CVE-2009-3389

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Integer overflow in libtheora in Xiph.Org Theora before 1.1, as used in Mozilla Firefox 3.5 before 3.5.6 and SeaMonkey before 2.0.1, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a video with large dimensions.

References

http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html

http://secunia.com/advisories/37699

http://secunia.com/advisories/37785

http://secunia.com/advisories/37856

http://secunia.com/advisories/37881

http://secunia.com/advisories/39317

http://www.mandriva.com/security/advisories?name=MDVSA-2010:043

http://www.mozilla.org/security/announce/2009/mfsa2009-67.html

http://www.novell.com/linux/security/advisories/2009_63_firefox.html

http://www.securityfocus.com/bid/37349

http://www.securityfocus.com/bid/37368

http://www.theora.org/news/#libtheora-1.1.0

http://www.ubuntu.com/usn/USN-874-1

http://www.vupen.com/english/advisories/2009/3547

https://bugzilla.mozilla.org/show_bug.cgi?id=504613

https://bugzilla.mozilla.org/show_bug.cgi?id=515882

https://exchange.xforce.ibmcloud.com/vulnerabilities/54805

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7967

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00995.html

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01034.html

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01041.html

Details

Source: MITRE

Published: 2009-12-17

Updated: 2017-09-19

Type: CWE-189

Risk Information

CVSS v2

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 8.6

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mozilla:firefox:3.5.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.5.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.5.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.5.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.5.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0:alpha:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0:beta:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.99:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1:alpha:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1:beta:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.10:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.11:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.12:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.13:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.14:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.15:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.16:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.17:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.5.0.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.5.0.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.5.0.10:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:2.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:2.0:alpha_1:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:2.0:alpha_2:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:2.0:alpha_3:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:2.0:beta_1:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:2.0:beta_2:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:2.0:rc1:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:*:rc2:*:*:*:*:*:* versions up to 2.0 (inclusive)

cpe:2.3:a:mozilla:seamonkey:2.0a1:*:pre:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:2.0a1pre:*:*:*:*:*:*:*

Tenable Plugins

View all (31 total)

IDNameProductFamilySeverity
71170GLSA-201312-04 : libtheora: Arbitrary code executionNessusGentoo Local Security Checks
high
67974Oracle Linux 3 / 4 : seamonkey (ELSA-2009-1673)NessusOracle Linux Local Security Checks
high
63402GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)NessusGentoo Local Security Checks
critical
50944SuSE 11 Security Update : libtheora (SAT Patch Number 2067)NessusSuSE Local Security Checks
high
49889SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 6735)NessusSuSE Local Security Checks
high
48162Mandriva Linux Security Advisory : firefox (MDVSA-2009:338)NessusMandriva Local Security Checks
high
46316Debian DSA-2045-1 : libtheora - integer overflowNessusDebian Local Security Checks
high
45467openSUSE Security Update : libtheora (libtheora-2069)NessusSuSE Local Security Checks
high
45461openSUSE Security Update : libtheora (libtheora-2069)NessusSuSE Local Security Checks
high
45455openSUSE Security Update : libtheora (libtheora-2069)NessusSuSE Local Security Checks
high
45034SuSE 11.2 Security Update: MozillaThunderbird (2010-03-05)NessusSuSE Local Security Checks
critical
5354Mozilla Thunderbird < 3.0.1 Multiple VulnerabilitiesNessus Network MonitorSMTP Clients
medium
44673Mandriva Linux Security Advisory : libtheora (MDVSA-2010:043)NessusMandriva Local Security Checks
high
44111Mozilla Thunderbird < 3.0.1 Multiple VulnerabilitiesNessusWindows
high
43824Ubuntu 9.10 : firefox-3.5, xulrunner-1.9.1 regression (USN-878-1)NessusUbuntu Local Security Checks
high
43619openSUSE Security Update : seamonkey (seamonkey-1738)NessusSuSE Local Security Checks
high
43397SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 6733)NessusSuSE Local Security Checks
high
43386SuSE 11 Security Update : Mozilla Firefox (SAT Patch Number 1709)NessusSuSE Local Security Checks
high
43383openSUSE Security Update : MozillaFirefox (MozillaFirefox-1708)NessusSuSE Local Security Checks
high
43367Ubuntu 9.10 : firefox-3.5, xulrunner-1.9.1 vulnerabilities (USN-874-1)NessusUbuntu Local Security Checks
high
43355CentOS 4 : seamonkey (CESA-2009:1673)NessusCentOS Local Security Checks
high
43339Fedora 12 : Miro-2.5.2-7.fc12 / blam-1.8.5-21.fc12 / firefox-3.5.6-1.fc12 / galeon-2.0.7-19.fc12 / etc (2009-13366)NessusFedora Local Security Checks
high
43336Fedora 12 : seamonkey-2.0.1-1.fc12 (2009-13362)NessusFedora Local Security Checks
high
43334Fedora 11 : Miro-2.5.2-7.fc11 / blam-1.8.5-17.fc11 / chmsee-1.0.1-14.fc11 / epiphany-2.26.3-7.fc11 / etc (2009-13333)NessusFedora Local Security Checks
high
43176FreeBSD : mozilla -- multiple vulnerabilities (01c57d20-ea26-11de-bd39-00248c9b4be7)NessusFreeBSD Local Security Checks
high
801360Mozilla SeaMonkey < 2.0.1 Multiple VulnerabilitiesLog Correlation EngineWeb Clients
high
5265SeaMonkey < 2.0.1 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
medium
5264Mozilla Firefox < 3.0.16 / 3.5.6 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
medium
43175SeaMonkey < 2.0.1 Multiple VulnerabilitiesNessusWindows
high
43174Firefox 3.5 < 3.5.6 Multiple VulnerabilitiesNessusWindows
high
43170RHEL 3 / 4 : seamonkey (RHSA-2009:1673)NessusRed Hat Local Security Checks
high