that CVE-2009-1563 was made a duplicate of this CVE, however we have noted that CVE-2009-1563 was fixed in some Firefox errata.
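The description in comment 0 and the MITRE text in comment 9 both describe the same mechanism: a very long digit string, or a huge printf precision, makes dtoa ask for a Bigint larger than its size-class cache covers, and the cache index runs off the end of a fixed array. The following is an added example, not code from this bug report or from any of the projects it lists. It is a reduced model of the Bigint allocator in David Gay's dtoa.c; the names Balloc, Bfree, freelist and Kmax are dtoa.c's, while the cache size Kmax = 7, the overflow guard on `1 << k` and the simplified sizing are assumptions made for the model.

```c
/* Added example (not from the bug or the affected projects): a reduced
 * model of dtoa.c's Bigint allocator showing the CVE-2009-0689 index
 * error and the shape of the fix.  Kmax = 7 is an assumed cache size. */
#include <stdio.h>
#include <stdlib.h>

#define Kmax 7                       /* assumed: one cache bucket per k in 0..Kmax */

typedef unsigned int ULong;

typedef struct Bigint {
    struct Bigint *next;             /* freelist link */
    int k;                           /* block holds 1 << k words */
    int maxwds, sign, wds;
    ULong x[1];                      /* flexible tail, dtoa.c style */
} Bigint;

static Bigint *freelist[Kmax + 1];   /* the array the bad index hits */

/* dtoa.c's s2b() sizes the Bigint for a string of nd decimal digits as
 * x = (nd + 8) / 9 nine-digit chunks and k = ceil(log2(x)), so a long
 * enough digit string drives k past Kmax.  The printf path reaches the
 * allocator with a large k the same way, via a huge precision. */
int k_for_digits(long nd)
{
    long x = (nd + 8) / 9, y;
    int k;
    for (k = 0, y = 1; x > y; y <<= 1, k++)
        ;
    return k;
}

/* Pre-fix Balloc read freelist[k] with no bound check and Bfree wrote
 * freelist[v->k]; with k > Kmax both step outside the array.  The model
 * only reports whether the unchecked index would be in bounds instead of
 * performing the out-of-bounds access. */
int unchecked_index_in_bounds(int k)
{
    return k >= 0 && k <= Kmax;
}

/* Hardened allocator in the shape of the 2009 upstream fix: the cache is
 * consulted and refilled only for k <= Kmax; larger blocks go straight to
 * malloc and back to free. */
Bigint *Balloc_fixed(int k)
{
    Bigint *rv;
    int x;

    if (k < 0 || k >= 8 * (int)sizeof(int) - 1)
        return NULL;                 /* assumed guard: 1 << k must not overflow */
    x = 1 << k;
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;
    } else {
        rv = malloc(sizeof(Bigint) + (size_t)(x - 1) * sizeof(ULong));
        if (rv == NULL)
            return NULL;
        rv->k = k;
        rv->maxwds = x;
    }
    rv->sign = rv->wds = 0;
    return rv;
}

void Bfree_fixed(Bigint *v)
{
    if (v == NULL)
        return;
    if (v->k > Kmax) {
        free(v);                     /* no bucket for this size: never index freelist */
    } else {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    }
}

int main(void)
{
    /* constructed input: a 2000-digit numeral, the kind of "very long
     * string" the description refers to */
    long nd = 2000;
    int k = k_for_digits(nd);
    Bigint *b;

    printf("%ld digits -> k = %d, Kmax = %d, unchecked freelist[k] in bounds: %s\n",
           nd, k, Kmax, unchecked_index_in_bounds(k) ? "yes" : "no");
    b = Balloc_fixed(k);
    printf("Balloc_fixed(%d): %d words\n", k, b ? b->maxwds : -1);
    Bfree_fixed(b);
    return 0;
}
```

With the assumed Kmax of 7, anything past 1152 digits (129 nine-digit chunks) yields k = 8 and an index one past the end of freelist; real copies of dtoa.c use different Kmax values, which only moves the threshold. The fix is the `k <= Kmax` guard on both the lookup and the refill, not a larger array, because any fixed array can be outrun by a long enough input.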
Comment 10 Vincent Danen 2010-12-20 13:25:35 EST
*** Bug 530162 has been marked as a duplicate of this bug. ***
Comment 11 Tomas Hoger 2014-03-18 11:11:48 EDT
Affected dtoa implementation is or was used in multiple projects.  Comment 0 above mentions OpenBSD and NetBSD, along with KDE Konqueror browser JavaScript engine kjs, and Mozilla products (Firefox, SeaMonkey and Thunderbird).

Mozilla products shipped in Red Hat Enterprise Linux were fixed via the following errata:

firefox
https://rhn.redhat.com/errata/RHSA-2009-1530.html

seamonkey
https://rhn.redhat.com/errata/RHSA-2009-1531.html

thunderbird
https://rhn.redhat.com/errata/RHSA-2010-0153.html
https://rhn.redhat.com/errata/RHSA-2010-0154.html

Comment 9 mentions that CVE-2009-1563 was originally used in Mozilla errata, but the CVE id was later rejected as a duplicate of this CVE-2009-0689.

More recently, the issue was fixed in ruby using a different CVE id, CVE-2013-4164 (bug 1033460), for the same issue.
Comment 12 errata-xmlrpc 2014-03-18 15:43:55 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.9 EUS - Server Only
  Red Hat Enterprise Linux 5.3 Long Life
  Red Hat Enterprise Linux 5.6 Long Life

Via RHSA-2014:0312 https://rhn.redhat.com/errata/RHSA-2014-0312.html
Comment 13 errata-xmlrpc 2014-03-18 15:45:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0311 https://rhn.redhat.com/errata/RHSA-2014-0311.html
Comment 14 Tomas Hoger 2014-03-18 16:46:34 EDT
This issue also affected PHP and was fixed upstream in version 5.2.2 before this was fixed in kdelibs or Mozilla products.  For further details, see bug 1057555.  Errata listed in comment 12 and comment 13 are for php packages in Red Hat Enterprise Linux 5 that were affected by the issue.
Comment 15 Tomas Hoger 2014-03-18 16:48:46 EDT
There are other projects that use this dtoa implementation and already include a fix for this issue (python, mysql, mariadb, nspr), or used it in the past (v8).