Dia Format String Bugs May Let Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1016203
|
|
SecurityTracker URL: http://securitytracker.com/id?1016203
|
|
CVE Reference: CVE-2006-2453
, CVE-2006-2480
(Links to External Site)
|
|
OSVDB Reference: 25699
(Links to External Site)
|
Date: Jun 2 2006
|
Impact: Execution of arbitrary code via network, User access via network
|
Version(s): 0.95, possibly other versions
|
Description: A vulnerability was reported in Dia. A remote user may be able to cause arbitrary code to be executed on the target user's system.
A remote user can create a file with a specially crafted filename. When the target user opens the file using Dia, a format string
flaw will be triggered and arbitrary code may be executed [CVE-2006-2480]. KaDaL-X reported this vulnerability.
Other format
string vulnerabilities also exist [CVE-2006-2453]. Hans de Goede discovered these vulnerabilities.
|
Impact: A remote user can create a file that, when processed by the target user with Dia, will cause arbitrary code to be executed on the target user's system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.gnome.org/projects/dia/ (Links to External Site)
|
Cause: Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 1 Jun 2006 23:14:18 -0400
Subject: Dia format string vulnerabilities.
|
CVE-2006-2453
CVE-2006-2480
|
|
