
Bug 128107

Summary: app-office/dia: Buffer overflow in xfig import (CVE-2006-1550)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Eduardo Tongson <propolice>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: High
CC: csy150, gnome-office+disabled, gnome
Version: unspecified
Hardware: All
OS: Linux
URL: http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html
Whiteboard: B2 [glsa] ed
Package list:
Runtime testing required: ---
Attachments:
/home/ed/dia-0.94_xfigoverflowfix.patch (flags: none)
dia-0.94_xfigoverflowfix.patch (flags: none)

Description Eduardo Tongson 2006-03-30 07:03:40 UTC
A voluntary security review of the importers by infamous41md has turned
up three buffer overflow errors in the xfig import code.  These errors
have existed since the code was first created in version 0.87, but are
corrected as of version 0.95-pre6.  The attached patch fixes them for
version 0.94.
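As an added illustration (not Dia's code and not the attached patch), here is the general shape of this class of importer bug in C: a depth value read from an untrusted FIG file is used directly as an array index, first unchecked, then bounded against a table of 1000 entries, the FIG_MAX_DEPTHS value that the -r5 header fragment quoted later in this bug defines. The polyline field layout, the table type, the function names and the sample lines are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Bound assumed for this example; it matches the FIG_MAX_DEPTHS value
   quoted in comment 7 of this bug. Not Dia's code. */
#define FIG_MAX_DEPTHS 1000

typedef struct {
    int count[FIG_MAX_DEPTHS];   /* objects seen per depth, indexed by depth */
} fig_depth_table;

typedef enum { FIG_OK = 0, FIG_BAD_LINE = 1, FIG_BAD_DEPTH = 2 } fig_status;

void fig_depth_table_init(fig_depth_table *t)
{
    memset(t, 0, sizeof *t);
}

/* Pull the depth out of a FIG 3.2 polyline header line (object code 2).
   Field order assumed for this example:
   code sub_type line_style thickness pen_color fill_color depth ... */
static int parse_polyline_depth(const char *line, int *depth)
{
    int code, sub, style, thick, pen, fill, d;
    if (sscanf(line, "%d %d %d %d %d %d %d",
               &code, &sub, &style, &thick, &pen, &fill, &d) != 7)
        return -1;
    if (code != 2)
        return -1;
    *depth = d;
    return 0;
}

/* The 'before' form: the depth read from the file becomes an array index
   with no range check, so a depth of 1000 or more, or a negative depth,
   writes outside count[]. Kept only to show the bug; never call it on
   untrusted input. */
fig_status fig_add_object_unchecked(fig_depth_table *t, const char *line)
{
    int depth;
    if (parse_polyline_depth(line, &depth) != 0)
        return FIG_BAD_LINE;
    t->count[depth]++;               /* out-of-bounds write for a bad depth */
    return FIG_OK;
}

/* Hardened form: reject the object before the index is ever used. The test
   is on the signed value, so negatives are refused as well as values at or
   beyond FIG_MAX_DEPTHS. */
fig_status fig_add_object_checked(fig_depth_table *t, const char *line)
{
    int depth;
    if (parse_polyline_depth(line, &depth) != 0)
        return FIG_BAD_LINE;
    if (depth < 0 || depth >= FIG_MAX_DEPTHS)
        return FIG_BAD_DEPTH;
    t->count[depth]++;
    return FIG_OK;
}

/* Constructed sample lines, not taken from any real drawing. The trailing
   fields are plausible polyline values; only the 7th field matters here. */
static const char *const sample_lines[] = {
    "2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2",          /* in range */
    "2 1 0 1 0 7 999 -1 -1 0.000 0 0 -1 0 0 2",         /* last valid depth */
    "2 1 0 1 0 7 1000 -1 -1 0.000 0 0 -1 0 0 2",        /* one past the end */
    "2 1 0 1 0 7 -3 -1 -1 0.000 0 0 -1 0 0 2",          /* negative index */
    "2 1 0 1 0 7 2147483647 -1 -1 0.000 0 0 -1 0 0 2",  /* far out of range */
    "not a fig object at all",                          /* unparseable */
};
#define N_SAMPLES (sizeof sample_lines / sizeof sample_lines[0])

/* Feed every sample through the checked path; returns how many were accepted. */
int fig_count_accepted(void)
{
    fig_depth_table t;
    int accepted = 0;
    size_t i;
    fig_depth_table_init(&t);
    for (i = 0; i < N_SAMPLES; i++)
        if (fig_add_object_checked(&t, sample_lines[i]) == FIG_OK)
            accepted++;
    return accepted;
}

/* Result of the checked path for one sample line, for inspection. */
fig_status fig_status_of_sample(size_t i)
{
    fig_depth_table t;
    fig_depth_table_init(&t);
    return i < N_SAMPLES ? fig_add_object_checked(&t, sample_lines[i]) : FIG_BAD_LINE;
}

int main(void)
{
    printf("%d of %zu sample lines accepted by the checked importer\n",
           fig_count_accepted(), N_SAMPLES);
    return 0;
}
```

The point to take from the checked version is that the comparison happens on the signed value before the first use as an index; a check written as `depth >= FIG_MAX_DEPTHS` alone would still let `-3` through, and a check placed after an earlier `count[depth]` read would already be too late.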
Comment 1 Eduardo Tongson 2006-03-30 07:14:06 UTC
Created attachment 83432 [details, diff]
/home/ed/dia-0.94_xfigoverflowfix.patch

Extracted a working patch from the advisory.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-30 07:22:22 UTC
gnome-office, please provide fixed ebuilds. You can find a patch in the URL of this bug.
Comment 3 Eduardo Tongson 2006-03-30 07:36:54 UTC
Created attachment 83434 [details, diff]
dia-0.94_xfigoverflowfix.patch

Fixed a typo.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-04-01 10:18:58 UTC
*** Bug 128386 has been marked as a duplicate of this bug. ***
Comment 5 Eduardo Tongson 2006-04-08 02:14:38 UTC
Can anybody with commit privs please update the current stable ebuild (dia-0.94-r3) to add an epatch line for the attachment/patch? Thanks.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-04-15 05:21:56 UTC
gnome-office, please bump or we may have to mask it.
Comment 7 John N. Laliberte (RETIRED) gentoo-dev 2006-04-20 14:42:07 UTC
The patch was missing the segment below but -r5 is now committed with the patch.

--- dia-0.94/plug-ins/xfig/xfig.h       2004-08-16 03:56:21.000000000 -0400
+++ dia-0.94.new/plug-ins/xfig/xfig.h   2006-04-20 17:19:28.000000000 -0400
@@ -6,6 +6,7 @@

 #define FIG_MAX_DEFAULT_COLORS 32
 #define FIG_MAX_USER_COLORS 512
+#define FIG_MAX_DEPTHS 1000
 /* 1200 PPI */
 #define FIG_UNIT 472.440944881889763779527559055118
 /* 1/80 inch */
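Review bot: the new FIG_MAX_DEPTHS define carries no comment, unlike the neighbouring FIG_UNIT lines, so a reader cannot tell from the header what it bounds or why 1000 was chosen; add a one-line comment above it in the same style as `/* 1200 PPI */`. Note too that a define in xfig.h changes nothing on its own: it only closes the overflow if every place the importer indexes a depth-sized array compares the value read from the file against this constant (negatives included), which this header-only hunk cannot show, so that should be confirmed in the rest of the committed patch.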
Comment 8 Thomas Cort (RETIRED) gentoo-dev 2006-04-20 18:37:48 UTC
dia-0.94-r5 stable on alpha.
Comment 9 Matthias Langer 2006-04-20 19:26:57 UTC
I've done some testing with dia-0.94-r5 [-debug +gnome +png +python -static +zlib] on x86. A really nice application that seems to work fine (I wish I had discovered this app a few weeks earlier) ...

Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.15-gentoo-r5 i686)
=================================================================
System uname: 2.6.15-gentoo-r5 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.inode.at/ "
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LINGUAS="en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aalib alsa apm audiofile avi berkdb bitmap-fonts bonobo bzip2 bzlib cairo cdr cli crypt css cups curl dbus divx4linux dri dts dv dvd dvdr dvdread emboss encode evo exif expat fam fame ffmpeg firefox flac foomaticdb fortran gd gdbm gif glut gmp gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile hal idn imagemagick imlib ipv6 isdnlog java jpeg junit lcms libg++ libwww mad mikmod mmx mmxext mng motif mp3 mpeg nautilus ncurses nls nptl nsplugin nvidia ogg oggvorbis openal opengl pam pcre pdflib perl plotutils png pppd python quicktime readline real reflection ruby sdl session slang speex spell spl sqlite sse ssl subtitles svga tcltk tcpd tetex theora tiff truetype truetype-fonts type1-fonts udev unicode usb vcd video_cards_nvidia vorbis win32codecs wma xine xml xml2 xmms xv xvid zlib linguas_en linguas_de userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LDFLAGS
Comment 10 Jason Wever (RETIRED) gentoo-dev 2006-04-20 20:38:12 UTC
Stable on SPARC.
Comment 11 Chris Gianelloni (RETIRED) gentoo-dev 2006-04-21 06:32:07 UTC
...and x86 is done
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-21 10:00:56 UTC
ppc stable
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2006-04-22 00:09:52 UTC
ppc64 stable
Comment 14 Thomas Cort (RETIRED) gentoo-dev 2006-04-22 04:59:39 UTC
amd64 stable.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-04-22 10:58:02 UTC
Ready for GLSA
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-23 13:08:36 UTC
Thx ed.

GLSA 200604-14

mips, ia64: don't forget to mark stable to benefit from the GLSA.