Bug#368202: sarge: dia: CVE-2006-2480 and CVE-2006-2453: format string vulnerability

Roland Stigge Sun, 04 Jun 2006 08:53:08 -0700

Hi,

besides the upload to unstable, I've backported the upstream patch for
#368202. See attachment.


Feel free to upload if appropriate.

Thanks,

Roland

diff -ruN dia-0.94.0.orig/app/app_procs.c dia-0.94.0/app/app_procs.c
--- dia-0.94.0.orig/app/app_procs.c	2006-06-04 15:33:05.000000000 +0200
+++ dia-0.94.0/app/app_procs.c	2006-06-04 15:33:56.000000000 +0200
@@ -879,22 +879,22 @@
 
       g_print(_("The original author of Dia was:\n\n"));
       for (i = 0; i < NUMBER_OF_ORIG_AUTHORS; i++) {
-          g_print(authors[i]); g_print("\n");
+          g_print("%s\n", authors[i]);
       }
 
       g_print(_("\nThe current maintainers of Dia are:\n\n"));
       for (i = NUMBER_OF_ORIG_AUTHORS; i < NUMBER_OF_ORIG_AUTHORS + NUMBER_OF_MAINTAINERS; i++) {
-	  g_print(authors[i]); g_print("\n");
+	  g_print("%s\n", authors[i]);
       }
 
       g_print(_("\nOther authors are:\n\n"));
       for (i = NUMBER_OF_ORIG_AUTHORS + NUMBER_OF_MAINTAINERS; i < nauthors; i++) {
-          g_print(authors[i]); g_print("\n");
+          g_print("%s\n", authors[i]);
       }
 
       g_print(_("\nDia is documented by:\n\n"));
       for (i = 0; i < ndocumentors; i++) {
-          g_print(documentors[i]); g_print("\n");
+          g_print("%s\n", documentors[i]);
       }
 
       exit(0);
diff -ruN dia-0.94.0.orig/app/display.c dia-0.94.0/app/display.c
--- dia-0.94.0.orig/app/display.c	2004-08-16 09:56:03.000000000 +0200
+++ dia-0.94.0/app/display.c	2006-06-04 15:51:00.000000000 +0200
@@ -968,7 +968,6 @@
   Diagram *dia;
   GtkWidget *dialog, *button;
   gchar *fname;
-  gchar *msg;
 
   dia = ddisp->diagram;
   
@@ -981,18 +980,16 @@
   fname = dia->filename;
   if (!fname)
     fname = _("<unnamed>");
-  msg = g_strdup_printf (
-          _("The diagram '%s'\n"
-            "has not been saved. Save changes now?"),
-	  fname);
 
   dialog = gtk_message_dialog_new(GTK_WINDOW (ddisp->shell), 
                                   GTK_DIALOG_MODAL,
                                   GTK_MESSAGE_QUESTION,
                                   GTK_BUTTONS_NONE, /* no standard buttons */
-				  msg,
+				  _("Closing diagram without saving"),
                                   NULL);
-  g_free (msg);
+  gtk_message_dialog_format_secondary_text(GTK_MESSAGE_DIALOG(dialog),
+    _("The diagram '%s'\n"
+      "has not been saved. Save changes now?"), fname);
   gtk_window_set_title (GTK_WINDOW(dialog), _("Close Diagram"));
 
   button = gtk_button_new_from_stock (GTK_STOCK_CANCEL);
diff -ruN dia-0.94.0.orig/app/filedlg.c dia-0.94.0/app/filedlg.c
--- dia-0.94.0.orig/app/filedlg.c	2004-08-16 09:56:03.000000000 +0200
+++ dia-0.94.0/app/filedlg.c	2006-06-04 16:04:10.000000000 +0200
@@ -251,7 +251,6 @@
 
   if (stat(filename, &stat_struct) == 0) {
     GtkWidget *dialog = NULL;
-    char buffer[300];
     char *utf8filename = NULL;
     if (!g_utf8_validate(filename, -1, NULL)) {
       utf8filename = g_filename_to_utf8(filename, -1, NULL, NULL, NULL);
@@ -261,16 +260,14 @@
     }
     if (utf8filename == NULL) utf8filename = g_strdup(filename);
 
-    g_snprintf(buffer, 300,
-	       _("The file '%s' already exists.\n"
-		 "Do you want to overwrite it?"), utf8filename);
-    g_free(utf8filename);
-
     dialog = gtk_message_dialog_new (GTK_WINDOW(fs),
                                      GTK_DIALOG_MODAL, GTK_MESSAGE_QUESTION,
                                      GTK_BUTTONS_YES_NO,
-                                     buffer);
-    gtk_window_set_title (GTK_WINDOW (dialog), _("File already exists"));
+                                     _("File already exists"));
+    gtk_message_dialog_format_secondary_text(GTK_MESSAGE_DIALOG(dialog),
+      _("The file '%s' already exists.\n"
+        "Do you want to overwrite it?"), utf8filename);
+    g_free(utf8filename);
     gtk_dialog_set_default_response (GTK_DIALOG (dialog), GTK_RESPONSE_YES);
 
     if (gtk_dialog_run (GTK_DIALOG (dialog)) != GTK_RESPONSE_YES) {
@@ -442,17 +439,15 @@
 
   if (stat(filename, &statbuf) == 0) {
     GtkWidget *dialog = NULL;
-    char buffer[300];
 
-    g_snprintf(buffer, 300,
-	       _("The file '%s' already exists.\n"
-		 "Do you want to overwrite it?"), filename);
     dialog = gtk_message_dialog_new (GTK_WINDOW(fs),
                                      GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT, 
 				     GTK_MESSAGE_QUESTION,
                                      GTK_BUTTONS_YES_NO,
-                                     buffer);
-    gtk_window_set_title (GTK_WINDOW (dialog), _("File already exists"));
+                                     _("File already exists"));
+    gtk_message_dialog_format_secondary_text(GTK_MESSAGE_DIALOG(dialog),
+      _("The file '%s' already exists.\n"
+        "Do you want to overwrite it?"), filename);
     gtk_dialog_set_default_response (GTK_DIALOG (dialog), GTK_RESPONSE_YES);
 
     if (gtk_dialog_run (GTK_DIALOG (dialog)) != GTK_RESPONSE_YES) {
diff -ruN dia-0.94.0.orig/app/load_save.c dia-0.94.0/app/load_save.c
--- dia-0.94.0.orig/app/load_save.c	2004-08-16 09:56:03.000000000 +0200
+++ dia-0.94.0/app/load_save.c	2006-06-04 15:33:56.000000000 +0200
@@ -199,7 +199,7 @@
     g_hash_table_foreach(unknown_hash,
 			 GHFuncUnknownObjects,
 			 unknown_str);
-    message_error(unknown_str->str);
+    message_error("%s", unknown_str->str);
   }
   g_hash_table_destroy(unknown_hash);
   g_string_free(unknown_str, TRUE);
diff -ruN dia-0.94.0.orig/app/sheets.c dia-0.94.0/app/sheets.c
--- dia-0.94.0.orig/app/sheets.c	2004-08-16 09:56:03.000000000 +0200
+++ dia-0.94.0/app/sheets.c	2006-06-04 16:07:45.000000000 +0200
@@ -338,7 +338,7 @@
         gdk_pixbuf_render_pixmap_and_mask(pixbuf, pixmap, mask, 1.0);
         gdk_pixbuf_unref(pixbuf);
       } else {
-        g_warning (error->message);
+        g_warning ("%s", error->message);
         g_error_free (error);
       }
     }
diff -ruN dia-0.94.0.orig/debian/changelog dia-0.94.0/debian/changelog
--- dia-0.94.0.orig/debian/changelog	2006-06-04 15:33:05.000000000 +0200
+++ dia-0.94.0/debian/changelog	2006-06-04 16:15:31.000000000 +0200
@@ -1,3 +1,10 @@
+dia (0.94.0-7sarge4) stable-security; urgency=high
+
+  * Applied upstream format string fixes: CVE-2006-2480 and CVE-2006-2453
+    (Closes: #368202)
+
+ -- Roland Stigge <[EMAIL PROTECTED]>  Sun,  4 Jun 2006 16:14:35 +0200
+
 dia (0.94.0-7sarge3) stable-security; urgency=medium
 
   * Non-maintainer upload by the Security Team
diff -ruN dia-0.94.0.orig/lib/message.c dia-0.94.0/lib/message.c
--- dia-0.94.0.orig/lib/message.c	2004-08-16 09:56:07.000000000 +0200
+++ dia-0.94.0/lib/message.c	2006-06-04 15:33:56.000000000 +0200
@@ -86,7 +86,7 @@
 				   0,    /* GtkDialogFlags */
 				   type,
 				   GTK_BUTTONS_CLOSE,
-				   buf);
+				   "%s", buf);
   if (title) {
     gchar *real_title;
 
diff -ruN dia-0.94.0.orig/plug-ins/python/diamodule.c dia-0.94.0/plug-ins/python/diamodule.c
--- dia-0.94.0.orig/plug-ins/python/diamodule.c	2004-08-16 09:56:20.000000000 +0200
+++ dia-0.94.0/plug-ins/python/diamodule.c	2006-06-04 15:33:56.000000000 +0200
@@ -377,11 +377,11 @@
 	return NULL;
 
     if (0 == type)
-	message_notice (text);
+	message_notice ("%s", text);
     else if (1 == type)
-	message_warning (text);
+	message_warning ("%s", text);
     else
-	message_error (text);
+	message_error ("%s", text);
 
     Py_INCREF(Py_None);
     return Py_None;
diff -ruN dia-0.94.0.orig/plug-ins/wmf/wmf.cpp dia-0.94.0/plug-ins/wmf/wmf.cpp
--- dia-0.94.0.orig/plug-ins/wmf/wmf.cpp	2004-08-16 09:56:21.000000000 +0200
+++ dia-0.94.0/plug-ins/wmf/wmf.cpp	2006-06-04 15:33:56.000000000 +0200
@@ -223,7 +223,7 @@
     va_end (args);
 
     //fprintf(renderer->file, string);
-    g_print(string);
+    g_print("%s", string);
 
     g_free(string);
 }

Bug#368202: sarge: dia: CVE-2006-2480 and CVE-2006-2453: format string vulnerability

Reply via email to