Bug 192538

| Summary: | CVE-2006-2480: dia format string vulnerability | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Ville Skyttä <scop> |
| Component: | dia | Assignee: | Caolan McNamara <caolanm> |
| Status: | CLOSED DUPLICATE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4 | CC: | fedora-security-list |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-05-23 07:46:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ville Skyttä
2006-05-20 09:35:56 UTC
f-security-list: note that this is not in audit/fc4, I don't think I have permissions to commit to that. Please don't patch this issue yet. I plan to have a look through the dia source for additional format string vulnerabilities (I seriously doubt this is the only one).

This comment of mine collided with John's comment, so it's a bit stale:

---

I've fixed this for FE using the patch attached to upstream's BZ (after checking / verifying it). And yes, this most definitely is a vulnerability. The current example of the string format vulnerability is rather harmless, but I _think_ it will be possible to exploit this by getting people to open malformed files with dia. Also talking about dia, in my memory a security hole was found in one of the dia import filters during the 0.95 pre cycle, I dunno if dia 0.94 had this hole though (and my memory may be wrong altogether, mixing up events).

---

Now with John's new comment in mind, I guess the same goes for dia in FE?

After seeing the BZ collision with your comment I tried to kill my builds of the fix, but I was too late, a new version with the patch has been successfully built for FE-5 and devel. I guess that's what I get for being quick. Anyways, what do we do now? Ask the new versions to be removed from the needsign and push queue? Or just release them and release again when you're done with your audit?

How (un)lucky can one get? My dia build for FE was just signed and pushed, so it's too late to remove it from the queue. I'm closing the BZ ticket on this for FE. Please open a new one when you find anything. I'm on fedora-security-list, so I'll keep following this ticket through the list.

Sorry, that was me, I saw the commit and saw it also ready in the needsign queue so I decided to do a push before seeing these comments.

Forgot to note that when checking for format string issues, pscan from Extras can save some grunt work, e.g. `find . -name "*.c" -o -name "*.h" | xargs pscan -w "$@"`