vulnerability note CVE-2009-2483

NetBSD: denial of service via proplib

Synthesis of the vulnerability

A local attacker can stop applications or drivers using proplib.

Severity: 1/4. Creation date: 24/06/2009.

Description of the vulnerability

The proplib library is used to manipulate property lists (plist), using booleans (true, false), integers (integer, real) or strings (string), stored in an XML tree. The _prop_object_internalize_by_tag() function of the src/common/lib/libprop/prop_object.c file reads XML tags. However, when an XML tag is not standard (such as "<number>"), this function dereferences the poi->poi_tag pointer which is NULL. This error stops the program. A local attacker can therefore stop applications or drivers using proplib.

Complete Vigil@nce bulletin

Access to the complete Vigil@nce bulletin

Characteristics

Title: NetBSD: denial of service via proplib. Keywords: NULL NetBSD XML _prop_object_internalize_by_tag denial poi_tag prop_object proplib service. Identifiers: BID-35466, CVE-2009-2483, NetBSD-SA2009-003, VIGILANCE-VUL-8819.

Information sources

Publications and announces Source example: proplib crashes on reading bad XML data

Solutions for this vulnerability

Patch or workaround

Supplements

Attack Exploit 0day or proof of concept

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Technology watch team on vulnerabilities