Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
 home presentation resources documentation contact  
subscriber area subscriber area
free access free access
Vigil@nce describes vulnerabilities impacting your systems, and offers solutions to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability
vulnerability note CVE-2009-2483
NetBSD: denial of service via proplib

Synthesis of the vulnerability
A local attacker can stop applications or drivers using proplib.
Severity: 1/4.
Consequences: denial of service of computer, denial of service of service.
Provenance: user shell.
Means of attack: 1 attack.
Ability of attacker: technician (2/4).
Confidence: confirmed by the editor (5/5).
Diffusion of the vulnerable configuration: high (3/3).
Creation date: 24/06/2009.

Impacted products

Description of the vulnerability
The proplib library is used to manipulate property lists (plist), using booleans (true, false), integers (integer, real) or strings (string), stored in an XML tree.

The _prop_object_internalize_by_tag() function of the src/common/lib/libprop/prop_object.c file reads XML tags. However, when an XML tag is not standard (such as "<number>"), this function dereferences the poi->poi_tag pointer which is NULL. This error stops the program.

A local attacker can therefore stop applications or drivers using proplib.

Characteristics
Title: NetBSD: denial of service via proplib
Identifiers: BID-35466, CVE-2009-2483, NetBSD-SA2009-003, VIGILANCE-VUL-8819.
Url: https://vigilance.fr/tree/1/8819

Information sources
Publications and announces
Source example: proplib crashes on reading bad XML data

Solutions for this vulnerability
Patch or workaround

Supplements

Attack
Exploit 0day or proof of concept



















France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française