製品・ソフトウェアに関する情報

JVN脆弱性詳細

libc における任意のコードを実行される脆弱性

Title	libc における任意のコードを実行される脆弱性
Summary	libc の dtoa.c または gdtoa/misc.c には、浮動小数点を変換する処理に不備があるため、任意のコードを実行される、およびサービス運用妨害 (DoS) 状態にされる脆弱性が存在します。
Possible impacts	攻撃者に任意のコードを実行される、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	July 1, 2009, midnight
Registration Date	Jan. 14, 2010, 12:08 p.m.
Last Update	July 13, 2010, 4:28 p.m.

CVSS2.0 : 警告
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected System

レッドハット

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 4.8 (as)

Red Hat Enterprise Linux 4.8 (es)

Red Hat Enterprise Linux 5 (server)

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

Red Hat Enterprise Linux EUS 5.4.z (server)

RHEL Desktop Workstation 5 (client)

RHEL Optional Productivity Applications 5 (server)

RHEL Optional Productivity Applications EUS 5.4.z (server)

Mozilla Foundation

Mozilla Firefox 3.0.15 未満

Mozilla Firefox 3.5.4 未満

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

Asianux Server 4.0

Asianux Server 4.0 (x86-64)

アップル

Apple Mac OS X v10.5.8

Apple Mac OS X v10.6 から v10.6.2

Apple Mac OS X Server v10.5.8

Apple Mac OS X Server v10.6 から v10.6.2

iOS 2.0 から 3.1.3

iOS for iPod touch 2.1 から 3.1.3

iPhone

iPod touch

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-0689	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689
National Vulnerability Database (NVD)
2	CVE-2009-0689	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0689

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Apple Security Updates
1	HT4077	http://support.apple.com/kb/HT4077
2	HT4225	http://support.apple.com/kb/HT4225
Apple セキュリティアップデート
3	HT4077	http://support.apple.com/kb/HT4077?viewlocale=ja_JP
4	HT4225	http://support.apple.com/kb/HT4225?viewlocale=ja_JP
Asianux Technical Support Network
5	kdelibs-3.5.5-11.25AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=777
MIRACLE LINUX アップデート情報
6	1824	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1824
Mozilla Foundation Security Advisory
7	MFSA 2009-59	http://www.mozilla.org/security/announce/2009/mfsa2009-59.html
Mozilla Foundation セキュリティアドバイザリ
8	MFSA 2009-59	http://www.mozilla-japan.org/security/announce/2009/mfsa2009-59.html
Red Hat Security Advisory
9	RHSA-2009:1601	https://rhn.redhat.com/errata/RHSA-2009-1601.html
10	RHSA-2010:0153	http://rhn.redhat.com/errata/RHSA-2010-0153.html
11	RHSA-2010:0154	http://rhn.redhat.com/errata/RHSA-2010-0154.html
レッドハットセキュリティーアップデート
12	RHSA-2009:1601	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1601J.html

その他

No	Name	URL
Secunia Advisory
1	1022478	http://securitytracker.com/id?1022478
SecurityTracker
2	SA37682	http://secunia.com/advisories/37682

Change Log

No	Changed Details	Date of change
0	[2010年01月14日] 掲載 [2010年03月29日] 影響を受けるシステム：レッドハット (RHSA-2010:0153) の情報を追加ベンダ情報：レッドハット (RHSA-2010:0153) を追加ベンダ情報：レッドハット (RHSA-2010:0154) を追加 [2010年04月15日] 影響を受けるシステム：アップル (HT4077) の情報を追加ベンダ情報：アップル (HT4077) を追加 [2010年07月13日] 影響を受けるシステム：アップル (HT4225) の情報を追加ベンダ情報：アップル (HT4225) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-0689

Summary	Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.
Publication Date	July 1, 2009, 10 p.m.
Registration Date	Jan. 29, 2021, 1:15 p.m.
Last Update	Nov. 2, 2018, 7:29 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:k-meleon_project:k-meleon:1.5.3:::::::*
cpe:2.3:a:mozilla:firefox:3.0.1:::::::*
cpe:2.3:a:mozilla:firefox:3.0.2:::::::*
cpe:2.3:a:mozilla:firefox:3.0.3:::::::*
cpe:2.3:a:mozilla:firefox:3.0.4:::::::*
cpe:2.3:a:mozilla:firefox:3.0.5:::::::*
cpe:2.3:a:mozilla:firefox:3.0.6:::::::*
cpe:2.3:a:mozilla:firefox:3.0.7:::::::*
cpe:2.3:a:mozilla:firefox:3.0.8:::::::*
cpe:2.3:a:mozilla:firefox:3.0.9:::::::*
cpe:2.3:a:mozilla:firefox:3.0.10:::::::*
cpe:2.3:a:mozilla:firefox:3.0.11:::::::*
cpe:2.3:a:mozilla:firefox:3.0.12:::::::*
cpe:2.3:a:mozilla:firefox:3.0.13:::::::*
cpe:2.3:a:mozilla:firefox:3.0.14:::::::*
cpe:2.3:a:mozilla:firefox:3.5:::::::*
cpe:2.3:a:mozilla:firefox:3.5.1:::::::*
cpe:2.3:a:mozilla:firefox:3.5.2:::::::*
cpe:2.3:a:mozilla:firefox:3.5.3:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.8:::::::*
cpe:2.3:o:freebsd:freebsd:6.4:::::::*
cpe:2.3:o:freebsd:freebsd:6.4:release::::::
cpe:2.3:o:freebsd:freebsd:6.4:release_p2::::::
cpe:2.3:o:freebsd:freebsd:6.4:release_p3::::::
cpe:2.3:o:freebsd:freebsd:6.4:release_p4::::::
cpe:2.3:o:freebsd:freebsd:6.4:release_p5::::::
cpe:2.3:o:freebsd:freebsd:6.4:stable::::::
cpe:2.3:o:freebsd:freebsd:7.2:::::::*
cpe:2.3:o:freebsd:freebsd:7.2:pre-release::::::
cpe:2.3:o:freebsd:freebsd:7.2:stable::::::
cpe:2.3:o:netbsd:netbsd:5.0:::::::*
cpe:2.3:o:openbsd:openbsd:4.5:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h	CONFIRM	Patch
2	http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html	APPLE	Vendor Advisory
3	http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html	APPLE
4	http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html	SUSE
5	http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html	SUSE
6	http://rhn.redhat.com/errata/RHSA-2014-0311.html	REDHAT
7	http://rhn.redhat.com/errata/RHSA-2014-0312.html	REDHAT
8	http://secunia.com/advisories/37431	SECUNIA	Vendor Advisory
9	http://secunia.com/advisories/37682	SECUNIA	Vendor Advisory
10	http://secunia.com/advisories/37683	SECUNIA	Vendor Advisory
11	http://secunia.com/advisories/38066	SECUNIA	Vendor Advisory
12	http://secunia.com/advisories/38977	SECUNIA	Vendor Advisory
13	http://secunia.com/advisories/39001	SECUNIA	Vendor Advisory
14	http://secunia.com/secunia_research/2009-35/	MISC	Vendor Advisory
15	http://securityreason.com/achievement_securityalert/63	SREASONRES	Exploit
16	http://securityreason.com/achievement_securityalert/69	SREASONRES
17	http://securityreason.com/achievement_securityalert/71	SREASONRES
18	http://securityreason.com/achievement_securityalert/72	SREASONRES
19	http://securityreason.com/achievement_securityalert/73	SREASONRES
20	http://securityreason.com/achievement_securityalert/75	SREASONRES
21	http://securityreason.com/achievement_securityalert/76	SREASONRES
22	http://securityreason.com/achievement_securityalert/77	SREASONRES
23	http://securityreason.com/achievement_securityalert/78	SREASONRES
24	http://securityreason.com/achievement_securityalert/81	SREASONRES
25	http://securitytracker.com/id?1022478	SECTRACK	Patch
26	http://sunsolve.sun.com/search/document.do?assetkey=1-26-272909-1	SUNALERT
27	http://support.apple.com/kb/HT4077	CONFIRM
28	http://support.apple.com/kb/HT4225	CONFIRM
29	http://www.mandriva.com/security/advisories?name=MDVSA-2009:294	MANDRIVA
30	http://www.mandriva.com/security/advisories?name=MDVSA-2009:330	MANDRIVA
31	http://www.mozilla.org/security/announce/2009/mfsa2009-59.html	CONFIRM	Vendor Advisory
32	http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c	CONFIRM	Patch Vendor Advisory
33	http://www.opera.com/support/kb/view/942/	CONFIRM
34	http://www.redhat.com/support/errata/RHSA-2009-1601.html	REDHAT
35	http://www.redhat.com/support/errata/RHSA-2010-0153.html	REDHAT
36	http://www.redhat.com/support/errata/RHSA-2010-0154.html	REDHAT
37	http://www.securityfocus.com/archive/1/507977/100/0/threaded	BUGTRAQ
38	http://www.securityfocus.com/archive/1/507979/100/0/threaded	BUGTRAQ
39	http://www.securityfocus.com/archive/1/508417/100/0/threaded	BUGTRAQ
40	http://www.securityfocus.com/archive/1/508423/100/0/threaded	BUGTRAQ
41	http://www.securityfocus.com/bid/35510	BID	Exploit Patch
42	http://www.ubuntu.com/usn/USN-915-1	UBUNTU
43	http://www.vupen.com/english/advisories/2009/3297	VUPEN	Vendor Advisory
44	http://www.vupen.com/english/advisories/2009/3299	VUPEN	Vendor Advisory
45	http://www.vupen.com/english/advisories/2009/3334	VUPEN	Vendor Advisory
46	http://www.vupen.com/english/advisories/2010/0094	VUPEN	Vendor Advisory
47	http://www.vupen.com/english/advisories/2010/0648	VUPEN	Vendor Advisory
48	http://www.vupen.com/english/advisories/2010/0650	VUPEN	Vendor Advisory
49	https://bugzilla.mozilla.org/show_bug.cgi?id=516396	CONFIRM
50	https://bugzilla.mozilla.org/show_bug.cgi?id=516862	CONFIRM
51	https://lists.debian.org/debian-lts-announce/2018/11/msg00001.html	MLIST
52	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6528	OVAL
53	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9541	OVAL

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:k-meleon_project:k-meleon:1.5.3:::::::*
cpe:2.3:a:mozilla:firefox:3.0.1:::::::*
cpe:2.3:a:mozilla:firefox:3.0.2:::::::*
cpe:2.3:a:mozilla:firefox:3.0.3:::::::*
cpe:2.3:a:mozilla:firefox:3.0.4:::::::*
cpe:2.3:a:mozilla:firefox:3.0.5:::::::*
cpe:2.3:a:mozilla:firefox:3.0.6:::::::*
cpe:2.3:a:mozilla:firefox:3.0.7:::::::*
cpe:2.3:a:mozilla:firefox:3.0.8:::::::*
cpe:2.3:a:mozilla:firefox:3.0.9:::::::*
cpe:2.3:a:mozilla:firefox:3.0.10:::::::*
cpe:2.3:a:mozilla:firefox:3.0.11:::::::*
cpe:2.3:a:mozilla:firefox:3.0.12:::::::*
cpe:2.3:a:mozilla:firefox:3.0.13:::::::*
cpe:2.3:a:mozilla:firefox:3.0.14:::::::*
cpe:2.3:a:mozilla:firefox:3.5:::::::*
cpe:2.3:a:mozilla:firefox:3.5.1:::::::*
cpe:2.3:a:mozilla:firefox:3.5.2:::::::*
cpe:2.3:a:mozilla:firefox:3.5.3:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.8:::::::*
cpe:2.3:o:freebsd:freebsd:6.4:::::::*
cpe:2.3:o:freebsd:freebsd:6.4:release::::::
cpe:2.3:o:freebsd:freebsd:6.4:release_p2::::::
cpe:2.3:o:freebsd:freebsd:6.4:release_p3::::::
cpe:2.3:o:freebsd:freebsd:6.4:release_p4::::::
cpe:2.3:o:freebsd:freebsd:6.4:release_p5::::::
cpe:2.3:o:freebsd:freebsd:6.4:stable::::::
cpe:2.3:o:freebsd:freebsd:7.2:::::::*
cpe:2.3:o:freebsd:freebsd:7.2:pre-release::::::
cpe:2.3:o:freebsd:freebsd:7.2:stable::::::
cpe:2.3:o:netbsd:netbsd:5.0:::::::*
cpe:2.3:o:openbsd:openbsd:4.5:::::::*