Red Hat Bugzilla – Bug 192538
CVE-2006-2480: dia format string vulnerability
Last modified: 2007-11-30 17:11:33 EST
+++ This bug was initially created as a clone of Bug #192535 +++
Reproducer in GNOME Bugzilla, appears to affect 0.95 too:
The CVE notes that this may not be a vulnerability, but it is a reproducible
crash in any case. (Note: I haven't tested the FC4 package, but at least the
FE5 one has this problem.)
f-security-list: note that this is not in audit/fc4, I don't think I have
permissions to commit to that.
Please don't patch this issue yet. I plan to have a look through the dia source
for additional format string vulnerabilities (I seriously doubt this is the only
This comment of mine collided with John's comment, so its a bit stale:
I've fixed this for FE using the patch attached to upstream's BZ (after checking
/ verifying it).
And yes, this most definetly is a vulnerability. The current example of the
string format vulnerability is rather harmless, but I _think_ it will be
possbile to exploit this by getting people to open malformed files with dia.
Also talking about dia, in my memory a security hole was found in one of the dia
import filters during the 0.95 pre cycle, I dunno if dia 0.94 had this hole
though (and my memory may be wrong altogther mixing up events).
Now with John's new comment in mind, I guess the same goes for dia in FE?
After seeing the BZ collision with your comment I tried to kill my builds of the
fix, but I was too late a new version with the patch has been successfully build
for FE-5 and devel. I guess thats what I get for being quick.
Anyways what do we do now? Ask the new versions to be removed from the needsign
and push queue? Or just release them and release again when you're done with
How (un)lucky can one get?
My dia build for FE was just signed and pushed, so its too late to remove it
from the queue. I'm closing the BZ ticket on this for FE. Please open a new one
when you find anything. I'm fedora-security-list, so I'll keep following this
ticket through the list.
Sorry, that was me, I saw the commit and saw it also ready in the needsign queue
so I decided to do a push before seeing these comments.
Forgot to note that when checking for format string issues, pscan from Extras
can save some grunt work, eg.
find . -name "*.c" -o -name "*.h" | xargs pscan -w "$@"
*** This bug has been marked as a duplicate of 192699 ***