CVSS2 score: 6.8 (Medium)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS score: 0.97 (High)
EPSS percentile: 99.7%
It was found that the float-parsing code used in Mono before 4.2 is derived from code vulnerable to CVE-2009-0689. The issue concerns the ‘freelist’ array, a global array of 16 pointers to ‘Bigint’. This array is part of a memory allocation and reuse system that attempts to reduce the number of ‘malloc’ and ‘free’ calls: the system allocates blocks in power-of-two sizes, from 2^0 through 2^15 words, and keeps freed blocks of each size in a linked list rooted at the corresponding cell of ‘freelist’. The ‘Balloc’ and ‘Bfree’ functions that operate this system do not check that the size parameter ‘k’ lies within the 0…15 range the array was sized for. As a result, a sufficiently large allocation has k=16, and the code treats the word immediately after ‘freelist’ as the head of a list of previously-allocated chunks. The specific results vary significantly with version, platform, and compiler, since they depend on the layout of variables in memory. An attacker who can cause a carefully-chosen string to be converted to a floating-point number can cause a crash and potentially induce arbitrary code execution.
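Added example, not Mono's or dtoa's source: a simplified C model of the pool described above, showing the unchecked ‘Balloc’/‘Bfree’ pair beside a checked form in which any block whose size class exceeds the freelist bound bypasses the pool entirely (the shape of the upstream dtoa.c fix for CVE-2009-0689). Assumptions: the 16-cell, Kmax = 15 layout stated in the text, and the digit-to-k sizing rule of Gay's dtoa ‘s2b’ (nine decimal digits per 32-bit word, rounded up to a power of two); Mono's derived code may differ in details, so the digit counts are indicative, not an exploit recipe.

```c
/* Model of the dtoa-style Bigint pool. Added example; not Mono's code.
 * Field names follow David Gay's dtoa.c; the sizing rule in k_for_digits
 * is an assumption about the derived code in Mono. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define Kmax 15                       /* freelist has cells 0..Kmax (16 pointers) */

typedef struct Bigint {
    struct Bigint *next;              /* link in the per-size freelist chain */
    int k;                            /* size class: maxwds == 1 << k */
    int maxwds;                       /* capacity in 32-bit words */
    int sign, wds;
    uint32_t x[1];                    /* payload, over-allocated below */
} Bigint;

static Bigint *freelist[Kmax + 1];    /* one chain head per size class */

/* Size class s2b would request for a string of nd decimal digits
 * (assumed rule: words = ceil(nd/9), rounded up to a power of two). */
static int k_for_digits(long nd)
{
    long x = (nd + 8) / 9, y = 1;
    int k = 0;
    while (x > y) { y <<= 1; k++; }
    return k;
}

/* Vulnerable shape: k is used as an index with no range check.
 * For k > Kmax the read in Balloc and the write in Bfree land on whatever
 * the compiler placed after freelist. Kept here for comparison only. */
static Bigint *Balloc_unchecked(int k)
{
    Bigint *rv = freelist[k];                 /* out-of-bounds read if k > Kmax */
    if (rv) {
        freelist[k] = rv->next;
    } else {
        int x = 1 << k;
        rv = malloc(sizeof(Bigint) + (size_t)(x - 1) * sizeof(uint32_t));
        if (!rv) abort();
        rv->k = k; rv->maxwds = x;
    }
    rv->sign = rv->wds = 0;
    return rv;
}
static void Bfree_unchecked(Bigint *v)
{
    if (!v) return;
    v->next = freelist[v->k];                 /* out-of-bounds write if k > Kmax */
    freelist[v->k] = v;
}

/* Checked form: the pool is only consulted for 0 <= k <= Kmax; larger
 * blocks are plain malloc/free and never touch freelist. */
static Bigint *Balloc(int k)
{
    Bigint *rv = NULL;
    if (k < 0 || k >= 31) return NULL;        /* also keeps 1 << k defined */
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;
    } else {
        size_t x = (size_t)1 << k;
        rv = malloc(sizeof(Bigint) + (x - 1) * sizeof(uint32_t));
        if (!rv) return NULL;
        rv->k = k; rv->maxwds = (int)x;
    }
    rv->sign = rv->wds = 0;
    return rv;
}
static void Bfree(Bigint *v)
{
    if (!v) return;
    if (v->k > Kmax) { free(v); return; }     /* oversized block: bypass the pool */
    v->next = freelist[v->k];
    freelist[v->k] = v;
}

int main(void)
{
    long nd = 294913;                         /* smallest count giving k = 16 under the assumed rule */
    int k = k_for_digits(nd);
    printf("%ld digits -> k=%d (Kmax=%d): unchecked Balloc would touch freelist[%d]\n",
           nd, k, Kmax, k);
    Bigint *small = Balloc_unchecked(2);      /* in range: identical behaviour */
    Bfree_unchecked(small);
    Bigint *big = Balloc(k);                  /* checked: served outside the pool */
    printf("checked Balloc(%d): maxwds=%d, released with free()\n", k, big->maxwds);
    Bfree(big);
    return 0;
}
```

The checked ‘Balloc’ also rejects negative or absurd k, because the chain-head read is only half the hazard: an oversized block that a checked allocator hands out must never be returned to the pool by an unchecked ‘Bfree’, so both functions have to agree on the bound.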
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Mageia | 5 | noarch | mono | < 3.12.1-1.2 | mono-3.12.1-1.2.mga5 |