Bug 133699 - app-office/dia: format string or buffer overflow (CVE-2006-2480)
Summary: app-office/dia: format string or buffer overflow (CVE-2006-2480)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://bugzilla.gnome.org/show_bug.cg...
Whiteboard: B2 [glsa] DerCorny
Keywords:
Depends on: 130742
Blocks:
Reported: 2006-05-18 08:43 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-10-15 04:30 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-18 08:43:49 UTC
Stack trace:


Other information:
I can confirm the problem, but I cannot confirm the original report's analysis:

vsprintf (buf, fmt, *args2) correctly returns:
 buf = (gchar *) 0xebb4a0 "Failed to load:\nImage file '%p%p%p%p.bmp' contains no data"

The real problem seems to be message_create_dialog(), which provides the string
message_format to gtk_message_dialog_new(), which is defined as
GtkWidget*  gtk_message_dialog_new          (GtkWindow *parent,
                                             GtkDialogFlags flags,
                                             GtkMessageType type,
                                             GtkButtonsType buttons,
                                             const gchar *message_format,
                                             ...);

Affected are all versions except the old ones using gtk_label_new().

I am not sure about correctness of alloc = nearest_pow (MAX(len + 1, 1024));
Maybe 1024 should be MAXPATHLEN.

And I don't know why exactly there are two variables with the same varargs
contents - one is analysed to get the proper length, one is used for
formatting.
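As an added illustration (not code from dia, GTK or the reporter), the two patterns discussed in the description in plain C, with a stand-in for gtk_message_dialog_new(): handing an already-formatted message over as the format argument versus passing it under a fixed "%s", plus the measure-then-format idiom that needs two va_list copies because a va_list consumed by one vsprintf/vsnprintf call cannot be reused. All names (dialog_new, show_message_vulnerable, show_message_fixed, has_conversion, format_alloc) and the sample message are constructed for this example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for gtk_message_dialog_new(): like the GTK call, the
 * last fixed parameter is a printf-style format and the varargs feed it.
 * It writes the dialog text into out instead of building a widget. */
static int dialog_new(char *out, size_t outlen, const char *message_format, ...)
{
    va_list ap;
    va_start(ap, message_format);
    int n = vsnprintf(out, outlen, message_format, ap);
    va_end(ap);
    return n;
}

/* The pattern the report describes: a message that was already formatted
 * (and so may contain text taken from a file name) is handed over as the
 * format string, so every '%' in it is interpreted a second time. */
static int show_message_vulnerable(char *out, size_t outlen, const char *message)
{
    return dialog_new(out, outlen, message);
}

/* Hardened form: the format is a fixed literal and the message is only an
 * argument, so its contents are copied verbatim. */
static int show_message_fixed(char *out, size_t outlen, const char *message)
{
    return dialog_new(out, outlen, "%s", message);
}

/* Review helper: true if s contains a conversion specifier that would consume
 * arguments were s used as a format ("%%" is a literal percent sign). */
static bool has_conversion(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": skip the pair */
            p++;
            continue;
        }
        return true;            /* '%' followed by anything else, or by the end */
    }
    return false;
}

/* Measure-then-format into an exact-size allocation. The va_list consumed by
 * the first vsnprintf cannot be reused, hence the va_copy: this is the usual
 * reason a formatter keeps two va_list variables with identical contents. */
static char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int len = vsnprintf(NULL, 0, fmt, ap);          /* pass 1: length only */
    va_end(ap);
    if (len < 0) {
        va_end(ap2);
        return NULL;
    }
    char *buf = malloc((size_t)len + 1);
    if (buf != NULL)
        vsnprintf(buf, (size_t)len + 1, fmt, ap2);  /* pass 2: real formatting */
    va_end(ap2);
    return buf;                                     /* caller frees */
}

int main(void)
{
    /* Constructed file name containing "%%", chosen because it shows the
     * double interpretation deterministically (a conversion such as "%p"
     * with no matching argument is undefined behaviour). */
    const char *msg = "Failed to load:\nImage file '100%%.bmp' contains no data";
    char out[256];

    show_message_vulnerable(out, sizeof out, msg);
    printf("as format  : %s\n", out);   /* "%%" collapsed to "%": message was re-parsed */
    show_message_fixed(out, sizeof out, msg);
    printf("as argument: %s\n", out);   /* text unchanged */

    printf("needs review: %s\n",
           has_conversion("Image file '%p%p%p%p.bmp' contains no data") ? "yes" : "no");

    char *s = format_alloc("Image file '%s' contains no data", "a.bmp");
    if (s != NULL) {
        printf("%s (%zu bytes)\n", s, strlen(s));
        free(s);
    }
    return 0;
}
```

The vulnerable path is exercised only with "%%", which vsnprintf turns into a single "%" without consuming arguments; that is enough to see that the message text is being parsed as a format, which is exactly the condition under which a file name containing other conversions becomes dangerous. The fix is the fixed-literal format in show_message_fixed; has_conversion is the kind of check a reviewer can apply to any string about to be passed where a format is expected.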
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-18 08:56:01 UTC
gnome-office please provide fixed ebuilds, thank you.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-25 12:07:24 UTC
any news?
Comment 3 John N. Laliberte (RETIRED) gentoo-dev 2006-05-30 09:06:41 UTC
new ebuild (dia-0.95.1.ebuild) in tree, fix for this sec bug should be in this version.
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-30 09:10:16 UTC
Thanks a lot John.

Arches please test dia-0.95.1 and mark stable, thanks.
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2006-05-30 11:03:02 UTC
ppc stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2006-05-30 12:27:00 UTC
stable on ppc64
Comment 7 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-30 13:11:35 UTC
Stable on amd64 and x86...
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2006-05-30 14:23:24 UTC
sparc stable.
Comment 9 Thomas Cort (RETIRED) gentoo-dev 2006-05-31 10:13:57 UTC
alpha done.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-07 10:43:30 UTC
GLSA 200606-03

ia64, don't forget to mark stable to benefit from the GLSA.