PT-2007-2285 · Microsoft · Visual C++ 8.0 Standard Library

3Apa3A · Published 2007-02-13 · Updated 2024-03-12 · CVE-2007-0842

CVSS v2.0: 5.0 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Name of the Vulnerable Software and Affected Versions: Microsoft Visual C++ 8.0 standard library (MSVCR80.DLL) version 8.0
Description: The 64-bit versions of the Microsoft Visual C++ 8.0 standard library time functions, including localtime, localtime_s, gmtime, gmtime_s, ctime, ctime_s, wctime, wctime_s, and fstat, trigger an assertion error instead of returning a NULL pointer or EINVAL when processing a time argument later than Jan 1, 3000. This might allow context-dependent attackers to cause a denial of service via large time values. The behavior is inconsistent with the documentation, which does not list assertions as a possible result of an error condition.
Recommendations: For Microsoft Visual C++ 8.0 standard library (MSVCR80.DLL) version 8.0, consider validating arguments to the time functions to prevent assertion errors and potential denial of service attacks. As a temporary workaround, consider adding input validation to ensure time values do not exceed Jan 1, 3000, until a more comprehensive solution is available.
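
One way to apply the input-validation workaround above, as an added example that is not part of the original advisory or Microsoft's code. The names `checked_gmtime`, `parse_untrusted_time` and `SAFE_TIME_LIMIT` are hypothetical; the limit is the advisory's Jan 1, 3000 cutoff taken as 00:00:00 UTC, and rejecting negative values is a choice made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* 3000-01-01 00:00:00 UTC in seconds since the epoch: the cutoff the advisory names. */
#define SAFE_TIME_LIMIT INT64_C(32503680000)

/* Convert only values in [0, SAFE_TIME_LIMIT); anything else returns EINVAL
 * before the CRT is called. Rejecting negative values is this example's choice. */
int checked_gmtime(int64_t t, struct tm *out)
{
    if (out == NULL || t < 0 || t >= SAFE_TIME_LIMIT)
        return EINVAL;
    time_t tt = (time_t)t;
    if ((int64_t)tt != t)            /* value does not fit a 32-bit time_t */
        return EINVAL;
    struct tm *r = gmtime(&tt);      /* only reached with an in-range value */
    if (r == NULL)
        return EINVAL;
    *out = *r;
    return 0;
}

/* Parse a decimal timestamp taken from untrusted input, then range-check it. */
int parse_untrusted_time(const char *s, struct tm *out)
{
    char *end = NULL;
    if (s == NULL || *s == '\0')
        return EINVAL;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || *end != '\0')  /* overflow or trailing garbage */
        return EINVAL;
    return checked_gmtime((int64_t)v, out);
}

int main(void)
{
    /* Constructed sample inputs: the advisory date, the last accepted second, the cutoff. */
    const char *samples[] = { "1171324800", "32503679999", "32503680000", "12abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct tm tm;
        int rc = parse_untrusted_time(samples[i], &tm);
        printf("%-12s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected (EINVAL)");
    }
    return 0;
}
```

The same pre-check applies in front of the other listed functions (localtime, ctime and their _s variants), since the range test runs before any library call is made.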

Related Identifiers: CVE-2007-0842
Affected Products: Visual C++ 8.0 Standard Library