Bug 188108

Summary: CVE-2006-1550 Dia multiple buffer overflows
Product: [Retired] Fedora Legacy
Reporter: David Eisenstein <deisenst>
Component: dia
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED DUPLICATE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html
Whiteboard: impact=moderate, LEGACY, rhl73, rhl9, 1, 2, 3, NEEDSWORK
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-12 23:27:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 187401, 187402
Bug Blocks:

Description David Eisenstein 2006-04-06 03:18:04 UTC
+++ This bug was initially created as a clone of Bug #187401 +++

Dia multiple buffer overflows

infamous41md discovered three buffer overflows in Dia's xfig importer.
The issues are caused by unchecked input from the xfig file.

The patch can be found here:
http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html


This issue also affects RHEL2.1

-- Additional comment from bressers on 2006-03-30 13:44 EST --
Created an attachment (id=127062)
Demo Exploit #1


-- Additional comment from bressers on 2006-03-30 13:44 EST --
Created an attachment (id=127063)
Demo Exploit #2


-- Additional comment from bressers on 2006-03-30 13:45 EST --
Created an attachment (id=127064)
Demo Exploit #3

Comment 1 David Eisenstein 2006-04-06 03:59:15 UTC
CVE-2006-1550 states:

"Multiple buffer overflows in the xfig import code (xfig-import.c) in Dia 0.87
and later before 0.95-pre6 allow user-complicit attackers to have an unknown
impact via a crafted xfig file, possibly involving an invalid (1) color index,
(2) number of points, or (3) depth."

Fedora Legacy versions affected
  Distro      Package
  -------     ------------------------------
  RHL 7.3     dia-0.88.1-3
  RHL 9       dia-0.90-11
  FC1         dia-0.92.2-1
  FC2         dia-0.92.2-3.1
  FC3         dia-0.94-5.fc3

FC4 issued an errata, FEDORA-2006-261 <http://tinyurl.com/kyrry>, issued on
2005-04-05, related to Bug #187402.  (dia-0.94-13.fc4).

Also, since dia was transferred to Fedora Extras for FC5, an errata (or update)
was issued by them in Bug #187556 (dia-0.94-21).

I am wondering -- does anything in the system depend on dia?  If not, would
it be in our interest to upgrade RHL7.3, RHL9, FC1 & FC2 to dia-0.94, since
that is the version for which the patch had been created?  We've had pretty good
success upgrading mozilla and ethereal in that way. . . .
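The CVE text quoted above names three values an importer reads from the file and must bound before using them: a colour index, a point count and a depth. The following is an added illustration, not Dia's xfig-import.c and not code from this bug or the linked patch: a parser for a constructed, simplified polyline record that checks each of those values against the fixed-size table or buffer it would otherwise index or fill, and refuses the record with a distinct error instead of trusting the file. The record layout, the table and buffer sizes and the depth range are assumptions made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration (not Dia's xfig-import.c): the fixed-size storage
 * a naive importer would index or fill directly with values read from the
 * file.  Sizes are assumed for the example. */
#define PALETTE_SIZE 32   /* assumed size of the colour table */
#define MAX_POINTS   64   /* assumed per-object point buffer */
#define MAX_DEPTH    999  /* assumed: xfig depths run 0..999 */

enum fig_status {
    FIG_OK = 0,
    FIG_ERR_SYNTAX,       /* token missing or not an integer */
    FIG_ERR_COLOR_INDEX,  /* would index outside the colour table */
    FIG_ERR_NUM_POINTS,   /* would overrun the point buffer */
    FIG_ERR_DEPTH,        /* outside the legal depth range */
    FIG_ERR_TRUNCATED     /* fewer coordinates than the count claimed */
};

struct fig_polyline {
    int depth;
    int color;
    int npoints;
    int x[MAX_POINTS];
    int y[MAX_POINTS];
};

/* Read one integer token with strtol(); reject junk, overflow and empty input
 * rather than accepting whatever atoi() would silently return. */
static int read_int(const char **p, int *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return 0;
    *p = end;
    *out = (int)v;
    return 1;
}

/* Parse a constructed, simplified record of the form
 *   "2 <depth> <color> <npoints> x1 y1 x2 y2 ..."
 * Every count and index taken from the file is range-checked against the
 * storage it will be used with before it is used. */
enum fig_status fig_parse_polyline(const char *text, struct fig_polyline *out)
{
    const char *p = text;
    int kind, i;

    if (!read_int(&p, &kind) || kind != 2)
        return FIG_ERR_SYNTAX;
    if (!read_int(&p, &out->depth) || !read_int(&p, &out->color) ||
        !read_int(&p, &out->npoints))
        return FIG_ERR_SYNTAX;

    /* The three bounds checks an unchecked importer omits. */
    if (out->depth < 0 || out->depth > MAX_DEPTH)
        return FIG_ERR_DEPTH;
    if (out->color < 0 || out->color >= PALETTE_SIZE)
        return FIG_ERR_COLOR_INDEX;
    if (out->npoints < 1 || out->npoints > MAX_POINTS)
        return FIG_ERR_NUM_POINTS;

    /* Only now is npoints safe to use as a loop bound for the buffers. */
    for (i = 0; i < out->npoints; i++) {
        if (!read_int(&p, &out->x[i]) || !read_int(&p, &out->y[i]))
            return FIG_ERR_TRUNCATED;
    }
    return FIG_OK;
}

/* Small wrappers so a caller can inspect results without the struct. */
int fig_status_of(const char *text)
{
    struct fig_polyline pl;
    return (int)fig_parse_polyline(text, &pl);
}

int fig_last_point_x(const char *text)
{
    struct fig_polyline pl;
    if (fig_parse_polyline(text, &pl) != FIG_OK)
        return -1;
    return pl.x[pl.npoints - 1];
}

int main(void)
{
    /* Constructed sample records: one valid, then one per rejected field. */
    const char *samples[] = {
        "2 50 3 3 0 0 10 0 10 10",  /* valid: 3 points, colour 3, depth 50 */
        "2 50 40 1 0 0",            /* colour index past the table end */
        "2 50 3 100000 0 0",        /* point count far beyond the buffer */
        "2 -5 3 1 0 0",             /* negative depth */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> status %d\n", samples[i], fig_status_of(samples[i]));
    return 0;
}
```

The point of the wrapper around strtol() is that the checks only help if the parsed value is the one the file actually carried; a silently clamped or misparsed token would let a hostile count slip past the comparison. Each rejected record reports which field failed, which is also what a fuzzer or a log line would want to see.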

Comment 2 kashif 2006-04-20 10:19:37 UTC
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system.  The kernel handles the basic functions
of the operating system:  memory allocation, process allocation, device
input and output, etc.

The Dia drawing program is designed to be like the Windows(TM) Visio
program.  Dia can be used to draw different types of diagrams, and
includes support for UML static structure diagrams (class diagrams),
entity relationship modeling, and network diagrams.  Dia can load and
save diagrams to a custom file format, can load and save in .xml format,
and can export to PostScript(TM).

Comment 3 Marc Deslauriers 2006-05-12 23:27:50 UTC

*** This bug has been marked as a duplicate of 190942 ***