DSA 847-1: New dia packages fix arbitrary code execution
Posted on: 10/08/2005 12:52 AM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 847-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
October 8th, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : dia
Vulnerability : missing input sanitising
Problem type : local (remote)
Debian-specific: no
CVE ID : CAN-2005-2966
BugTraq ID : 15000
Debian Bug : 330890

Joxean Koret discovered that the Python SVG import plugin in dia, a
vector-oriented diagram editor, does not properly sanitise data read
from an SVG file and is hence vulnerable to execute arbitrary Python
code.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 0.94.0-7sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 0.94.0-15.

We recommend that you upgrade your dia package.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1.dsc
Size/MD5 checksum: 1407 e852a784e57e6ccd455b4da297ae7c36
http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1.diff.gz
Size/MD5 checksum: 15763 4704a9ac297063f937a27b669b4f9c7f
http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0.orig.tar.gz
Size/MD5 checksum: 5241128 d2afdc10f55df29314250d98dbfd7a79

Architecture independent components:

http://security.debian.org/pool/updates/main/d/dia/dia-common_0.94.0-7sarge1_all.deb
Size/MD5 checksum: 2148988 a6aaf3822ae0323890b29fa9059b0185

Alpha architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_alpha.deb
Size/MD5 checksum: 222846 e2a858944403aaf7e2be0b55213494a1
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_alpha.deb
Size/MD5 checksum: 224378 49be5d481ac3b550c52422cdb1be6765
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_alpha.deb
Size/MD5 checksum: 729796 3b24c04e39a7c8b416dd504f4470be15

AMD64 architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_amd64.deb
Size/MD5 checksum: 193428 5d7b0041a851b5af1cb6273368551154
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_amd64.deb
Size/MD5 checksum: 195070 2c20715651206e8aadc5d1215ae03462
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_amd64.deb
Size/MD5 checksum: 659184 cd4ac2d216773979f2b03ec63976a6cb

ARM architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_arm.deb
Size/MD5 checksum: 173002 4c5d220bb555d014bd5dd5e6928f1493
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_arm.deb
Size/MD5 checksum: 174468 0c31ec33766fac82bf005c43b5f6a9ac
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_arm.deb
Size/MD5 checksum: 552166 a7aa7e3699ae090ab67ad9d3195755f3

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_i386.deb
Size/MD5 checksum: 184330 4f69a644c2ac8f97a5a81fdf3e1146b5
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_i386.deb
Size/MD5 checksum: 185734 fc75348b11fe90abb7568c95ee3ba333
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_i386.deb
Size/MD5 checksum: 591844 06e9aad469c243ac472aac861ee98ef5

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_ia64.deb
Size/MD5 checksum: 263706 173b29cc71d5f815a251cd0054898c1e
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_ia64.deb
Size/MD5 checksum: 265022 91db1802a98dcb9c199bbe60c3c7a377
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_ia64.deb
Size/MD5 checksum: 919608 0277be2023d768feb15e4b30941bc878

HP Precision architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_hppa.deb
Size/MD5 checksum: 200672 7d122a717ef54af4dd7a96b8664ade44
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_hppa.deb
Size/MD5 checksum: 202164 8215bf17aab46573dc1efec74610b4f4
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_hppa.deb
Size/MD5 checksum: 774842 852b861d4d643e13394521a86adbb227

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_m68k.deb
Size/MD5 checksum: 160638 78a7eba8343578b099b72339664017ab
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_m68k.deb
Size/MD5 checksum: 162340 0af833a6b2696562061030bf15dbbb8e
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_m68k.deb
Size/MD5 checksum: 583354 7e8ae3d03bcfff9ec1d0212ae95f9fdc

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_mips.deb
Size/MD5 checksum: 177636 8f160d6fa015e2ddb784fbdcc94a9228
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_mips.deb
Size/MD5 checksum: 179200 6e35a36fba03daf21da687705d409633
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_mips.deb
Size/MD5 checksum: 642424 9769855484e5b221e5a78df2a70d4b7b

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_mipsel.deb
Size/MD5 checksum: 176076 3166639d7c5a90468fcdc36602186278
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_mipsel.deb
Size/MD5 checksum: 177640 7d88dcd6bebb103e4f49981896301505
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_mipsel.deb
Size/MD5 checksum: 630812 a32265d64a09c7dae6d92f683e266a25

PowerPC architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_powerpc.deb
Size/MD5 checksum: 183314 c2a98325c9b505d7dc05232d3872be2d
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_powerpc.deb
Size/MD5 checksum: 184826 fc94a2ba1a9a9b6221134e92b549d239
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_powerpc.deb
Size/MD5 checksum: 674766 ee38feb593a6d53d3e45f67a1164400b

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_s390.deb
Size/MD5 checksum: 185236 ca4b69b30d59e32b435a41ac8159c89b
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_s390.deb
Size/MD5 checksum: 187036 c9ecdde728a3abdab38e5f6ced018619
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_s390.deb
Size/MD5 checksum: 649000 b6028520487207f11eafc65df0d40548

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/d/dia/dia_0.94.0-7sarge1_sparc.deb
Size/MD5 checksum: 175274 276a178671668aa9d061202163e99576
http://security.debian.org/pool/updates/main/d/dia/dia-gnome_0.94.0-7sarge1_sparc.deb
Size/MD5 checksum: 176704 85851e8f38f05e527f67375868efa5bd
http://security.debian.org/pool/updates/main/d/dia/dia-libs_0.94.0-7sarge1_sparc.deb
Size/MD5 checksum: 610434 e18ecc88091f7b39c6edf906e9313f1c


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDR2vdW5ql+IAeqTIRAo73AJ9waojIIN+oZ8Qe4IrGwcBXMOdlrgCfWGNZ
Te+ZaXeTibMlT0+AfZqQNd0=
=uNUG
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_847_1_new_dia_packages_fix_arbitrary_code_execution.html)