Bug 192830 - CVE-2006-2453 Additional dia format string flaws
CVE-2006-2453 Additional dia format string flaws
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: dia (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Hans de Goede
Fedora Extras Quality Assurance
: Security
Depends On:
Blocks: 190942
  Show dependency treegraph
 
Reported: 2006-05-23 10:20 EDT by Josh Bressers
Modified: 2007-11-30 17:11 EST (History)
3 users (show)

See Also:
Fixed In Version: 0.95-3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-23 15:27:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2006-05-23 10:20:06 EDT
A number of additional format string issues were discovered by Hans de Goede and
has been assigned the CVE id CVE-2006-2453.

The fix is attachment 129852 [details]
Comment 1 Hans de Goede 2006-05-23 15:27:24 EDT
Yes I know Hans de Goede thats me, the FE dia maintainer, thus also the person
to whom this bug got assigned :)

Anyways 0.95-3 has been build and published for FC-5 and devel fixing this.
Comment 2 Josh Bressers 2006-05-23 16:39:01 EDT
Right, I added the text so nobody would mistakenly attribute me as the author of
the fix.
Comment 3 David Eisenstein 2006-05-27 19:24:30 EDT
Have a question.  If this has been fixed for FC5 (or, I guess the technically
correct moniker would be "FE5"), and this is a security issue -- so people who
need to know (and don't have yum automatically set to update their FC5 systems)
DO know that this has been fixed -- should there not be an announcement for this
fix and the CVE-2006-2480 fix (in Bug 192535) published to the
fedora-package-announce list, like Caolan McNamara's announcement here?:

http://www.redhat.com/archives/fedora-package-announce/2006-May/msg00119.html

Not everybody has yum working to automatically update their FC5 installs, so
unless there is an announcement somewhere, how will they know to update their
dia to dia-0.95-3??

Another unrelated question:  Do you mind if we in Fedora Legacy backport the
fixes you made for maintaining the older legacy versions of dia?  If so, may we
include you, Hans, in the cc: list for such a bugzilla entry?  The open Bugzilla
Bug Fedora Legacy has for dia currently is Bug #190942, in which we also
discovered that the CVE-2005-2966 may not have been covered either here, in FC,
or in RHEL...  (This CVE may not affect FedoraExtras, but may affect Fedora Core
4, RHEL 4/3/2.x?...)
Comment 4 Hans de Goede 2006-05-28 05:49:27 EDT
(In reply to comment #3)
> Have a question.  If this has been fixed for FC5 (or, I guess the technically
> correct moniker would be "FE5"), and this is a security issue -- so people who
> need to know (and don't have yum automatically set to update their FC5 systems)
> DO know that this has been fixed -- should there not be an announcement for this
> fix and the CVE-2006-2480 fix (in Bug 192535) published to the
> fedora-package-announce list, like Caolan McNamara's announcement here?:
> 
> http://www.redhat.com/archives/fedora-package-announce/2006-May/msg00119.html
> 
> Not everybody has yum working to automatically update their FC5 installs, so
> unless there is an announcement somewhere, how will they know to update their
> dia to dia-0.95-3??
> 

I agree, An announcement should be sent for this and for bug 192535. I've asked
the Fedora Security Response Team to post such an announcement in bug 192535,
but no response sofar.

> Another unrelated question:  Do you mind if we in Fedora Legacy backport the
> fixes you made for maintaining the older legacy versions of dia?

Not at all I've also submitted the patch upstream where it has been committed
into CVS as far as I'm concerned the patch is under the same license as dia.

> If so, may we
> include you, Hans, in the cc: list for such a bugzilla entry?  The open Bugzilla
> Bug Fedora Legacy has for dia currently is Bug #190942

Feel free to add me to the CC.

> In which we also
> discovered that the CVE-2005-2966 may not have been covered either here, in FC,
> or in RHEL...  (This CVE may not affect FedoraExtras, but may affect Fedora Core
> 4, RHEL 4/3/2.x?...)

I think this CVE was 0.95 pre release specific, but I'm not sure I did a diff
between the affected and the unaffected dia 0.95-pre releases and both the total
diff and the relevant part of the diff were small and the fix was small and
sane, unfortunatly I didn't keep the fix around as a seperate patch, but
backporting it if it does affect older versions should be simple.
Comment 5 Dennis Gilmore 2006-05-28 12:14:48 EDT
(In reply to comment #4) 
> I agree, An announcement should be sent for this and for bug 192535. I've 
asked
> the Fedora Security Response Team to post such an announcement in bug 
192535,
> but no response sofar.
Hans,  you need to send your own announcements.  post them to the list  and 
Jesse Keating will review  and send  it through.
Comment 6 Hans de Goede 2006-05-28 13:08:09 EDT
Ok,

Template?

Also is this procedure described anywhere? If I don't know while I'm subscribed
to fedora-security-list and somewhat interested security I doubt many others know.

Comment 7 Dennis Gilmore 2006-05-28 13:13:11 EDT
https://www.redhat.com/archives/fedora-package-announce/2006-May/msg00095.html

thats from what i sent for kphone.  this is something that is not described 
anywhere. The three announcements I sent for kphone  are the only extras 
announcements ever. I would base it on that.  
Comment 8 Ville Skyttä 2006-05-28 13:23:41 EDT
I don't think anyone knows more about the status of announcements/templates than
what was recently discussed in the thread starting from
https://www.redhat.com/archives/fedora-security-list/2006-May/msg00066.html
Comment 9 Ville Skyttä 2006-06-29 08:50:19 EDT
Hans, this is still marked as VULNERABLE in audit/fe5.  Could you update the
status in it as appropriate?
Comment 10 Hans de Goede 2006-06-29 08:56:41 EDT
I cannot do that because I don't have the rights todo that I'm not a Security
Response team member (by choice).
Comment 11 Ville Skyttä 2006-06-29 09:00:34 EDT
Oops, sorry, memory didn't serve me well.  I'll take care of it.

Note You need to log in before you can comment on or make changes to this bug.