Strix
26.1K

CVE-2009-0689

UnknownEPSS 28.17%

Last modified

CVE-2009-0689 is a vulnerability of currently unknown severity. Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.. EPSS estimates a 28.17% chance of exploitation in the next 30 days.

Description

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.

Metrics

EPSS Probability
28.17%

97.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
K-Meleon ProjectK-Meleon1.5.3
MozillaFirefox3.0.1
MozillaFirefox3.0.2
MozillaFirefox3.0.3
MozillaFirefox3.0.4
MozillaFirefox3.0.5
MozillaFirefox3.0.6
MozillaFirefox3.0.7
MozillaFirefox3.0.8
MozillaFirefox3.0.9
MozillaFirefox3.0.10
MozillaFirefox3.0.11
MozillaFirefox3.0.12
MozillaFirefox3.0.13
MozillaFirefox3.0.14
MozillaFirefox3.5
MozillaFirefox3.5.1
MozillaFirefox3.5.2
MozillaFirefox3.5.3
MozillaSeamonkey1.1.8
FreebsdFreebsd6.4
FreebsdFreebsd7.2
NetbsdNetbsd5.0
OpenbsdOpenbsd4.5

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2009-0689?
Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.
How severe is CVE-2009-0689?
Severity scoring for CVE-2009-0689 is pending analysis. The EPSS model estimates a 28.17% probability of exploitation in the next 30 days.
How do I fix CVE-2009-0689?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-0689?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST