Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830
Summary: CVE-2006-2453 Additional dia format string flaws
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: dia
AssignedTo: j.w.r.degoede@hhs.nl
ReportedBy: bressers@redhat.com
QAContact: extras-qa@fedoraproject.org
CC: extras-qa@fedoraproject.org, fedora-security-list@redhat.com
A number of additional format string issues were discovered by Hans de Goede and have been assigned the CVE id CVE-2006-2453.
The fix is attachment 129852
j.w.r.degoede@hhs.nl changed:
What              |Removed |Added
----------------------------------------------------------------------------
Status            |NEW     |CLOSED
Resolution        |        |CURRENTRELEASE
Fixed In Version  |        |0.95-3
------- Additional Comments From j.w.r.degoede@hhs.nl 2006-05-23 15:27 EST -------
Yes I know Hans de Goede, that's me, the FE dia maintainer, thus also the person to whom this bug got assigned :)
Anyways, 0.95-3 has been built and published for FC-5 and devel, fixing this.
------- Additional Comments From bressers@redhat.com 2006-05-23 16:39 EST -------
Right, I added the text so nobody would mistakenly attribute me as the author of the fix.
deisenst@gtw.net changed:
What  |Removed |Added
----------------------------------------------------------------------------
CC    |        |bugs@fedoralegacy.org
------- Additional Comments From deisenst@gtw.net 2006-05-27 19:24 EST -------
Have a question. If this has been fixed for FC5 (or, I guess the technically correct moniker would be "FE5"), and this is a security issue -- so people who need to know (and don't have yum automatically set to update their FC5 systems) DO know that this has been fixed -- should there not be an announcement for this fix and the CVE-2006-2480 fix (in Bug 192535) published to the fedora-package-announce list, like Caolan McNamara's announcement here?:
http://www.redhat.com/archives/fedora-package-announce/2006-May/msg00119.htm...
Not everybody has yum working to automatically update their FC5 installs, so unless there is an announcement somewhere, how will they know to update their dia to dia-0.95-3??
Another unrelated question: Do you mind if we in Fedora Legacy backport the fixes you made for maintaining the older legacy versions of dia? If so, may we include you, Hans, in the cc: list for such a bugzilla entry? The open Bugzilla Bug Fedora Legacy has for dia currently is Bug #190942, in which we also discovered that the CVE-2005-2966 may not have been covered either here, in FC, or in RHEL... (This CVE may not affect FedoraExtras, but may affect Fedora Core 4, RHEL 4/3/2.x?...)
deisenst@gtw.net changed:
What                      |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis  |        |190942
------- Additional Comments From j.w.r.degoede@hhs.nl 2006-05-28 05:49 EST -------
(In reply to comment #3)
> Have a question. If this has been fixed for FC5 (or, I guess the technically correct moniker would be "FE5"), and this is a security issue -- so people who need to know (and don't have yum automatically set to update their FC5 systems) DO know that this has been fixed -- should there not be an announcement for this fix and the CVE-2006-2480 fix (in Bug 192535) published to the fedora-package-announce list, like Caolan McNamara's announcement here?:
> http://www.redhat.com/archives/fedora-package-announce/2006-May/msg00119.htm...
> Not everybody has yum working to automatically update their FC5 installs, so unless there is an announcement somewhere, how will they know to update their dia to dia-0.95-3??
I agree, an announcement should be sent for this and for bug 192535. I've asked the Fedora Security Response Team to post such an announcement in bug 192535, but no response so far.
> Another unrelated question: Do you mind if we in Fedora Legacy backport the fixes you made for maintaining the older legacy versions of dia?
Not at all. I've also submitted the patch upstream, where it has been committed into CVS. As far as I'm concerned the patch is under the same license as dia.
> If so, may we include you, Hans, in the cc: list for such a bugzilla entry? The open Bugzilla Bug Fedora Legacy has for dia currently is Bug #190942
Feel free to add me to the CC.
> In which we also discovered that the CVE-2005-2966 may not have been covered either here, in FC, or in RHEL... (This CVE may not affect FedoraExtras, but may affect Fedora Core 4, RHEL 4/3/2.x?...)
I think this CVE was 0.95 pre release specific, but I'm not sure. I did a diff between the affected and the unaffected dia 0.95-pre releases and both the total diff and the relevant part of the diff were small and the fix was small and sane. Unfortunately I didn't keep the fix around as a separate patch, but backporting it if it does affect older versions should be simple.
------- Additional Comments From dennis@ausil.us 2006-05-28 12:14 EST -------
(In reply to comment #4)
> I agree, an announcement should be sent for this and for bug 192535. I've asked the Fedora Security Response Team to post such an announcement in bug 192535, but no response so far.
Hans, you need to send your own announcements. Post them to the list and Jesse Keating will review and send it through.
------- Additional Comments From j.w.r.degoede@hhs.nl 2006-05-28 13:08 EST -------
Ok,
Template?
Also, is this procedure described anywhere? If I don't know while I'm subscribed to fedora-security-list and somewhat interested in security, I doubt many others know.
------- Additional Comments From dennis@ausil.us 2006-05-28 13:13 EST -------
https://www.redhat.com/archives/fedora-package-announce/2006-May/msg00095.ht...
That's from what I sent for kphone. This is something that is not described anywhere. The three announcements I sent for kphone are the only extras announcements ever. I would base it on that.
------- Additional Comments From ville.skytta@iki.fi 2006-05-28 13:23 EST -------
I don't think anyone knows more about the status of announcements/templates than what was recently discussed in the thread starting from https://www.redhat.com/archives/fedora-security-list/2006-May/msg00066.html
------- Additional Comments From ville.skytta@iki.fi 2006-06-29 08:50 EST -------
Hans, this is still marked as VULNERABLE in audit/fe5. Could you update the status in it as appropriate?
------- Additional Comments From j.w.r.degoede@hhs.nl 2006-06-29 08:56 EST -------
I cannot do that because I don't have the rights to do that. I'm not a Security Response team member (by choice).
------- Additional Comments From ville.skytta@iki.fi 2006-06-29 09:00 EST -------
Oops, sorry, memory didn't serve me well. I'll take care of it.
bugzilla@redhat.com changed:
What      |Removed        |Added
----------------------------------------------------------------------------
Severity  |normal         |medium
Priority  |normal         |medium
Product   |Fedora Extras  |Fedora