Bug 190942

Summary: CVE-2006-1550 Dia multiple buffer overflows and format string vulnerabilities (CVE-2005-2966, CVE-2006-2480, CVE-2006-2453)
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: dia
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: deisenst, pekkas
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate, LEGACY, rh73, rh9, 1, 2, 3, NEEDSWORK
Doc Type: Bug Fix
Last Closed: 2007-08-30 20:00:54 UTC
Bug Depends On: 192699, 192830

Description Marc Deslauriers 2006-05-06 22:06:43 UTC
+++ This bug was initially created as a clone of Bug #187401 +++

Dia multiple buffer overflows

infamous41md discovered three buffer overflows in Dia's xfig importer.
The issues are caused by unchecked input from the xfig file.

The patch can be found here:
http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html


This issue also affects RHEL2.1

-- Additional comment from bressers on 2006-03-30 13:44 EST --
Created an attachment (id=127062)
Demo Exploit #1


-- Additional comment from bressers on 2006-03-30 13:44 EST --
Created an attachment (id=127063)
Demo Exploit #2


-- Additional comment from bressers on 2006-03-30 13:45 EST --
Created an attachment (id=127064)
Demo Exploit #3


-- Additional comment from caolanm on 2006-04-03 05:49 EST --
For bug 187559, RHEL-4 has been rebuilt and mkerrata re-ran

dist-4E-errata-candidate dia-0.94-5.3


-- Additional comment from caolanm on 2006-04-04 03:36 EST --
dist-2.1AS-errata-candidate dia-0.88.1-3.2 has been respun and mkerrata run for
RHEL-2.1 to pick-up fixed buildroot.

-- Additional comment from caolanm on 2006-04-28 05:53 EST --
RHEL-4 packages rebuilt to avoid huge mem alloc on invalid record size and
mkerrata has been rerun for RHEL-4

dist-4E-errata-candidate dia-0.94-5.4

-- Additional comment from bugzilla on 2006-05-03 11:56 EST --

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0280.html
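The description above names the root cause (unchecked input from the xfig file) and the RHEL-4 respin mentions a huge allocation on an invalid record size, but neither shows what that looks like in code. The following is an added example, not Dia's code or a patch from this bug: a minimal reader for a constructed, xfig-style text record of the form "<depth> <len> <string>", with the unchecked version beside a hardened one. The record format, the function names, the 64-byte name buffer and the 1 MiB cap are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not Dia's code: a minimal reader for a constructed,
 * xfig-style text record "<depth> <len> <string>", where <len> is the
 * length the file claims for <string>.  The unbounded "%s" and the
 * trusted length field are the two shapes of "unchecked input from the
 * xfig file": a stack overflow and an attacker-chosen allocation size.
 * All names, limits and sample records here are assumptions.
 */

#define NAME_BUF 64
#define MAX_RECORD_LEN (1UL << 20)   /* 1 MiB cap on one text record; assumed */

/* Status codes returned by the parsers. */
enum { REC_OK = 0, REC_SYNTAX = -1, REC_BAD_LEN = -2, REC_LEN_MISMATCH = -3, REC_NOMEM = -4 };

/* VULNERABLE (kept for contrast; only ever called on a benign record here):
 *  - "%s" writes as many bytes as the file supplies into name[64]
 *  - len goes straight from the file into malloc() and memcpy()        */
int parse_text_record_unsafe(const char *line, char **out)
{
    char name[NAME_BUF];
    int depth;
    long len;

    if (sscanf(line, "%d %ld %s", &depth, &len, name) != 3)
        return REC_SYNTAX;
    *out = malloc(len + 1);          /* negative len wraps to a huge size_t */
    if (*out == NULL)
        return REC_NOMEM;
    memcpy(*out, name, len);         /* over-reads name[] when len > strlen(name) */
    (*out)[len] = '\0';
    return REC_OK;
}

/* HARDENED: width-limited conversion, then the length field is checked
 * against a fixed cap and against the bytes actually read, before any
 * allocation happens. */
int parse_text_record_safe(const char *line, char **out)
{
    char name[NAME_BUF];
    int depth;
    long len;

    /* "%63s" stops after 63 bytes and leaves room for the terminator */
    if (sscanf(line, "%d %ld %63s", &depth, &len, name) != 3)
        return REC_SYNTAX;
    if (len < 0 || (unsigned long)len > MAX_RECORD_LEN)
        return REC_BAD_LEN;          /* reject instead of malloc()ing whatever the file says */
    if ((size_t)len != strlen(name))
        return REC_LEN_MISMATCH;     /* claimed length disagrees with the payload we read */
    *out = malloc((size_t)len + 1);
    if (*out == NULL)
        return REC_NOMEM;
    memcpy(*out, name, (size_t)len);
    (*out)[len] = '\0';
    return REC_OK;
}

/* Status of the hardened parser for one record line. */
int record_status(const char *line)
{
    char *s = NULL;
    int rc = parse_text_record_safe(line, &s);
    free(s);
    return rc;
}

/* Constructed record whose string is 200 bytes, far past name[64]. */
int overlong_record_status(void)
{
    char line[256];
    char payload[201];
    memset(payload, 'A', 200);
    payload[200] = '\0';
    snprintf(line, sizeof line, "50 200 %s", payload);
    return record_status(line);
}

int main(void)
{
    const char *samples[] = {
        "50 3 abc",               /* well-formed */
        "50 999999999 abc",       /* absurd length: would be a huge malloc() */
        "50 -1 abc",              /* negative length */
        "50 9 abc",               /* length field lies about the payload */
    };
    char *s = NULL;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %d\n", samples[i], record_status(samples[i]));
    printf("200-byte string        -> %d\n", overlong_record_status());
    if (parse_text_record_unsafe("50 3 abc", &s) == REC_OK) {
        printf("unsafe parser, benign input -> %s\n", s);
        free(s);
    }
    return 0;
}
```

The order of checks in the hardened parser is the point: the length field is bounded and cross-checked against the bytes actually read before malloc() is called, so a crafted record can neither overflow the stack buffer nor force a multi-gigabyte allocation.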

Comment 1 Marc Deslauriers 2006-05-07 03:27:15 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA.

7f2630052615cad2e86dce113fb09a8fbdf15064  7.3/dia-0.88.1-3.1.legacy.src.rpm
f24bb78d953e4a818528fe582d8c985d36f5d4d4  9/dia-0.90-11.1.legacy.src.rpm
60d8615212e807dd9579317b74046483eb850496  1/dia-0.92.2-1.1.legacy.src.rpm
ca3212f3c249d5ba8ed4e969428d98a38b265533  2/dia-0.92.2-3.1.1.legacy.src.rpm
0736cf8804b65194e12dcd87cd897ef446234cdb  3/dia-0.94-5.fc3.1.legacy.src.rpm

Downloads:

http://www.infostrategique.com/linuxrpms/legacy/7.3/dia-0.88.1-3.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/dia-0.90-11.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/dia-0.92.2-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/dia-0.92.2-3.1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/dia-0.94-5.fc3.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEXWuALMAs/0C4zNoRAvyjAJ9ESKsU0KOTguO+uX3GHOpQwyAfFwCfXB50
OQLO9l0xn9bOq9vI1208/Ew=
=YxKR
-----END PGP SIGNATURE-----


Comment 2 Pekka Savola 2006-05-07 04:56:23 UTC
Two questions:

 - in RHL9, the patch appears to be commented out?  Does this package need to
be re-spun, or can this be fixed at build time?
 - Are we affected by CVE-2005-2966? RHEL hasn't patched it at least and
bugzilla search is not working properly so I can't check whether there is bz#
for it..

Other than that, looks good.


Comment 3 Marc Deslauriers 2006-05-07 14:13:22 UTC
Argh...thanks for noticing the commented out patch in rh9...

You're right. Looks like we're affected by CVE-2005-2966. I can't find a
bugzilla entry for it for RHEL either, but Debian has a patch we can use.

I'll respin these.

Comment 5 Marc Deslauriers 2006-05-12 23:28:02 UTC
*** Bug 188108 has been marked as a duplicate of this bug. ***

Comment 6 David Eisenstein 2006-05-27 23:38:56 UTC
Looks like there are more potential issues with dia than the CVE-2006-1550 issue
addressed by this bugzilla ticket.  Hans de Goede of the Fedora Security project
has fixed two format string vulnerabilities for the FE5 version of dia for two
new CVE's:

 *  CVE-2006-2480 - "Format string vulnerability in Dia 0.94 allows
    user-complicit attackers to cause a denial of service (crash) and
    possibly execute arbitrary code by triggering errors or warnings,
    as demonstrated via format string specifiers in a .bmp filename. 
    NOTE: the original exploit was demonstrated through a command line
    argument, but there are other mechanisms for inputs that are automatically
    processed by Dia, such as a crafted .dia file."  (See Bug #192535 for FE5;
    and Bug #192538 & Bug #192699 for FC4).

*   CVE-2006-2453 - Additional dia format string flaws ("** RESERVED **
    This candidate has been reserved ... yada yada yada").  (See Bug #192830 
    for FE5, and Bug #192699 for FC4).

I haven't checked the code yet, but I imagine if there are format string
vulnerabilities in dia, that they've been there for a long time, and therefore
fixes for CVE-2006-2453 and CVE-2006-2480 could be backported...
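The CVE text quoted in the comment above describes the bug but not its shape in code. The following is an added example, not Dia's code or any of the FE5/FC4 patches referenced above: a variadic warning routine that receives an attacker-influenced .bmp file name in the format position, beside the one-line fix, plus a small audit helper. emit_warning(), report_open_failure_vuln() and report_open_failure_safe() are hypothetical names, and the file names are constructed inputs.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Dia's code.  The shape of CVE-2006-2480 as quoted
 * above: a variadic warning routine receives an attacker-influenced
 * string (a .bmp file name) in the *format* position instead of as an
 * argument.  emit_warning() and report_open_failure_*() are hypothetical
 * names; the file names in main() and the tests are constructed inputs.
 */

#define MSG_LEN 256

/* Hypothetical logging sink, standing in for a g_warning()-style call.
 * Because it is variadic and unannotated, the compiler cannot see that a
 * caller passed untrusted data as the format. */
static int emit_warning(char *msg, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = vsnprintf(msg, n, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE: the file name *is* the format string.  A name such as
 * "evil%x%x.bmp" reads stack words into the message and "%n" writes to
 * memory.  Only ever called on a directive-free name in this example. */
int report_open_failure_vuln(char *msg, size_t n, const char *filename)
{
    return emit_warning(msg, n, filename);
}

/* FIXED: the format is a literal and the untrusted string is only an
 * argument consumed by %s, so directives inside it stay inert text. */
int report_open_failure_safe(char *msg, size_t n, const char *filename)
{
    return emit_warning(msg, n, "Could not open %s", filename);
}

/* Audit helper: does an untrusted string contain a live printf
 * directive?  "%%" is a literal percent sign and does not count. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* Returns 1 if the fixed routine keeps the hostile name as literal text. */
int safe_keeps_directives_literal(const char *filename)
{
    char msg[MSG_LEN];
    report_open_failure_safe(msg, sizeof msg, filename);
    return strstr(msg, filename) != NULL;
}

/* Returns 1 if the vulnerable routine reproduces a directive-free name
 * unchanged, 0 if the output differs, -1 if the name carries a directive
 * (refused: that call would be a real format string attack). */
int vuln_ok_on_benign(const char *filename)
{
    char msg[MSG_LEN];
    if (contains_format_directive(filename))
        return -1;
    report_open_failure_vuln(msg, sizeof msg, filename);
    return strcmp(msg, filename) == 0;
}

int main(void)
{
    const char *names[] = { "diagram.bmp", "100%%.bmp", "evil%x%x%n.bmp" };
    char msg[MSG_LEN];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        report_open_failure_safe(msg, sizeof msg, names[i]);
        printf("%-16s directive=%d  safe message: %s\n",
               names[i], contains_format_directive(names[i]), msg);
    }
    return 0;
}
```

Note that even the harmless "100%%.bmp" comes out of the vulnerable path as "100%.bmp", which is the tell-tale sign in a bug report that a string is being interpreted rather than printed. To have the compiler catch this class of call, give emit_warning() a `__attribute__((format(printf, 3, 4)))` annotation and build with `-Wformat -Wformat-security`; gcc and clang then warn on report_open_failure_vuln() at compile time.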

Comment 7 Jesse Keating 2007-08-30 20:00:54 UTC
Fedora Legacy project has ended.  These will not be fixed by Fedora Legacy.