Bug 539784 - (CVE-2009-0689) CVE-2009-0689 array index error in dtoa implementation of many products
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All Linux
Severity: urgent
Assigned To: Red Hat Product Security
Keywords: Security
Alias: CVE-2009-1563
Depends On: 539714 539715 539716 539717 539804 539805 539806 833919 1067646 1067647 1067657 1067658 1067659 1117439 1117440
Blocks: 1077839
Reported: 2009-11-20 21:50 EST by Vincent Danen
Modified: 2014-08-19 16:36 EDT
Last Closed: 2010-12-20 13:22:44 EST
Doc Type: Bug Fix

Description Vincent Danen 2009-11-20 21:50:07 EST
It was reported [1] that KDE's kdelibs 4.3.3, and possibly earlier versions, suffers from a flaw in its dtoa implementation.  A heap-based buffer overflow in the string to floating point number conversion routines could allow an attacker to craft some malicious JavaScript code containing a very long string to be converted to a floating point number.  This could result in improper memory allocation and the execution of an arbitrary memory location, which could be leveraged to run arbitrary code on the victim's computer.

This same flaw was originally reported against OpenBSD and NetBSD [2], and is similar to the Mozilla flaw CVE-2009-1563.  A patch to correct this issue was committed to kdelibs/kjs/dtoa.cpp today [3].

[1] http://marc.info/?l=full-disclosure&m=125867830114502&w=2
[2] http://securityreason.com/achievement_securityalert/63
[3] http://lists.kde.org/?l=kde-commits&m=125874573511598&w=2
Comment 8 errata-xmlrpc 2009-11-24 18:23:25 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1601 https://rhn.redhat.com/errata/RHSA-2009-1601.html
Comment 9 Vincent Danen 2010-12-20 13:22:44 EST
An updated MITRE description for this is:

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. 

Note that CVE-2009-1563 was made a duplicate of this CVE, however we have noted that CVE-2009-1563 was fixed in some Firefox errata.
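The MITRE text above names two ways untrusted input reaches the affected conversion code: a numeric string with a very large number of digits handed to a string-to-double routine, and a very large precision handed to a printf-family function. The "array index" it refers to is the power-of-two size-class index that dtoa's Balloc() uses into its fixed-size freelist; oversized inputs pushed that index past the end of the array. The following regression harness is an added example, not code from this bug, from kdelibs, or from any of the projects listed; it simply drives both trigger paths through the C library with inputs of the size a report like this implies. It assumes a libc whose conversion routines have been fixed (on such a libc every call returns the documented value; on a vulnerable dtoa/gdtoa the conversion itself would crash or corrupt the heap). The function names are my own.

```c
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added regression harness (not code from the bug or any affected project).
 * It pushes the two trigger paths named in the CVE text through libc:
 *   1. strtod() on a numeric string with an enormous number of digits
 *   2. printf-family formatting with a very large precision
 * On a fixed libc both return sane values; a vulnerable dtoa/gdtoa would
 * crash or corrupt the heap inside the conversion. */

/* Build prefix + count copies of fill + suffix as a malloc'd C string. */
static char *make_numeric_string(const char *prefix, char fill, size_t count,
                                 const char *suffix)
{
    size_t plen = strlen(prefix), slen = strlen(suffix);
    char *s = malloc(plen + count + slen + 1);
    if (!s)
        return NULL;
    memcpy(s, prefix, plen);
    memset(s + plen, fill, count);
    memcpy(s + plen + count, suffix, slen + 1);   /* copies the NUL too */
    return s;
}

/* Convert s with strtod(), require the whole string to be consumed, and
 * free it. Returns NAN on allocation failure or trailing garbage. */
static double strtod_whole(char *s)
{
    if (!s)
        return NAN;
    char *end = NULL;
    double v = strtod(s, &end);
    int consumed = (*s != '\0' && *end == '\0');
    free(s);
    return consumed ? v : NAN;
}

/* Parse "1.000...0001" with `zeros` zeros after the point.  The string is
 * far longer than any double can represent, so a correct, correctly
 * rounded conversion yields exactly 1.0. */
double parse_long_fraction(size_t zeros)
{
    return strtod_whole(make_numeric_string("1.", '0', zeros, "1"));
}

/* Parse "000...0001.5" with `zeros` leading zeros; correct result is 1.5.
 * Leading zeros still have to be scanned, so the string length, not the
 * numeric value, is what exercises the conversion code. */
double parse_long_leading_zeros(size_t zeros)
{
    return strtod_whole(make_numeric_string("", '0', zeros, "1.5"));
}

/* Format 1/3 with the given precision and return the produced length.
 * For "%.*f" that must be precision + 2 ("0." plus `precision` digits).
 * snprintf(NULL, 0, ...) only measures, so no output buffer is needed.
 * Returns -1 if snprintf() reports an error. */
long format_large_precision(int precision)
{
    int n = snprintf(NULL, 0, "%.*f", precision, 1.0 / 3.0);
    return n < 0 ? -1 : (long)n;
}

int main(void)
{
    size_t zeros = 100000;      /* constructed input sizes, not from a report */
    int precision = 100000;
    printf("strtod on a %zu-zero fraction   -> %g\n", zeros,
           parse_long_fraction(zeros));
    printf("strtod with %zu leading zeros   -> %g\n", zeros,
           parse_long_leading_zeros(zeros));
    printf("%%.%df output length            -> %ld\n", precision,
           format_large_precision(precision));
    return 0;
}
```

Run it under a memory checker (for example Valgrind or ASan) when checking a library that embeds its own dtoa rather than calling libc; a silent heap overwrite in the freelist will not necessarily crash on the first call.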
Comment 10 Vincent Danen 2010-12-20 13:25:35 EST
*** Bug 530162 has been marked as a duplicate of this bug. ***
Comment 11 Tomas Hoger 2014-03-18 11:11:48 EDT
Affected dtoa implementation is or was used in multiple projects.  Comment 0 above mentions OpenBSD and NetBSD, along with KDE Konqueror browser JavaScript engine kjs, and Mozilla products (Firefox, Seamonkey and Thunderbird).

Mozilla products shipped in Red Hat Enterprise Linux were fixed via the following errata:
Comment 9 mentions that CVE-2009-1563 was originally used in Mozilla errata, but the CVE id was later rejected as duplicate of this CVE-2009-0689.

More recently, the issue was fixed in ruby using a different CVE id CVE-2013-4164 (bug 1033460) for the same issue.
Comment 12 errata-xmlrpc 2014-03-18 15:43:55 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.9 EUS - Server Only
  Red Hat Enterprise Linux 5.3 Long Life
  Red Hat Enterprise Linux 5.6 Long Life

Via RHSA-2014:0312 https://rhn.redhat.com/errata/RHSA-2014-0312.html
Comment 13 errata-xmlrpc 2014-03-18 15:45:20 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0311 https://rhn.redhat.com/errata/RHSA-2014-0311.html
Comment 14 Tomas Hoger 2014-03-18 16:46:34 EDT
This issue also affected PHP and was fixed upstream in version 5.2.2 before this was fixed in kdelibs or Mozilla products.  For further details, see bug 1057555.  Errata listed in comment 12 and comment 13 are for php packages in Red Hat Enterprise Linux 5 that were affected by the issue.
Comment 15 Tomas Hoger 2014-03-18 16:48:46 EDT
There are other projects that use this dtoa implementation and already include a fix for this issue (python, mysql, mariadb, nspr), or used it in the past (v8).