aru Posted May 31, 2006 Report Share Posted May 31, 2006 Mandriva Advisories MDKSA-2006:093 : dia Updated dia packages fix string format vulnerabilities. May 30th, 2006 A format string vulnerability in Dia allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms inputs that are automatically process by Dia, such as a crafted .dia file. (CVE-2006-2480) Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480. (CVE-2006-2453) Packages have been patched to correct this issue. The released versions of Mandriva GNU/Linux affected are: CS3.0 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2006:093 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2453 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2006/05/25 20:55:43 aru Exp aru $) Link to comment Share on other sites More sharing options...
Recommended Posts