Bug 192538 - CVE-2006-2480: dia format string vulnerability
CVE-2006-2480: dia format string vulnerability
Status: CLOSED DUPLICATE of bug 192699
Product: Fedora
Classification: Fedora
Component: dia (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Caolan McNamara
: Security
Depends On:
  Show dependency treegraph
Reported: 2006-05-20 05:35 EDT by Ville Skyttä
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-05-23 03:46:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ville Skyttä 2006-05-20 05:35:56 EDT
+++ This bug was initially created as a clone of Bug #192535 +++


Reproducer in GNOME Bugzilla, appears to affect 0.95 too:

The CVE notes that this may not be a vulnerability, but it is a reproducible
crash in any case.  (Note: I haven't tested the FC4 package, but at least the
FE5 one has this problem.)
Comment 1 Ville Skyttä 2006-05-20 05:40:27 EDT
f-security-list: note that this is not in audit/fc4, I don't think I have
permissions to commit to that.
Comment 2 Josh Bressers 2006-05-20 08:31:12 EDT
Please don't patch this issue yet.  I plan to have a look through the dia source
for additional format string vulnerabilities (I seriously doubt this is the only
Comment 3 Hans de Goede 2006-05-20 08:38:49 EDT
This comment of mine collided with John's comment, so its a bit stale:


I've fixed this for FE using the patch attached to upstream's BZ (after checking
/ verifying it).

And yes, this most definetly is a vulnerability. The current example of the
string format vulnerability is rather harmless, but I _think_ it will be
possbile to exploit this by getting people to open malformed files with dia.

Also talking about dia, in my memory a security hole was found in one of the dia
import filters during the 0.95 pre cycle, I dunno if dia 0.94 had this hole
though (and my memory may be wrong altogther mixing up events).


Now with John's new comment in mind, I guess the same goes for dia in FE?
After seeing the BZ collision with your comment I tried to kill my builds of the
fix, but I was too late a new version with the patch has been successfully build
for FE-5 and devel. I guess thats what I get for being quick.

Anyways what do we do now? Ask the new versions to be removed from the needsign
and push queue? Or just release them and release again when you're done with
your audit?
Comment 4 Hans de Goede 2006-05-20 08:45:01 EDT
How (un)lucky can one get?

My dia build for FE was just signed and pushed, so its too late to remove it
from the queue. I'm closing the BZ ticket on this for FE. Please open a new one
when you find anything. I'm fedora-security-list, so I'll keep following this
ticket through the list.
Comment 5 Ville Skyttä 2006-05-20 08:58:10 EDT
Sorry, that was me, I saw the commit and saw it also ready in the needsign queue
so I decided to do a push before seeing these comments.
Comment 6 Ville Skyttä 2006-05-20 09:06:27 EDT
Forgot to note that when checking for format string issues, pscan from Extras
can save some grunt work, eg.
find . -name "*.c" -o -name "*.h" | xargs pscan -w "$@"
Comment 7 Caolan McNamara 2006-05-23 03:46:22 EDT

*** This bug has been marked as a duplicate of 192699 ***

Note You need to log in before you can comment on or make changes to this bug.