[Pkg-dia-team] Bug#368202: dia: CVE-2006-2480: format string vulnerability

Alec Berryman alec at thened.net
Sat May 20 13:32:30 UTC 2006


Package: dia
Version: 0.95.0-3
Severity: normal
Tags: security patch

CVE-2006-2480: "Format string vulnerability in Dia 0.94 allows
user-complicit attackers to cause a denial of service (crash) and
possibly execute arbitrary code via format string specifiers in a .bmp
filename. NOTE: since the exploit occurs through a command line
argument, it is possible that this is not a vulnerability, unless there
exist typical mechanisms under which the filename is automatically
provided to Dia via another product, such as a browser."

This is GNOME Bugzilla #342111 [1]; there is a proposed patch [2]
attached to that entry.  Although the CVE mentions only version 0.94,
Debian's 0.95.0-3 is vulnerable, and I am able to reproduce the issue
with the instructions in Bugzilla.  With the patch applied, Dia no
longer crashes but gives a "can't open" message.

Please mention the CVE number in your changelog.

Thanks,

Alec

[1] http://bugzilla.gnome.org/show_bug.cgi?id=342111
[2] http://bugzilla.gnome.org/attachment.cgi?id=65665&action=view
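Added illustration, not code from Dia or from the Bugzilla patch: a hypothetical printf-style error reporter shows the bug class behind CVE-2006-2480 (a user-controlled filename used as the format string) next to the hardened form, where the filename is only ever a `%s` argument, so a name containing specifiers yields a "can't open" message instead of a crash. The `format` attribute is the practitioner's safety net: with it, GCC's `-Wformat -Wformat-security` flags any caller that passes a non-literal format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error reporter, modelled on a printf-style message API.
 * The format attribute tells the compiler that argument 3 is a printf
 * format consumed by the variadic arguments starting at 4, so building
 * with -Wformat -Wformat-security warns on report_error(out, n, filename). */
__attribute__((format(printf, 3, 4)))
static int report_error(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(out, out_len, fmt, ap);  /* bounded, NUL-terminated */
    va_end(ap);
    return needed;
}

/* Vulnerable pattern (the CVE-2006-2480 bug class), shown only as a comment
 * because executing it is undefined behaviour: the attacker-chosen filename
 * becomes the format string, so "%n", "%x", "%s" in the name are interpreted.
 *
 *     return report_error(out, out_len, filename);
 */

/* Hardened pattern: a fixed literal format, filename passed as data. */
int describe_open_failure(char *out, size_t out_len, const char *filename)
{
    return report_error(out, out_len, "Can't open '%s'", filename);
}

int main(void)
{
    /* Constructed sample: a .bmp filename carrying format specifiers. */
    const char *hostile_name = "image%n%s%x.bmp";
    char msg[128];
    describe_open_failure(msg, sizeof msg, hostile_name);
    puts(msg);  /* specifiers appear literally; nothing is dereferenced */
    return 0;
}
```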
