It was reported [1] that KDE's kdelibs 4.3.3, and possibly earlier versions, suffers from a flaw in its dtoa implementation. A heap-based buffer overflow in the string to floating point number conversion routines could allow an attacker to craft some malicious JavaScript code containing a very long string to be converted to a floating point number. This could result in improper memory allocation and the execution of an arbitrary memory location, which could be leveraged to run arbitrary code on the victim's computer. This same flaw was originally reported against OpenBSD and NetBSD [2], and is similar to the Mozilla flaw CVE-2009-1563. A patch to correct this issue was committed to kdelibs/kjs/dtoa.cpp today [3].

[1] http://marc.info/?l=full-disclosure&m=125867830114502&w=2
[2] http://securityreason.com/achievement_securityalert/63
[3] http://lists.kde.org/?l=kde-commits&m=125874573511598&w=2
    http://websvn.kde.org/?view=revision&revision=1052100
This issue has been addressed in the following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2009:1601 https://rhn.redhat.com/errata/RHSA-2009-1601.html
An updated MITRE description for this is: Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. Note that CVE-2009-1563 was made a duplicate of this CVE; however, we have noted that CVE-2009-1563 was fixed in some Firefox errata.
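The "array index error" in the MITRE text refers to the size-class cache that dtoa's bignum allocator keeps for blocks of 1 << k words. The following is an added illustration, not code from dtoa.c, kdelibs, Mozilla or any vendor patch: a reduced model of that cache showing how a digit string long enough to need a size class above the cache's last slot (Kmax) makes the unpatched lookup index past the end of the free-list array, and how an upstream-style fix (check k against Kmax, fall back to a plain malloc and free oversized blocks instead of caching them) avoids it. The Kmax value, the digits-to-k mapping and all names are simplifications assumed by the model; the real implementations differ in detail.

```c
/* Added example (not the page's or any project's code): a minimal model of
   dtoa-style Balloc()/Bfree() with a bounded free-list cache. The fix shown
   here follows the shape of the upstream fixes (bounds-check k), but the
   constants and helper names are assumptions of this model. */
#include <stdio.h>
#include <stdlib.h>

#define KMAX 15   /* freelist[] has KMAX+1 size classes (assumption, as in classic dtoa.c) */

typedef struct Bigint {
    struct Bigint *next;
    int k;                /* size class: block holds 1 << k words */
    int maxwds;
    unsigned int x[1];    /* simplified flexible tail of words */
} Bigint;

static Bigint *freelist[KMAX + 1];

/* Size class for a decimal digit string: roughly 9 decimal digits fit one
   32-bit word; the word count is rounded up to a power of two.
   (Model of the sizing loop in dtoa's s2b(); treat the exact numbers as an
   assumption.) */
int size_class_for_digits(size_t ndigits)
{
    size_t words = (ndigits + 8) / 9;
    size_t y = 1;
    int k = 0;
    while (words > y) { y <<= 1; k++; }
    return k;
}

/* Unpatched behaviour: freelist[k] is read and written without checking k.
   Returns 0 when that access would be out of bounds. */
int vulnerable_index_in_bounds(int k)
{
    return k >= 0 && k <= KMAX;
}

/* Patched-style Balloc: only consult the cache for k <= KMAX,
   otherwise allocate directly. */
Bigint *balloc_fixed(int k)
{
    Bigint *rv;
    size_t nwords = (size_t)1 << k;
    if (k <= KMAX && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;
    } else {
        rv = malloc(sizeof(Bigint) + (nwords - 1) * sizeof(unsigned int));
        if (rv == NULL) return NULL;
        rv->k = k;
        rv->maxwds = (int)nwords;
    }
    rv->next = NULL;
    return rv;
}

/* Matching Bfree: blocks above KMAX are released, never pushed onto the cache. */
void bfree_fixed(Bigint *v)
{
    if (v == NULL) return;
    if (v->k > KMAX) {
        free(v);
    } else {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    }
}

/* Smallest digit count whose size class the unpatched lookup cannot handle. */
size_t first_unsafe_digit_count(void)
{
    size_t n = 1;
    while (vulnerable_index_in_bounds(size_class_for_digits(n))) n++;
    return n;
}

int main(void)
{
    size_t n = first_unsafe_digit_count();
    int k = size_class_for_digits(n);
    printf("%zu digits -> size class k=%d (KMAX=%d): unpatched freelist[k] is %s\n",
           n, k, KMAX, vulnerable_index_in_bounds(k) ? "in bounds" : "OUT OF BOUNDS");
    Bigint *b = balloc_fixed(k);
    printf("fixed Balloc(%d) -> %d words via malloc, never cached\n", k, b ? b->maxwds : -1);
    bfree_fixed(b);
    return 0;
}
```

Under these model constants a string of about 295k decimal digits is enough to push k past KMAX, which is why the reports speak of "a very long string": the length needed is large but trivially reachable from JavaScript or a printf precision argument.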
*** Bug 530162 has been marked as a duplicate of this bug. ***
Affected dtoa implementation is or was used in multiple projects. Comment 0 above mentions OpenBSD and NetBSD, along with KDE Konqueror browser JavaScript engine kjs, and Mozilla products (Firefox, Seamonkey and Thunderbird). Mozilla products shipped in Red Hat Enterprise Linux were fixed via the following errata:

firefox
https://rhn.redhat.com/errata/RHSA-2009-1530.html

seamonkey
https://rhn.redhat.com/errata/RHSA-2009-1531.html

thunderbird
https://rhn.redhat.com/errata/RHSA-2010-0153.html
https://rhn.redhat.com/errata/RHSA-2010-0154.html

Comment 9 mentions that CVE-2009-1563 was originally used in Mozilla errata, but the CVE id was later rejected as a duplicate of this CVE-2009-0689. More recently, the issue was fixed in ruby using a different CVE id, CVE-2013-4164 (bug 1033460), for the same issue.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5.9 EUS - Server Only
Red Hat Enterprise Linux 5.3 Long Life
Red Hat Enterprise Linux 5.6 Long Life

Via RHSA-2014:0312 https://rhn.redhat.com/errata/RHSA-2014-0312.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2014:0311 https://rhn.redhat.com/errata/RHSA-2014-0311.html
This issue also affected PHP and was fixed upstream in version 5.2.2, before this was fixed in kdelibs or Mozilla products. For further details, see bug 1057555. Errata listed in comment 12 and comment 13 are for php packages in Red Hat Enterprise Linux 5 that were affected by the issue.
There are other projects that use this dtoa implementation and already include a fix for this issue (python, mysql, mariadb, nspr), or used it in the past (v8).