======================================================================
Secunia Research 28/07/2010
- Autonomy KeyView wkssr.dll -
- Floating Point Conversion Buffer Overflow -
======================================================================
Table of Contents
Affected Software....................................................1
Problem Description:
Security issues were identified and fixed in firefox 3.0.x:
Security researcher Alin Rad Pop of Secunia Research reported a
heap-based buffer overflow in Mozilla's string to floating point
number conversion routines. Using this vulnerability an attacker
could craft some malicious JavaScript code containing a very long
string to be converted to a floating point number which would result
in improper memory allocation and the execution of an arbitrary memory
location. This vulnerability could thus be leveraged by the attacker
Problem Description:
Security issues were identified and fixed in firefox 3.5.x:
Security researcher Alin Rad Pop of Secunia Research reported a
heap-based buffer overflow in Mozilla's string to floating point
number conversion routines. Using this vulnerability an attacker
could craft some malicious JavaScript code containing a very long
string to be converted to a floating point number which would result
in improper memory allocation and the execution of an arbitrary memory
location. This vulnerability could thus be leveraged by the attacker
Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0
Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK,
Apache, JBossweb, and other products, allows remote attackers to cause
a denial of service via a crafted string that triggers an infinite
loop of estimations during conversion to a double-precision binary
floating-point number, as demonstrated using 2.2250738585072012e-308
(CVE-2010-4476).
IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5
does not properly verify signatures for JAR files that (1) are
partially signed or (2) signed by multiple entities, which allows
NumberFormatter::getSymbol function could allow an attacker to cause
a denial of service. This issue only affected Ubuntu 10.04 LTS and
Ubuntu 10.10. (CVE-2010-4409)
Rick Regan discovered that when handing PHP textual representations
of the largest subnormal double-precision floating-point number,
the zend_strtod function could go into an infinite loop on 32bit
x86 processors, allowing an attacker to cause a denial of service.
(CVE-2010-4645)
Problem Description:
Security issues were identified and fixed in firefox 3.0.x:
Security researcher Alin Rad Pop of Secunia Research reported a
heap-based buffer overflow in Mozilla's string to floating point
number conversion routines. Using this vulnerability an attacker
could craft some malicious JavaScript code containing a very long
string to be converted to a floating point number which would result
in improper memory allocation and the execution of an arbitrary memory
location. This vulnerability could thus be leveraged by the attacker
RESOLUTION
HP has made the following software tool available to resolve the vulnerability.
The FPUpdater tool (Floating Point Updater) must be run to update the Java Development Kit (JDK) and/or the Java Runtime Environment (JRE). This tool can be used to update all versions of HP-UX Java.
To download the FPUpdater tool, go to https://www.hp.com/go/java then click on the link for the FPUpdater tool
An HP Passport user ID is required to download the FPUpdater tool and its Readme file. For information on registering for an HP Passport user ID, refer to: https://passport2.hp.com
must visit a malicious page or open a malicious file.
The specific flaw exists when the application parses a PDF file
containing a malformed CLOD Progressive Mesh Continuation Resolution
Update. Specific values can cause a memory corruption during floating
point operations which can be subsequently leveraged to achieve
arbitrary code execution under the privileges of the current user.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
Multiple Denial of Service vulnerabilities were discovered, including a
long "library" parameter in the dl() function (CVE-2007-4887), in
several iconv and xmlrpc functions (CVE-2007-4840 and CVE-2007-4783),
in the setlocale() function (CVE-2007-4784), in the glob() and
fnmatch() function (CVE-2007-4782 and CVE-2007-3806), a floating point
exception in the wordwrap() function (CVE-2007-3998), a stack
exhaustion via deeply nested arrays (CVE-2007-4670), an infinite loop
caused by a specially crafted PNG image in the png_read_info() function
of libpng (CVE-2007-2756) and several issues related to array
conversion.
RESOLUTION
HP has made the following software tool available to resolve the vulnerability.
The FPUpdater tool (Floating Point Updater) must be run to update the Java Development Kit (JDK) and/or the Java Runtime Environment (JRE). This tool can be used to update all versions of HP-UX Java.
To download the FPUpdater tool, go to https://www.hp.com/go/java then click on the link for the FPUpdater tool
Note: Before running the FPUpdater tool set the shell environment variable JRE_HOME as follows:
======================================================================
Secunia Research 28/10/2009
- Mozilla Firefox Floating Point Memory Allocation Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
I. Description
The Palm Pre WebOS version <= 1.1 suffers from a floating point exception vulnerability when attempting to view a specially crafted web page. This vulnerability has been addressed in the latest patch from Palm and all users are recommended to update to WebOS version 1.2+.
II. Impact
If a user views a malicious web page that contains specially crafted data, the "LunaSysMgr" process will crash, causing the device to simulate a reboot. The bug itself is a floating point exception that crashes the "LunaSysMgr" process and forces the device to restart the process, simulating a reboot of the system. At the time of the discovery, the greatest risk to the system was a denial of service condition.
The crash does not occur when viewing the malicious web page while in landscape mode.
Multiple buffer overflows in MPFR might lead to a Denial of Service.
Background
==========
MPFR is a library for multiple-precision floating-point computations
with exact rounding.
Affected packages
=================
