From martin.pitt@canonical.com Tue Oct 4 08:23:03 2005 From: Martin Pitt To: ubuntu-security-announce@lists.ubuntu.com Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com Date: Tue, 4 Oct 2005 14:20:20 +0200 Subject: [Full-disclosure] [USN-193-1] dia vulnerability =========================================================== Ubuntu Security Notice USN-193-1 October 04, 2005 dia vulnerability CAN-2005-2966 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: dia-common The problem can be corrected by upgrading the affected package to version 0.94.0-5ubuntu1.1. After a standard system upgrade you have to restart dia to effect the necessary changes. Details follow: Joxean Koret discovered that the SVG import plugin did not properly sanitise data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. Source archives: http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia_0.94.0-5ubuntu1.1.diff.gz Size/MD5: 14159 e9704dd46e24cb3cd11874a499692b6e http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia_0.94.0-5ubuntu1.1.dsc Size/MD5: 1408 9d47820c11fde0876377ec119bdd6a7e http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia_0.94.0.orig.tar.gz Size/MD5: 5241128 d2afdc10f55df29314250d98dbfd7a79 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-common_0.94.0-5ubuntu1.1_all.deb Size/MD5: 2148620 255d09ecefe04651433da82730b2b17d amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-gnome_0.94.0-5ubuntu1.1_amd64.deb Size/MD5: 194718 c8d54ed3e5ac7a0cc006a951e08be9d0 http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-libs_0.94.0-5ubuntu1.1_amd64.deb Size/MD5: 658936 b80672bede2ca8081017f0a9dc70a483 http://security.ubuntu.com/ubuntu/pool/universe/d/dia/dia_0.94.0-5ubuntu1.1_amd64.deb Size/MD5: 193040 ed010c5c285236d0306f3faf1a31142d i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-gnome_0.94.0-5ubuntu1.1_i386.deb Size/MD5: 176774 dbfd08f4eb1a3ac2c03708f642e0b669 http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-libs_0.94.0-5ubuntu1.1_i386.deb Size/MD5: 579934 2f8e713d629000abccb740c17e108b01 http://security.ubuntu.com/ubuntu/pool/universe/d/dia/dia_0.94.0-5ubuntu1.1_i386.deb Size/MD5: 175298 2b760f4256be15ee369b300dc46d6d94 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-gnome_0.94.0-5ubuntu1.1_powerpc.deb Size/MD5: 184416 1f3ee515f8addd2716141de23dc66833 http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-libs_0.94.0-5ubuntu1.1_powerpc.deb Size/MD5: 674436 7988c9c44120c67552248aedb5129b67 http://security.ubuntu.com/ubuntu/pool/universe/d/dia/dia_0.94.0-5ubuntu1.1_powerpc.deb Size/MD5: 182920 411970ed6af036ebd895b7f8659f9944 [ Part 1.2, "Digital signature" Application/PGP-SIGNATURE ] [ 196bytes. ] [ Unable to print this part. ] [ Part 2: "Attached Text" ] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/