Bug 546371 (CVE-2009-1563) - VUL-0: CVE-2009-1563: mozilla-nspr: Array indexing error in NSPR's Balloc()
Summary: VUL-0: CVE-2009-1563: mozilla-nspr: Array indexing error in NSPR's Balloc()
Status: RESOLVED FIXED
Alias: CVE-2009-1563
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Other
Importance: P2 - High / Critical
Target Milestone: ---
Assignee: Brian Merrell
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:11.0:28529 maint:relea...
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-13 07:00 UTC by Wolfgang Rosenauer
Modified: 2021-12-07 16:16 UTC

See Also:
Found By: Third Party Developer/Partner
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Rosenauer 2009-10-13 07:00:30 UTC
This was reported to Mozilla from Secunia.
"We have assigned this vulnerability Secunia advisory SA36711 and CVE
identifier CVE-2009-1563."

Upstream bugreport is not public yet.

---
The vulnerability is caused due to an array indexing error while
allocating space for floating point numbers. This can be exploited to
trigger a memory corruption via a specially crafted floating point
number.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 3.0.14 and 3.5.3. Other
versions may also be affected.
---

The reason seems to be netlib's dtoa.c implementation, which is reused in NSPR (and also in the Mozilla JS engine, which gets fixed together with the next xulrunner update round).

As we ship a standalone NSPR we need to fix it there.

Fixed upstream version is 4.8.2 which is available. Backport should be possible I think in case it's needed.
Comment 1 Ludwig Nussel 2009-10-13 07:09:15 UTC
Thanks for the notification! Is there a CRD?
Comment 2 Swamp Workflow Management 2009-10-13 07:12:49 UTC
The SWAMPID for this issue is 27894.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/27894)
Comment 3 Wolfgang Rosenauer 2009-10-13 07:46:22 UTC
I can't find a CRD in the Mozilla report, therefore I don't think there is one, but I'm not absolutely sure.
Comment 4 Marcus Meissner 2009-10-26 13:29:48 UTC
Could someone please submit fixed packages to the older distros?

10.3,11.0,11.1, sle11,sles10sp2,sles10sp3 

(the same source should work everywhere I think.)
Comment 5 Peng Wu 2009-10-28 03:55:26 UTC
I will take care of this.
Comment 8 Marcus Meissner 2009-10-30 13:26:27 UTC
Brian, we also need this for the current update round (SLE and openSUSE), regardless of the product it is currently assigned to.

MFSA 2009-59 / CVE-2009-1563:
Security researcher Alin Rad Pop of Secunia Research reported a heap-based buffer overflow in Mozilla's string to floating point number conversion routines. Using this vulnerability an attacker could craft some malicious JavaScript code containing a very long string to be converted to a floating point number which would result in improper memory allocation and the execution of an arbitrary memory location. This vulnerability could thus be leveraged by the attacker to run arbitrary code on a victim's computer.
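The advisory above describes the failure mode in one sentence: a very long numeric string handed to the string-to-float converter led to a wrong allocation size and heap corruption. Two things a packager or application developer wants while an update like this one is rolled out are (a) a regression check that feeds the converter exactly that class of input and verifies it still returns the correctly rounded value, and (b) a length-capped wrapper so that untrusted input of unbounded length never reaches the converter in the first place. The C program below is an added example, not code from the bug report, from NSPR or from dtoa.c; libc's `strtod` stands in for the library's own conversion routine, and the `MAX_NUMERIC_LEN` cap, the digit counts and the input strings are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Application-level cap on numeric string length (assumed value for this
 * example). A double never needs more than a few hundred significant digits,
 * so legitimate input is not affected by a cap in this range. */
#define MAX_NUMERIC_LEN 512

typedef enum {
    PARSE_OK,
    PARSE_TOO_LONG,  /* rejected before the converter ever sees the input */
    PARSE_INVALID,   /* empty, or trailing garbage after the number */
    PARSE_RANGE      /* converter reported overflow/underflow (ERANGE) */
} parse_status;

/* Mitigation: the converter (libc strtod here, standing in for a library
 * routine) only runs on inputs whose length was checked first. */
parse_status bounded_strtod(const char *s, double *out)
{
    size_t n = 0;
    while (n <= MAX_NUMERIC_LEN && s[n] != '\0')
        n++;
    if (n > MAX_NUMERIC_LEN)
        return PARSE_TOO_LONG;
    if (n == 0)
        return PARSE_INVALID;

    char *end = NULL;
    errno = 0;
    double v = strtod(s, &end);
    if (end == s || *end != '\0')
        return PARSE_INVALID;
    if (errno == ERANGE)
        return PARSE_RANGE;
    *out = v;
    return PARSE_OK;
}

/* Constructed input: "0." followed by ndigits copies of '1'. Caller frees. */
char *make_long_mantissa(size_t ndigits)
{
    char *buf = malloc(ndigits + 3);
    if (buf == NULL)
        return NULL;
    buf[0] = '0';
    buf[1] = '.';
    memset(buf + 2, '1', ndigits);
    buf[ndigits + 2] = '\0';
    return buf;
}

/* Constructed input: "1e" followed by nzeros copies of '0' and a final '1',
 * i.e. the value 10 written with an absurdly long exponent field. */
char *make_long_exponent(size_t nzeros)
{
    char *buf = malloc(nzeros + 4);
    if (buf == NULL)
        return NULL;
    buf[0] = '1';
    buf[1] = 'e';
    memset(buf + 2, '0', nzeros);
    buf[nzeros + 2] = '1';
    buf[nzeros + 3] = '\0';
    return buf;
}

/* Regression check: hand the raw, uncapped long inputs to the converter and
 * verify the results. 0.111...1 with thousands of digits rounds to the same
 * double as 1.0/9.0 (tolerance well above one ULP), and 1e000...01 is exactly
 * 10. Returns 1 when both conversions are correct, 0 otherwise. */
int converter_handles_long_input(size_t ndigits, size_t nzeros)
{
    int ok = 0;
    char *m = make_long_mantissa(ndigits);
    char *e = make_long_exponent(nzeros);
    if (m != NULL && e != NULL) {
        char *end = NULL;
        double vm = strtod(m, &end);
        double d = vm - 1.0 / 9.0;
        int m_ok = (*end == '\0') && d > -1e-15 && d < 1e-15;
        double ve = strtod(e, &end);
        int e_ok = (*end == '\0') && ve == 10.0;
        ok = m_ok && e_ok;
    }
    free(m);
    free(e);
    return ok;
}

/* Run the capped wrapper on a mantissa of the given length. */
parse_status capped_status_for_length(size_t ndigits)
{
    double v = 0.0;
    char *m = make_long_mantissa(ndigits);
    if (m == NULL)
        return PARSE_INVALID;
    parse_status st = bounded_strtod(m, &v);
    free(m);
    return st;
}

int main(void)
{
    double v = 0.0;
    printf("converter long-input check: %s\n",
           converter_handles_long_input(5000, 1000) ? "pass" : "FAIL");
    printf("capped wrapper, 100 digits:  status %d\n", capped_status_for_length(100));
    printf("capped wrapper, 5000 digits: status %d\n", capped_status_for_length(5000));
    printf("capped wrapper, \"1e400\":    status %d\n", bounded_strtod("1e400", &v));
    return 0;
}
```

The regression check is the part to keep in a package's test suite: it exercises both the long-mantissa and the long-exponent path with inputs far beyond what any correct converter needs, and a converter with the allocation bug described above would fault or return garbage rather than the rounded value. The capped wrapper is the defence-in-depth piece for code that parses numbers from untrusted input; note that it returns `PARSE_RANGE` for `1e400` rather than silently accepting the infinity `strtod` produces.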
Comment 9 Brian Merrell 2009-11-03 07:30:23 UTC
Submitted for SUSE:SLE-11:Update (req id 2542), SUSE:SLE-10-SP3:Update (req id 2543), and SUSE:SLE-10-SP2:Update (req id 2544).

Will submit for openSUSE next.
Comment 10 Brian Merrell 2009-11-03 21:20:20 UTC
Submitted for openSUSE:11.0:Update (req id 23808) and openSUSE:11.1:Update (req id 23809)
Comment 11 Brian Merrell 2009-11-03 21:23:04 UTC
(In reply to comment #4)
> could someone please submit fixed packages to the older distros?
> 
> 10.3,11.0,11.1, sle11,sles10sp2,sles10sp3 
> 
> (the same source should work everywhere I think.)

Everything should be submitted at this point.

openSUSE 10.3 is no longer supported (as of 10/31), so I did not submit packages for it.  Marcus informed me of this via IRC.
Comment 12 Thomas Biege 2009-11-04 13:44:36 UTC
CVE-2009-1563: CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Comment 13 Swamp Workflow Management 2009-11-06 13:42:02 UTC
Update released for: mozilla-nspr, mozilla-nspr-debuginfo, mozilla-nspr-debugsource, mozilla-nspr-devel
Products:
openSUSE 11.0 (debug, i386, ppc, ppc64, x86_64)
openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64)
Comment 14 Swamp Workflow Management 2009-11-06 23:08:47 UTC
Update released for: mozilla-nspr, mozilla-nspr-devel
Products:
SLE-DESKTOP 10-SP2 (i386, x86_64)
SLE-SERVER 10-SP2 (i386, ia64, ppc, s390x, x86_64)
Comment 15 Swamp Workflow Management 2009-11-06 23:08:56 UTC
Update released for: mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-debuginfo-32bit, mozilla-nspr-debuginfo-x86, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nspr-x86
Products:
SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11 (i386, x86_64)
SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Comment 16 Swamp Workflow Management 2009-11-06 23:09:36 UTC
Update released for: mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-64bit, mozilla-nspr-debuginfo, mozilla-nspr-devel, mozilla-nspr-x86
Products:
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Comment 17 Marcus Meissner 2009-11-23 15:28:00 UTC
All done and released but Moblin. Let's close.
Comment 18 Swamp Workflow Management 2009-11-24 12:12:45 UTC
Update released for: mozilla-nspr, mozilla-nspr-debuginfo, mozilla-nspr-debugsource, mozilla-nspr-devel
Products:
SUSE-MOBLIN 2.0 (i386)
SUSE-MOBLIN 2.0-DEBUG (i386)
Comment 19 Bernhard Wiedemann 2016-04-15 09:59:06 UTC
This is an autogenerated message for OBS integration:
This bug (546371) was mentioned in
https://build.opensuse.org/request/show/23808 11.0 / mozilla-nspr
https://build.opensuse.org/request/show/23809 11.1 / mozilla-nspr