Bug 539784 (CVE-2009-0689) - CVE-2009-0689 array index error in dtoa implementation of many products
Summary: CVE-2009-0689 array index error in dtoa implementation of many products
Alias: CVE-2009-0689
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Duplicates: CVE-2009-1563
Depends On: 539714 539715 539716 539717 539804 539805 539806 833919 1067646 1067647 1067657 1067658 1067659 1117439 1117440
Blocks: 1077839
Reported: 2009-11-21 02:50 UTC by Vincent Danen
Modified: 2019-09-29 12:33 UTC (History)
CC: 16 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-12-20 18:22:44 UTC


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2009:1601 | 0 | normal | SHIPPED_LIVE | Critical: kdelibs security update | 2009-11-24 23:23:20 UTC
Red Hat Product Errata | RHSA-2014:0311 | 0 | normal | SHIPPED_LIVE | Critical: php security update | 2014-03-18 23:43:38 UTC
Red Hat Product Errata | RHSA-2014:0312 | 0 | normal | SHIPPED_LIVE | Critical: php security update | 2014-03-18 23:43:14 UTC

Description Vincent Danen 2009-11-21 02:50:07 UTC
It was reported [1] that KDE's kdelibs 4.3.3, and possibly earlier versions, suffers from a flaw in its dtoa implementation.  A heap-based buffer overflow in the string to floating point number conversion routines could allow an attacker to craft some malicious JavaScript code containing a very long string to be converted to a floating point number.  This could result in improper memory allocation and the execution of an arbitrary memory location, which could be leveraged to run arbitrary code on the victim's computer.

This same flaw was originally reported against OpenBSD and NetBSD [2], and is similar to the Mozilla flaw CVE-2009-1563.  A patch to correct this issue was committed to kdelibs/kjs/dtoa.cpp today [3].

[1] http://marc.info/?l=full-disclosure&m=125867830114502&w=2
[2] http://securityreason.com/achievement_securityalert/63
[3] http://lists.kde.org/?l=kde-commits&m=125874573511598&w=2

Comment 8 errata-xmlrpc 2009-11-24 23:23:25 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1601 https://rhn.redhat.com/errata/RHSA-2009-1601.html

Comment 9 Vincent Danen 2010-12-20 18:22:44 UTC
An updated MITRE description for this is:

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. 

Note that CVE-2009-1563 was made a duplicate of this CVE, however we have noted that CVE-2009-1563 was fixed in some Firefox errata.
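The allocation pattern behind this bug, as described in the Description and in the MITRE text above, is dtoa's Balloc/Bfree: big integers are cached on a per-size-class free list indexed by k (the log2 of the word count), and the array holding those lists has only Kmax+1 slots. A long enough digit string, or a large printf precision, asks for a size class whose k exceeds Kmax, so freelist[k] is read past the end of the array in Balloc and written past it in Bfree. The following is an added example, not dtoa.c, kdelibs or any Red Hat package code: it models that index arithmetic and the shape of the upstream fix (large k bypasses the free list and goes straight to malloc/free). The value of KMAX, the struct layout and the function names are simplified assumptions; the real Kmax differs between dtoa.c and gdtoa.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed bound on the freelist index; dtoa.c and gdtoa each use their own small Kmax. */
#define KMAX 7

typedef struct Bigint {
    struct Bigint *next;
    int k;          /* log2 of the word capacity; doubles as the freelist index */
    int maxwds;     /* 1 << k */
    uint32_t x[1];
} Bigint;

/* One free list per size class, exactly KMAX + 1 slots. Indexing freelist[k]
 * with k > KMAX is an out-of-bounds read in Balloc and an out-of-bounds write
 * in Bfree; that is the array index error of CVE-2009-0689. */
static Bigint *freelist[KMAX + 1];

/* Size class that dtoa's s2b picks for a decimal string of nd digits: nine
 * digits per 32-bit word, word count rounded up to a power of two. */
int k_for_digits(size_t nd) {
    size_t words = (nd + 8) / 9, y = 1;
    int k = 0;
    while (words > y) { y <<= 1; k++; }
    return k;
}

/* The unchecked original indexed freelist[k] directly. This reports whether a
 * given k would step past the array instead of performing the access. */
int balloc_would_overflow(int k) {
    return k > KMAX;
}

/* Balloc with the fix: a size class beyond KMAX never consults the free list. */
Bigint *balloc_fixed(int k) {
    Bigint *rv;
    if (k <= KMAX && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;
        return rv;
    }
    size_t x = (size_t)1 << k;
    rv = malloc(sizeof(Bigint) + (x - 1) * sizeof(uint32_t));
    if (rv == NULL) return NULL;
    rv->next = NULL;
    rv->k = k;
    rv->maxwds = (int)x;
    return rv;
}

/* Bfree with the fix: a block whose k exceeds KMAX goes back to malloc
 * instead of being written into freelist[k]. */
void bfree_fixed(Bigint *v) {
    if (v == NULL) return;
    if (v->k > KMAX) { free(v); return; }
    v->next = freelist[v->k];
    freelist[v->k] = v;
}

/* Number of cached blocks in size class k, or -1 when k has no slot at all. */
int freelist_len(int k) {
    if (k < 0 || k > KMAX) return -1;
    int n = 0;
    for (Bigint *p = freelist[k]; p != NULL; p = p->next) n++;
    return n;
}

int main(void) {
    /* Constructed digit-string lengths straddling the KMAX boundary. */
    size_t lens[] = { 9, 20, 1152, 1153, 1000000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int k = k_for_digits(lens[i]);
        printf("%7zu digits -> k=%2d  freelist[%d] %s\n", lens[i], k, k,
               balloc_would_overflow(k) ? "OUT OF BOUNDS (pre-fix)" : "in bounds");
    }
    Bigint *big = balloc_fixed(k_for_digits(1000000));
    if (big == NULL) return 1;
    bfree_fixed(big);   /* returned to malloc; the free list array is untouched */
    return 0;
}
```

The boundary is what matters when auditing a copy of dtoa: with KMAX as assumed here, 1152 digits still fit class 7, while 1153 digits already require class 8 and would index one past the array. A fixed copy has the `k <= Kmax` guard in Balloc and the `v->k > Kmax` branch in Bfree; a copy lacking both, whatever its Kmax, is still exposed.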

Comment 10 Vincent Danen 2010-12-20 18:25:35 UTC
*** Bug 530162 has been marked as a duplicate of this bug. ***

Comment 11 Tomas Hoger 2014-03-18 15:11:48 UTC
Affected dtoa implementation is or was used in multiple projects.  Comment 0 above mentions OpenBSD and NetBSD, along with KDE Konqueror browser JavaScript engine kjs, and Mozilla products (Firefox, SeaMonkey and Thunderbird).

Mozilla products shipped in Red Hat Enterprise Linux were fixed via the following errata:




Comment 9 mentions that CVE-2009-1563 was originally used in Mozilla errata, but the CVE id was later rejected as duplicate of this CVE-2009-0689.

More recently, the issue was fixed in ruby using a different CVE id CVE-2013-4164 (bug 1033460) for the same issue.

Comment 12 errata-xmlrpc 2014-03-18 19:43:55 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.9 EUS - Server Only
  Red Hat Enterprise Linux 5.3 Long Life
  Red Hat Enterprise Linux 5.6 Long Life

Via RHSA-2014:0312 https://rhn.redhat.com/errata/RHSA-2014-0312.html

Comment 13 errata-xmlrpc 2014-03-18 19:45:20 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0311 https://rhn.redhat.com/errata/RHSA-2014-0311.html

Comment 14 Tomas Hoger 2014-03-18 20:46:34 UTC
This issue also affected PHP and was fixed upstream in version 5.2.2 before this was fixed in kdelibs or Mozilla products.  For further details, see bug 1057555.  Errata listed in comment 12 and comment 13 are for php packages in Red Hat Enterprise Linux 5 that were affected by the issue.

Comment 15 Tomas Hoger 2014-03-18 20:48:46 UTC
There are other projects that use this dtoa implementation and already include a fix for this issue (python, mysql, mariadb, nspr), or used it in the past (v8).
