[Pkg-dia-team] Bug#368202: dia: CVE-2006-2480: format string
alec at thened.net
Sat May 20 13:32:30 UTC 2006
Tags: security patch
CVE-2006-2480: "Format string vulnerability in Dia 0.94 allows
user-complicit attackers to cause a denial of service (crash) and
possibly execute arbitrary code via format string specifiers in a .bmp
filename. NOTE: since the exploit occurs through a command line
argument, it is possible that this is not a vulnerability, unless there
exist typical mechanisms under which the filename is automatically
provided to Dia via another product, such as a browser."
This is GNOME Bugzilla #342111; there is a proposed patch
attached to that entry. Although the CVE mentions only version 0.94,
Debian's 0.95.0-3 is vulnerable, and I am able to reproduce the issue
with the instructions in Bugzilla. With the patch applied, Dia no
longer crashes but gives a "can't open" message.
Please mention the CVE number in your changelog.
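The vulnerable pattern behind this class of bug, as an added example that is not Dia's code and not the patch from Bugzilla #342111: a filename is handed to a printf-style function as the format string instead of as an argument. The function names, the "Can't open" message text and the sample filename are constructed for illustration; the "%%" input is chosen because it is the one directive that consumes no arguments, so it shows the name being interpreted without triggering undefined behaviour (a real crash case such as "%s%s%s%s.bmp" makes the vulnerable call read pointers off the stack instead).

```c
#include <stdio.h>
#include <string.h>

/* Lets the deliberately vulnerable call below compile without the
 * -Wformat-security warning. In real code that warning is exactly the
 * signal you want to keep enabled. */
#pragma GCC diagnostic ignored "-Wformat-security"

#define MSG_LEN 256

/* Vulnerable pattern (hypothetical): the filename is the format string,
 * so any '%' directive in the name is interpreted by snprintf. */
int report_unreadable_vuln(char *out, size_t outlen, const char *filename)
{
    return snprintf(out, outlen, filename);
}

/* Fixed pattern: a fixed, literal format; the filename is only ever an
 * argument and is copied verbatim whatever it contains. */
int report_unreadable_fixed(char *out, size_t outlen, const char *filename)
{
    return snprintf(out, outlen, "Can't open %s", filename);
}

/* Triage helper: does the string contain a conversion specification other
 * than the harmless "%%" escape? Handy for checking untrusted strings
 * (filenames, titles, user text) before they reach any *printf-style sink. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[MSG_LEN];
    /* Constructed sample filename, not from the bug report. */
    const char *fname = "logo%%.bmp";

    report_unreadable_vuln(buf, sizeof buf, fname);
    printf("vulnerable: %s\n", buf);   /* "logo%.bmp": the name was interpreted */

    report_unreadable_fixed(buf, sizeof buf, fname);
    printf("fixed:      %s\n", buf);   /* "Can't open logo%%.bmp": printed verbatim */

    printf("directives in \"%%s%%s%%s%%s.bmp\": %d\n",
           has_format_directive("%s%s%s%s.bmp"));   /* 1 */
    return 0;
}
```

Build with `-Wall -Wformat -Wformat-security` (without the pragma) to see the compiler flag the vulnerable call; the fixed call is silent because its format is a literal.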