Bug#368202: [Pkg-dia-team] Bug#368202: dia: CVE-2006-2480: format string vulnerability

Roland Stigge stigge at antcom.de
Sun May 21 04:26:28 UTC 2006


thanks for reporting this.

Alec Berryman wrote:
> CVE-2006-2480: "Format string vulnerability in Dia 0.94 allows
> user-complicit attackers to cause a denial of service (crash) and
> possibly execute arbitrary code via format string specifiers in a .bmp
> filename. NOTE: since the exploit occurs through a command line
> argument, it is possible that this is not a vulnerability, unless there
> exist typical mechanisms under which the filename is automatically
> provided to Dia via another product, such as a browser."
> This is GNOME Bugzilla #342111 [1]; there is a proposed patch [2]
> attached to that entry.  Although the CVE mentions only version 0.94,
> Debian's 0.95.0-3 is vulnerable, and I am able to reproduce the issue
> with the instructions in Bugzilla.  With the patch applied, Dia no
> longer crashes but gives a "can't open" message.

Unfortunately, I can't reproduce this in full length. I can see the
error message popup (which I consider natural), but neither dia crashing
nor executing the "malicious code" (printing "DIA").

I would like to have more info about that issue and maybe reproduction
help before pushing the patch (which actually seems to make the code at
least more graceful) to Debian stable.

I probably won't have network access during the next week, so
debian-security, feel free to upload the bugzilla.gnome.org patch to
stable if it turns out to be really necessary.



More information about the Pkg-dia-team mailing list