Severity: Medium
  CVE Identifier: CVE-2009-0689
  Advisory Date: 21 July 2015

  DESCRIPTION

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.

  INFORMATION EXPOSURE

Apply associated Trend Micro DPI Rules.

  SOLUTION

  Trend Micro Deep Security DPI Rule Number: 1003908
  Trend Micro Deep Security DPI Rule Name: 1003908 - Opera Web Browser 'dtoa()' Remote Code Execution Vulnerability

  AFFECTED SOFTWARE AND VERSION:

  • FreeBSD FreeBSD 6.4
  • FreeBSD FreeBSD 7.2
  • K-Meleon Project K-Meleon 1.5.3
  • Mozilla Firefox 3.0.1
  • Mozilla Firefox 3.0.10
  • Mozilla Firefox 3.0.11
  • Mozilla Firefox 3.0.12
  • Mozilla Firefox 3.0.13
  • Mozilla Firefox 3.0.14
  • Mozilla Firefox 3.0.2
  • Mozilla Firefox 3.0.3
  • Mozilla Firefox 3.0.4
  • Mozilla Firefox 3.0.5
  • Mozilla Firefox 3.0.6
  • Mozilla Firefox 3.0.7
  • Mozilla Firefox 3.0.8
  • Mozilla Firefox 3.0.9
  • Mozilla Firefox 3.5
  • Mozilla Firefox 3.5.1
  • Mozilla Firefox 3.5.2
  • Mozilla Firefox 3.5.3
  • Mozilla Seamonkey 1.1.8
  • NetBSD NetBSD 5.0
  • OpenBSD OpenBSD 4.5