Advisories » MGASA-2016-0013

Updated mono packages fix security vulnerability

Publication date: 14 Jan 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2009-0689
It was found that float-parsing code used in Mono before 4.2 is derived
from code vulnerable to CVE-2009-0689. The issue concerns the 'freelist'
array, which is a global array of 16 pointers to 'Bigint'. This array is
part of a memory allocation and reuse system which attempts to reduce the
number of 'malloc' and 'free' calls. The system allocates blocks in
power-of-two sizes, from 2^0 through 2^15, and stores freed blocks of each
size in a linked list rooted at the corresponding cell of 'freelist'. The
'Balloc' and 'Bfree' functions which operate this system fail to check if
the size parameter 'k' is within the allocated 0..15 range. As a result, a
sufficiently large allocation will have k=16 and treat the word
immediately after 'freelist' as a pointer to a previously-allocated chunk.
The specific results may vary significantly based on the version,
platform, and compiler, since they depend on the layout of variables in
memory. An attacker who can cause a carefully-chosen string to be
converted to a floating-point number can cause a crash and potentially
induce arbitrary code execution.
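As an added illustration, and not the actual Mono or dtoa.c source, here is a simplified model of the Balloc/Bfree reuse scheme with the bounds check the vulnerable version lacked: any block whose k is outside 0..15 bypasses the freelist entirely, so a large allocation can never index the word after the array. The guard slot, the uses_freelist helper and freelist_guard are assumptions made for the demonstration.

```c
#include <stdlib.h>

/* Largest bucket index the freelist can hold: buckets 0..KMAX, 16 in all. */
#define KMAX 15

typedef struct Bigint {
    struct Bigint *next;   /* link in the per-size free list */
    int k;                 /* bucket: block holds 1 << k words */
    int maxwds;            /* capacity in words (1 << k) */
    int sign, wds;
    unsigned int x[1];     /* payload, allocated to maxwds words */
} Bigint;

/* One extra, always-NULL slot (an assumption for this model) stands in for
 * "the word immediately after freelist", so a test can confirm that no k
 * ever writes past bucket KMAX. */
static Bigint *freelist[KMAX + 2];

/* Does this k qualify for freelist reuse? The vulnerable code skipped this
 * check and indexed freelist[k] for any k, including 16. */
int uses_freelist(int k) { return k >= 0 && k <= KMAX; }

Bigint *Balloc(int k) {
    Bigint *rv;
    if (k < 0 || k > 30) return NULL;            /* keep 1 << k defined */
    if (uses_freelist(k) && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;                  /* pop a recycled block */
    } else {
        int x = 1 << k;
        rv = malloc(sizeof(Bigint) + (size_t)(x - 1) * sizeof(unsigned int));
        if (rv == NULL) return NULL;
        rv->k = k;
        rv->maxwds = x;
    }
    rv->sign = rv->wds = 0;
    return rv;
}

void Bfree(Bigint *v) {
    if (v == NULL) return;
    if (!uses_freelist(v->k)) {                  /* oversized: never cached */
        free(v);
        return;
    }
    v->next = freelist[v->k];                    /* push onto its bucket */
    freelist[v->k] = v;
}

/* Guard slot after the last bucket; a correct implementation leaves it NULL. */
Bigint *freelist_guard(void) { return freelist[KMAX + 1]; }
```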