Bug#: 128107
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Eduardo Tongson <propolice@gmail.com>
Filename Description Type Creator Created Size Actions
dia-0.94_xfigoverflowfix.patch /home/ed/dia-0.94_xfigoverflowfix.patch patch Eduardo Tongson 2006-03-30 07:14 0000 5.43 KB Details | Diff
dia-0.94_xfigoverflowfix.patch dia-0.94_xfigoverflowfix.patch patch Eduardo Tongson 2006-03-30 07:36 0000 5.43 KB Details | Diff
Description:   Opened: 2006-03-30 07:03 0000
A voluntary security review of the importers by infamous41md has turned
up three buffer overflow errors in the xfig import code.  These errors
have existed since the code was first created in version 0.87, but are
corrected as of version 0.95-pre6.  The attached patch fixes them for
version 0.94.

------- Comment #1 From Eduardo Tongson 2006-03-30 07:14:06 0000 -------
Created an attachment (id=83432) [details]
/home/ed/dia-0.94_xfigoverflowfix.patch

extracted a working patch from the advisory

------- Comment #2 From Stefan Cornelius (RETIRED) 2006-03-30 07:22:22 0000 -------
gnome-office, please provide fixed ebuilds. You can find a patch in the URL of
this bug.

------- Comment #3 From Eduardo Tongson 2006-03-30 07:36:54 0000 -------
Created an attachment (id=83434) [details]
dia-0.94_xfigoverflowfix.patch

fixed a typo

------- Comment #4 From Matthias Geerdsen 2006-04-01 10:18:58 0000 -------
*** Bug 128386 has been marked as a duplicate of this bug. ***

------- Comment #5 From Eduardo Tongson 2006-04-08 02:14:38 0000 -------
Can anybody with commit privs please update the current stable ebuild
(dia-0.94-r3) to add an epatch line for the attachment/patch. Thanks

------- Comment #6 From Thierry Carrez (RETIRED) 2006-04-15 05:21:56 0000 -------
gnome-office, please bump or we may have to mask it.

------- Comment #7 From John N. Laliberte (RETIRED) 2006-04-20 14:42:07 0000 -------
The patch was missing the segment below but -r5 is now committed with the
patch.

--- dia-0.94/plug-ins/xfig/xfig.h       2004-08-16 03:56:21.000000000 -0400
+++ dia-0.94.new/plug-ins/xfig/xfig.h   2006-04-20 17:19:28.000000000 -0400
@@ -6,6 +6,7 @@

 #define FIG_MAX_DEFAULT_COLORS 32
 #define FIG_MAX_USER_COLORS 512
+#define FIG_MAX_DEPTHS 1000
 /* 1200 PPI */
 #define FIG_UNIT 472.440944881889763779527559055118
 /* 1/80 inch */
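
Review bot: The new `FIG_MAX_DEPTHS` define in xfig.h carries no comment, unlike `FIG_UNIT` directly below it, so a reader cannot tell whether 1000 is the number of depth slots or the largest valid depth value. Suggest a one-line comment stating which, so that every check against it in the importer uses the matching comparison (`>=` for a count, `>` for a maximum). Since this define was left out of the attached patch and added separately, it is also worth confirming that no array size or bounds check in the xfig plug-in still uses a literal in place of the constant.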

------- Comment #8 From Thomas Cort (RETIRED) 2006-04-20 18:37:48 0000 -------
dia-0.94-r5 stable on alpha.

------- Comment #9 From Matthias Langer 2006-04-20 19:26:57 0000 -------
I've done some testing with dia-0.94-r5 [-debug +gnome +png +python -static
+zlib] on x86. A really nice application that seems to work fine (I wish I had
discovered this app a few weeks earlier) ...

Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r3,
2.6.15-gentoo-r5 i686)
=================================================================
System uname: 2.6.15-gentoo-r5 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env
/usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/
/usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.inode.at/ "
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LINGUAS="en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aalib alsa apm audiofile avi berkdb bitmap-fonts
bonobo bzip2 bzlib cairo cdr cli crypt css cups curl dbus divx4linux dri dts dv
dvd dvdr dvdread emboss encode evo exif expat fam fame ffmpeg firefox flac
foomaticdb fortran gd gdbm gif glut gmp gnome gphoto2 gpm gstreamer gtk gtk2
gtkhtml guile hal idn imagemagick imlib ipv6 isdnlog java jpeg junit lcms
libg++ libwww mad mikmod mmx mmxext mng motif mp3 mpeg nautilus ncurses nls
nptl nsplugin nvidia ogg oggvorbis openal opengl pam pcre pdflib perl plotutils
png pppd python quicktime readline real reflection ruby sdl session slang speex
spell spl sqlite sse ssl subtitles svga tcltk tcpd tetex theora tiff truetype
truetype-fonts type1-fonts udev unicode usb vcd video_cards_nvidia vorbis
win32codecs wma xine xml xml2 xmms xv xvid zlib linguas_en linguas_de
userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LDFLAGS

------- Comment #10 From Jason Wever (RETIRED) 2006-04-20 20:38:12 0000 -------
Stable on SPARC.

------- Comment #11 From Chris Gianelloni (RETIRED) 2006-04-21 06:32:07 0000 -------
...and x86 is done

------- Comment #12 From Tobias Scherbaum 2006-04-21 10:00:56 0000 -------
ppc stable

------- Comment #13 From Markus Rothe 2006-04-22 00:09:52 0000 -------
ppc64 stable

------- Comment #14 From Thomas Cort (RETIRED) 2006-04-22 04:59:39 0000 -------
amd64 stable.

------- Comment #15 From Thierry Carrez (RETIRED) 2006-04-22 10:58:02 0000 -------
Ready for GLSA

------- Comment #16 From Sune Kloppenborg Jeppesen 2006-04-23 13:08:36 0000 -------
Thx ed.

GLSA 200604-14

mips, ia64 don't forget to mark stable to benefit from the GLSA.
