Bug 188108 - CVE-2006-1550 Dia multiple buffer overflows
Summary: CVE-2006-1550 Dia multiple buffer overflows
Keywords:
Status: CLOSED DUPLICATE of bug 190942
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: dia
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://mail.gnome.org/archives/dia-li...
Whiteboard: impact=moderate, LEGACY, rhl73, rhl9,...
Depends On: 187401 187402
Blocks:
 
Reported: 2006-04-06 03:18 UTC by David Eisenstein
Modified: 2007-04-18 17:41 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-05-12 23:27:50 UTC
Embargoed:



Description David Eisenstein 2006-04-06 03:18:04 UTC
+++ This bug was initially created as a clone of Bug #187401 +++

Dia multiple buffer overflows

infamous41md discovered three buffer overflows in Dia's xfig importer.
The issues are caused by unchecked input from the xfig file.

The patch can be found here:
http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html


This issue also affects RHEL2.1

-- Additional comment from bressers on 2006-03-30 13:44 EST --
Created an attachment (id=127062)
Demo Exploit #1


-- Additional comment from bressers on 2006-03-30 13:44 EST --
Created an attachment (id=127063)
Demo Exploit #2


-- Additional comment from bressers on 2006-03-30 13:45 EST --
Created an attachment (id=127064)
Demo Exploit #3

Comment 1 David Eisenstein 2006-04-06 03:59:15 UTC
CVE-2006-1550 states:

"Multiple buffer overflows in the xfig import code (xfig-import.c) in Dia 0.87
and later before 0.95-pre6 allow user-complicit attackers to have an unknown
impact via a crafted xfig file, possibly involving an invalid (1) color index,
(2) number of points, or (3) depth."

Fedora Legacy versions affected
  Distro      Package
  -------     ------------------------------
  RHL 7.3     dia-0.88.1-3
  RHL 9       dia-0.90-11
  FC1         dia-0.92.2-1
  FC2         dia-0.92.2-3.1
  FC3         dia-0.94-5.fc3

FC4 issued an errata, FEDORA-2006-261 <http://tinyurl.com/kyrry>, issued on
2005-04-05, related to Bug #187402.  (dia-0.94-13.fc4).

Also, since dia was transferred to Fedora Extras for FC5, an errata (or update)
was issued by them in Bug #187556 (dia-0.94-21).

I am wondering -- does anything in the system depend on dia?  If not, would
it be in our interest to upgrade RHL7.3, RHL9, FC1 & FC2 to dia-0.94, since
that is the version for which the patch had been created?  We've had pretty good
success upgrading mozilla and ethereal in that way. . . .
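
The description above says the overflows come from unchecked input in the xfig
importer, and the CVE text names three fields (color index, number of points,
depth). The following C program is an added illustration of that bug class; it
is not Dia's xfig-import.c and not the patch linked above. The record layout
("<depth> <color_idx> <npoints> x1 y1 ..."), the table sizes (NCOLORS,
MAX_POINTS, MAX_DEPTH) and the parse_polyline_* functions are invented for the
example. It shows the unchecked pattern beside a version that range-checks every
file-supplied integer before it is used as an array index or a loop bound.

```c
/*
 * Added illustration of the bug class described in CVE-2006-1550, not Dia's
 * xfig-import.c: an xfig-style importer that trusts integer fields (depth,
 * colour index, point count) read from the file. The record layout, limits
 * and table contents below are invented for the example.
 */
#include <stdio.h>
#include <string.h>

#define NCOLORS    32    /* hypothetical: xfig's 32 standard colours only */
#define MAX_POINTS 64    /* hypothetical fixed-size point buffer */
#define MAX_DEPTH  999   /* hypothetical: xfig depths are 0..999 */

enum {
    PARSE_OK = 0,
    PARSE_SHORT = -1,       /* record ended before all announced fields were read */
    PARSE_BAD_DEPTH = -2,
    PARSE_BAD_COLOR = -3,
    PARSE_BAD_NPOINTS = -4
};

/* xfig standard colours 0..7 (black, blue, green, cyan, red, magenta, yellow,
 * white); entries 8..31 are left as 0 to keep the example short. */
static const unsigned rgb_table[NCOLORS] = {
    0x000000, 0x0000ff, 0x00ff00, 0x00ffff, 0xff0000, 0xff00ff, 0xffff00, 0xffffff
};

typedef struct {
    int depth;
    unsigned rgb;
    int npoints;
    int x[MAX_POINTS];
    int y[MAX_POINTS];
} polyline;

/* Simplified record: "<depth> <color_idx> <npoints> x1 y1 x2 y2 ...".
 * VULNERABLE pattern: values from the file are used directly. A colour index
 * of 1000 reads far past rgb_table (1); a point count of 100000 makes the loop
 * write past x[] and y[] (2). Never call this with untrusted input. */
static int parse_polyline_unchecked(const char *text, polyline *out)
{
    int color_idx, consumed;

    if (sscanf(text, "%d %d %d%n", &out->depth, &color_idx, &out->npoints, &consumed) != 3)
        return PARSE_SHORT;
    out->rgb = rgb_table[color_idx];                        /* (1) */
    text += consumed;
    for (int i = 0; i < out->npoints; i++) {                /* (2) */
        if (sscanf(text, "%d %d%n", &out->x[i], &out->y[i], &consumed) != 2)
            return PARSE_SHORT;
        text += consumed;
    }
    return PARSE_OK;
}

/* HARDENED: every integer that becomes an index or a loop bound is
 * range-checked before use; parsing stops at the first bad field. */
static int parse_polyline_checked(const char *text, polyline *out)
{
    int depth, color_idx, npoints, consumed;

    if (sscanf(text, "%d %d %d%n", &depth, &color_idx, &npoints, &consumed) != 3)
        return PARSE_SHORT;
    if (depth < 0 || depth > MAX_DEPTH)
        return PARSE_BAD_DEPTH;
    if (color_idx == -1)                  /* xfig's "default colour" marker */
        color_idx = 0;
    if (color_idx < 0 || color_idx >= NCOLORS)
        return PARSE_BAD_COLOR;
    if (npoints < 1 || npoints > MAX_POINTS)
        return PARSE_BAD_NPOINTS;

    out->depth = depth;
    out->rgb = rgb_table[color_idx];
    out->npoints = npoints;
    text += consumed;
    for (int i = 0; i < npoints; i++) {
        if (sscanf(text, "%d %d%n", &out->x[i], &out->y[i], &consumed) != 2)
            return PARSE_SHORT;
        text += consumed;
    }
    return PARSE_OK;
}

int main(void)
{
    /* Constructed records: one well-formed, three with out-of-range fields. */
    const char *records[] = {
        "5 3 2 10 20 30 40",           /* valid */
        "5 1000 2 10 20 30 40",        /* colour index past the table */
        "5 3 100000 10 20",            /* point count past the buffer */
        "1000 3 2 10 20 30 40",        /* depth past any per-depth list */
    };
    polyline p;

    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        printf("%-24s -> %d\n", records[i], parse_polyline_checked(records[i], &p));
    return 0;
}
```

The point of the checked variant is that the bounds are tied to the sizes of
the arrays actually indexed (rgb_table, x[], y[]), so a crafted file can at
worst be rejected, never steer a read or write outside those buffers. A real
importer would also have to cover xfig's user-defined colours (indices 32 and
up) and any table it indexes by depth in the same way.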

Comment 2 kashif 2006-04-20 10:19:37 UTC
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system.  The kernel handles the basic functions
of the operating system:  memory allocation, process allocation, device
input and output, etc.

The Dia drawing program is designed to be like the Windows(TM) Visio
program.  Dia can be used to draw different types of diagrams, and
includes support for UML static structure diagrams (class diagrams),
entity relationship modeling, and network diagrams.  Dia can load and
save diagrams to a custom file format, can load and save in .xml format,
and can export to PostScript(TM).

Comment 3 Marc Deslauriers 2006-05-12 23:27:50 UTC

*** This bug has been marked as a duplicate of 190942 ***

