Metric | Value |
---|---|
CVSS2 score | 6.8 Medium |
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
EPSS | 0.97 High |
EPSS percentile | 99.7% |

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c)
and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as
used in multiple operating systems and products including in FreeBSD 6.4
and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and
3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products,
allows context-dependent attackers to cause a denial of service
(application crash) and possibly execute arbitrary code via a large
precision value in the format argument to a printf function, which triggers
incorrect memory allocation and a heap-based buffer overflow during
conversion to a floating-point number.

Author | Note |
---|---|
mdeslaur | description omitted KDE. Mozilla has CVE-2009-1563 for the same issue. Red Hat released RHSA-2009:1601-01 to fix kdelibs |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 8.10 | noarch | kde4libs | < 4:4.1.4-0ubuntu1~intrepid1.5 | UNKNOWN |
ubuntu | 9.04 | noarch | kde4libs | < 4:4.2.2-0ubuntu5.4 | UNKNOWN |
ubuntu | 9.10 | noarch | kde4libs | < 4:4.3.2-0ubuntu7.2 | UNKNOWN |
ubuntu | 10.04 | noarch | kde4libs | < 4:3.5.10.dfsg.1-2.1ubuntu4 | UNKNOWN |
ubuntu | 8.04 | noarch | kdelibs | < 4:3.5.10-0ubuntu1~hardy1.5 | UNKNOWN |
ubuntu | 8.10 | noarch | kdelibs | < 4:3.5.10-0ubuntu6.4 | UNKNOWN |
ubuntu | 9.04 | noarch | kdelibs | < 4:3.5.10.dfsg.1-1ubuntu8.4 | UNKNOWN |
ubuntu | 9.10 | noarch | kdelibs | < 4:3.5.10.dfsg.1-2ubuntu7.2 | UNKNOWN |
ubuntu | 10.04 | noarch | kdelibs | < 4:3.5.10.dfsg.1-2.1ubuntu4 | UNKNOWN |
ubuntu | 8.04 | noarch | thunderbird | < 2.0.0.24+build1+nobinonly-0ubuntu0.8.04.1 | UNKNOWN |
marc.info/?l=full-disclosure&m=125867830114502&w=2
securityreason.com/achievement_securityalert/63
securityreason.com/achievement_securityalert/74
launchpad.net/bugs/cve/CVE-2009-0689
nvd.nist.gov/vuln/detail/CVE-2009-0689
rhn.redhat.com/errata/RHSA-2009-1601.html
security-tracker.debian.org/tracker/CVE-2009-0689
ubuntu.com/security/notices/USN-871-1
ubuntu.com/security/notices/USN-915-1
www.cve.org/CVERecord?id=CVE-2009-0689