Vulnerability CVE-2009-1284 - CERT Civis.Net

Vulnerability Name:

CVE-2009-1284 (CCN-49599)

Assigned:

2009-03-24

Published:

2009-03-24

Updated:

2013-04-19

Summary:

Buffer overflow in BibTeX 0.99 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a long .bib bibliography file.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
4.1 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.6 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: CCN
Type: Debian Bug report logs - #520920
texlive-base-bin: bibtex crashes with large bib file

Source: CONFIRM
Type: Exploit
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520920

Source: MITRE
Type: CNA
CVE-2009-1284

Source: CCN
Type: SA34445
TeX Live bibtex Buffer Overflow Vulnerability

Source: SECUNIA
Type: UNKNOWN
34445

Source: GENTOO
Type: UNKNOWN
GLSA-201206-28

Source: CCN
Type: BibTeX Web site
BibTeX

Source: CCN
Type: oss-security Mailing List, Wed, 01 Apr 2009 14:29:57 +0200
CVE request -- bibtex, pam_ssh

Source: MLIST
Type: UNKNOWN
[oss-security] 20090401 CVE request -- bibtex, pam_ssh

Source: CCN
Type: OSVDB ID: 53562
BibTeX BIB File Handling Overflow

Source: CCN
Type: BID-34332
BibTeX '.bib' File Handling Memory Corruption Vulnerability

Source: CCN
Type: BID-34509
TeX Live '.bib' File Buffer Overflow Vulnerability

Source: CCN
Type: USN-937-1
TeX Live vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-937-1

Source: CCN
Type: Red Hat Bugzilla Bug 492136
tetex, texlive: bibtex's invalid reads/writes when parsing big *.bib file

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=492136

Source: XF
Type: UNKNOWN
bibtex-bib-dos(49599)

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-10730

Source: CCN
Type: fedora-package-announce Mailing List, Fri, 13 Nov 2009 02:25:51 +0000
FEDORA-2009-10857

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-10857

Vulnerable Configuration:

Configuration 1:

cpe:/a:bibtex:bibtex:0.99:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:bibtex:bibtex:0.99:*:*:*:*:*:*:*

AND

cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.1:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.1:*:*:*:x86_64:*:*:*

OR cpe:/o:mandriva:enterprise_server:5:*:*:*:*:*:*:*

OR cpe:/o:mandriva:enterprise_server:5:*:*:*:x86_64:*:*:*

OR cpe:/o:mandriva:linux:2010:*:*:*:x86_64:*:*:*

OR cpe:/o:mandriva:linux:2010:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:13403	P	USN-937-1 -- texlive-bin vulnerabilities	2014-06-30