Severity: 2/4

Consequences: user access/rights, denial of service of service, denial of service of client

Provenance: document

Means of attack: 1 proof of concept

Ability of attacker: specialist (3/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 29/06/2009

IMPACTED PRODUCTS

 FreeBSD
 NetBSD
 OpenBSD

DESCRIPTION OF THE VULNERABILITY

Recent versions of FreeBSD, NetBSD and OpenBSD use the gdtoa (double to ascii) library to convert real values to character strings. Functions of the printf() family use gdtoa.

The number of digits of a real number can be indicated in the format parameter. For example, "%2.3f" displays 2 digits before the dot, and 3 after.

When the number of digits after the dot is over 2^18, the size allocated by gdtoa is too short. The memory is then corrupted.

When the attacker can choose a real value, and its display format by a function of the printf() family, he can therefore generate an overflow leading to a denial of service or to code execution.

CHARACTERISTICS

Identifiers: BID-35510, CVE-2009-0689, VIGILANCE-VUL-8828

http://vigilance.fr/vulnerability/BSD-memory-corruption-via-printf-8828