CVE-2006-2480
Published 2006-05-19
Priority: P4 · 28 · medium · CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploit likelihood (EPSS): 7.63% (93.8th percentile)
Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.
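How this class of bug (CWE-134) arises and what the fix looks like, as an added example that is not Dia's code and not the upstream patch: `message_error()` stands in for the dialog Dia raises when a file cannot be opened, but formats into a buffer so the result can be read back; `render_vulnerable`, `render_fixed` and `has_format_directive` are names chosen for this illustration. The constructed filename uses `%%`, the one directive that consumes no argument, so the difference between the two call patterns is visible without the undefined behaviour that `%x` (stack read) or `%n` (stack-derived write) in a real crafted name would cause.

```c
/*
 * Added example, not Dia's code: the vulnerable and the fixed way of
 * reporting an unopenable file whose name the attacker controls.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the GUI dialog: the rendered message is kept here. */
static char last_message[256];

/* Hypothetical printf-style message sink, like a GTK error dialog. */
static void message_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_message, sizeof last_message, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the filename is folded into a string that is then passed
 * as the format. Every %-directive in the filename is interpreted by
 * vsnprintf: %x prints stack words, %n writes through a stack-derived
 * pointer (this is what the .bmp-filename PoC relies on). */
const char *render_vulnerable(const char *filename)
{
    char msg[512];
    snprintf(msg, sizeof msg, "Could not open '%s'", filename);
    message_error(msg);                 /* BUG: attacker text is the format */
    return last_message;
}

/* FIXED: the format is a literal and the filename is an argument to %s,
 * so it is copied, never parsed. (If a pre-built message must be shown,
 * message_error("%s", msg) is the equivalent one-line fix.) */
const char *render_fixed(const char *filename)
{
    message_error("Could not open '%s'", filename);
    return last_message;
}

/* Defensive check for call sites that cannot be changed yet: returns 1
 * if s contains a conversion directive, i.e. a '%' that is not the
 * escaped "%%" literal, and would be dangerous as a format string. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {              /* "%%" prints a single '%' */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed filename for the demonstration. */
    const char *name = "evil%%.bmp";
    printf("vulnerable: %s\n", render_vulnerable(name)); /* 'evil%.bmp'  */
    printf("fixed:      %s\n", render_fixed(name));      /* 'evil%%.bmp' */
    printf("directive in %%n%%n.bmp: %d\n", has_format_directive("%n%n.bmp"));
    return 0;
}
```

The vulnerable path consumed the `%%` (one `%` survives); the fixed path printed the name byte for byte. In a real build the literal-format fix is the one to ship; `has_format_directive` only illustrates what an input filter would have to reject. Declaring `message_error` with `__attribute__((format(printf, 1, 2)))` lets gcc and clang flag the `message_error(msg)` call under `-Wformat-security`, and Debian's default `dpkg-buildflags` CFLAGS include `-Werror=format-security`, which turns that call into a build failure.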
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dia | < dia 0.95.0-4 (bookworm) | dia 0.95.0-4 (bookworm) |
| dia | dia | — | — |
| dia | dia | >= 0 < 0.95.0-4 | 0.95.0-4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | MEDIUM | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
GHSA-xh6g-prc3-64gx (CVE-2006-2453, MEDIUM, CWE-134) · ghsa_unreviewed · 2022-05-01 · CVSS 5.1
Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480.
GHSA
GHSA-prr8-97x3-2662 (CVE-2006-2480, MEDIUM, CWE-134) · ghsa_unreviewed · 2022-05-01
Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.
OSV
CVE-2006-2453 (HIGH) · osv · 2006-05-28 · CVSS 7.5
Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480.
OSV
CVE-2006-2480 (MEDIUM) · osv · 2006-05-19 · CVSS 5.1
Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.
Ubuntu
Dia vulnerabilities (CVE-2006-2480) · vendor_ubuntu · 2006-05-24
Several format string vulnerabilities have been discovered in dia. By tricking a user into opening a specially crafted dia file, or a file with a specially crafted name, this could be exploited to execute arbitrary code with the user's privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
security flaw (CVE-2006-2453, HIGH) · vendor_redhat · 2006-05-06 · CVSS 7.5
Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480.
Debian
CVE-2006-2453: dia (HIGH) · vendor_debian · 2006 · CVSS 7.5
Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480.
Scope: local
bookworm: resolved (fixed in 0.95.0-4)
bullseye: resolved (fixed in 0.95.0-4)
forky: resolved (fixed in 0.95.0-4)
sid: resolved (fixed in 0.95.0-4)
trixie: resolved (fixed in 0.95.0-4)
Debian
CVE-2006-2480: dia (MEDIUM) · vendor_debian · 2006 · CVSS 5.1
Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.
Scope: local
bookworm: resolved (fixed in 0.95.0-4)
bullseye: resolved (fixed in 0.95.0-4)
forky: resolved (fixed in 0.95.0-4)
sid: resolved (fixed in 0.95.0-4)
trixie: resolved (fixed in 0.95.0-4)
Red Hat
security flaw (CVE-2006-2480, MEDIUM) · vendor_redhat · 2004-05-10 · CVSS 5.1
Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.
No detection rules found.
Bugzilla
CVE-2006-2453 security flaw (HIGH) · bugzilla · 2018-08-16 · CVSS 7.5
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480.
Bugzilla
CVE-2006-2480 security flaw (MEDIUM) · bugzilla · 2018-08-16 · CVSS 5.1
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.
Bugzilla
CVE-2006-2453 Additional dia format string flaws (MEDIUM) · bugzilla · 2006-05-23 · CVSS 5.1
A number of additional format string issues were discovered by Hans de Goede and have been assigned the CVE id CVE-2006-2453.
The fix is attachment 129852
Discussion:
Yes I know Hans de Goede, that's me, the FE dia maintainer, thus also the person to whom this bug got assigned :)
Anyways 0.95-3 has been built and published for FC-5 and devel fixing this.
---
Right, I added the text so nobody would mistakenly attribute me as the author of the fix.
---
Have a question. If this has been fixed for FC5 (or, I guess the technically correct moniker would be "FE5"), and this is a security issue -- so people who need to know (and don't have yum automatically set to update their FC5 systems) DO know that this has been fixed -- should there not b
Bugzilla
CVE-2006-2480 Dia format string issue (CVE-2006-2453) (HIGH) · bugzilla · 2006-05-22 · CVSS 7.5
Dia has a format string vulnerability in the way it displays error messages. It is possible for a user to create a malicious dia file which could
http://marc.theaimsgroup.com/?l=vuln-dev&m=114713874920770&w=2
There is a fix in the upstream bug:
http://bugzilla.gnome.org/show_bug.cgi?id=342111
Discussion:
Created attachment 129852
Patch which fixes additional format string issues
---
The above patch fixes a number of additional format string issues discovered by Hans de Goede, which have been assigned the CVE id CVE-2006-2453
---
Created attachment 129875
A few more format string issues fixed.
---
oky doky, added. Built into 4E-errata, and mkerrata-wrapper dist-4E-errata-candidate dia-0.94-5.7.1 has been run
Bugzilla
CVE-2006-2480 Dia format string issue (CVE-2006-2453) (HIGH) · bugzilla · 2006-05-22 · CVSS 7.5
Dia has a format string vulnerability in the way it displays error messages. It is possible for a user to create a malicious dia file which could
http://marc.theaimsgroup.com/?l=vuln-dev&m=114713874920770&w=2
There is a fix in the upstream bug:
http://bugzilla.gnome.org/show_bug.cgi?id=342111
Discussion:
*** Bug 192538 has been marked as a duplicate of this bug. ***
---
A number of additional format string issues were discovered by Hans de Goede and have been assigned the CVE id CVE-2006-2453.
The fix is attachment 129852
---
*grumble*, backported 0.95 patch to 0.94. Pushing...
---
updated with new bits, re-pushing
---
dia-0.94-16.fc4 has been pushed for fc4, which should resolve this issue. If these
Bugzilla
CVE-2006-2480: dia format string vulnerability (MEDIUM) · bugzilla · 2006-05-20 · CVSS 5.1
+++ This bug was initially created as a clone of Bug #192535 +++
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480
Reproducer in GNOME Bugzilla, appears to affect 0.95 too:
http://bugzilla.gnome.org/show_bug.cgi?id=342111
The CVE notes that this may not be a vulnerability, but it is a reproducible crash in any case. (Note: I haven't tested the FC4 package, but at least the FE5 one has this problem.)
Discussion:
f-security-list: note that this is not in audit/fc4, I don't think I have permissions to commit to that.
---
Please don't patch this issue yet. I plan to have a look through the dia source for additional format string vulnerabilities (I seriously doubt this is the only one).
---
This comment of mine collided with Joh
Bugzilla
CVE-2006-2480: dia format string vulnerability (MEDIUM) · bugzilla · 2006-05-20 · CVSS 5.1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480
Reproducer in GNOME Bugzilla, appears to affect 0.95 too:
http://bugzilla.gnome.org/show_bug.cgi?id=342111
The CVE notes that this may not be a vulnerability, but it is a reproducible crash in any case.
Discussion:
Fixed using the patch attached to upstream's BZ (after checking / verifying it). The fix has been imported into CVS, built and pushed for FC-5 and devel. I assume the Security Response Team will take care of the security announcement?
And yes, this most definitely is a vulnerability. The current example of the string format vulnerability is rather harmless, but I _think_ it will be possible to exploit this by getting people to open malformed files with dia.
References
http://bugzilla.gnome.org/show_bug.cgi?id=342111
http://kandangjamur.net/tutorial/dia.txt
http://secunia.com/advisories/20199
http://secunia.com/advisories/20254
http://secunia.com/advisories/20339
http://secunia.com/advisories/20422
http://secunia.com/advisories/20457
http://secunia.com/advisories/20513
http://securitytracker.com/id?1016203
http://www.gentoo.org/security/en/glsa/glsa-200606-03.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2006:093
http://www.novell.com/linux/security/advisories/2006-06-02.html
http://www.osvdb.org/25699
http://www.redhat.com/support/errata/RHSA-2006-0541.html
http://www.securityfocus.com/archive/82/433313/30/0/threaded
http://www.securityfocus.com/bid/18078
http://www.vupen.com/english/advisories/2006/1908
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11224
https://usn.ubuntu.com/286-1/