CVE-2009-0689

Publication date 1 July 2009

Last updated 24 July 2024


Ubuntu priority

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.

Read the notes from the security team

Status

Package Ubuntu Release Status
kde4libs 10.04 LTS lucid
Fixed 4:3.5.10.dfsg.1-2.1ubuntu4
9.10 karmic
Fixed 4:4.3.2-0ubuntu7.2
9.04 jaunty
Fixed 4:4.2.2-0ubuntu5.4
8.10 intrepid
Fixed 4:4.1.4-0ubuntu1~intrepid1.5
8.04 LTS hardy Ignored end of life
6.06 LTS dapper Not in release
kdelibs 10.04 LTS lucid
Fixed 4:3.5.10.dfsg.1-2.1ubuntu4
9.10 karmic
Fixed 4:3.5.10.dfsg.1-2ubuntu7.2
9.04 jaunty
Fixed 4:3.5.10.dfsg.1-1ubuntu8.4
8.10 intrepid
Fixed 4:3.5.10-0ubuntu6.4
8.04 LTS hardy
Fixed 4:3.5.10-0ubuntu1~hardy1.5
6.06 LTS dapper Ignored end of life
thunderbird 10.04 LTS lucid
Not affected
9.10 karmic
Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.9.10.1
9.04 jaunty
Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.9.04.1
8.10 intrepid
Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.8.10.1
8.04 LTS hardy
Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.8.04.1
6.06 LTS dapper Not in release

Notes


mdeslaur

description omitted KDE. Mozilla has CVE-2009-1563 for the same issue. Red Hat released RHSA-2009:1601-01 to fix kdelibs

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
kde4libs
kdelibs