Bug#772648: marked as done (graphviz: format string vulnerability (CVE-2014-9157))

To: Thorsten Alteholz <debian@alteholz.de>
Subject: Bug#772648: marked as done (graphviz: format string vulnerability (CVE-2014-9157))
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 11 Dec 2014 21:24:05 +0000
Message-id: <[🔎] handler.772648.D772648.14183328879763.ackdone@bugs.debian.org>
References: <E1XzBAp-0001Uq-81@franck.debian.org> <[🔎] 20141209144804.15150.59495.reportbug@mdlinux>

Your message dated Thu, 11 Dec 2014 21:21:23 +0000
with message-id <E1XzBAp-0001Uq-81@franck.debian.org>
and subject line Bug#772648: fixed in graphviz 2.26.3-5+squeeze3
has caused the Debian Bug report #772648,
regarding graphviz: format string vulnerability (CVE-2014-9157)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772648: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772648
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: graphviz: format string vulnerability (CVE-2014-9157)
From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
Date: Tue, 09 Dec 2014 09:48:04 -0500
Message-id: <[🔎] 20141209144804.15150.59495.reportbug@mdlinux>

Package: graphviz
Version: 2.38.0-6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu vivid ubuntu-patch



*** /tmp/tmp5q_TKj/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Format string vulnerability may allow attackers to
    cause a denial of service or possibly execute code.
    - debian/patches/CVE-2014-9157.patch: Fix format string vulnerability in
      lib/cgraph/scan.l yyerror() routine.
    - CVE-2014-9157


Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru graphviz-2.38.0/debian/changelog graphviz-2.38.0/debian/changelog
diff -Nru graphviz-2.38.0/debian/patches/CVE-2014-9157.patch graphviz-2.38.0/debian/patches/CVE-2014-9157.patch
--- graphviz-2.38.0/debian/patches/CVE-2014-9157.patch	1969-12-31 19:00:00.000000000 -0500
+++ graphviz-2.38.0/debian/patches/CVE-2014-9157.patch	2014-12-09 09:09:43.000000000 -0500
@@ -0,0 +1,21 @@
+Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+Author: Emden R. Gansner
+
+---
+ lib/cgraph/scan.l |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/lib/cgraph/scan.l
+===================================================================
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -225,7 +225,7 @@
+ 	agxbput (&xb, buf);
+ 	agxbput (&xb, yytext);
+ 	agxbput (&xb,"'\n");
+-	agerr(AGERR,agxbuse(&xb));
++	agerr(AGERR, "%s", agxbuse(&xb));
+ 	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
diff -Nru graphviz-2.38.0/debian/patches/series graphviz-2.38.0/debian/patches/series
--- graphviz-2.38.0/debian/patches/series	2014-09-01 17:13:51.000000000 -0400
+++ graphviz-2.38.0/debian/patches/series	2014-12-09 09:09:43.000000000 -0500
@@ -11,3 +11,4 @@
 reduce-lab-color.patch
 add-libm-to-dot-link.patch
 versioned-plugin-config-file.diff
+CVE-2014-9157.patch

--- End Message ---

--- Begin Message ---

To: 772648-close@bugs.debian.org
Subject: Bug#772648: fixed in graphviz 2.26.3-5+squeeze3
From: Thorsten Alteholz <debian@alteholz.de>
Date: Thu, 11 Dec 2014 21:21:23 +0000
Message-id: <E1XzBAp-0001Uq-81@franck.debian.org>

Source: graphviz
Source-Version: 2.26.3-5+squeeze3

We believe that the bug you reported is fixed in the latest version of
graphviz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated graphviz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Dec 2014 19:34:32 +0100
Source: graphviz
Binary: graphviz libgv-guile libgv-lua libgv-ocaml libgv-perl libgv-php5 libgv-python libgv-ruby libgv-tcl libgraph4 libcgraph5 libcdt4 libpathplan4 libgvc5 libgvc5-plugins-gtk libgvpr1 libxdot4 libgraphviz-dev graphviz-doc graphviz-dev
Architecture: source all i386
Version: 2.26.3-5+squeeze3
Distribution: squeeze-lts
Urgency: high
Maintainer: David Claughton <dave@eclecticdave.com>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 graphviz   - rich set of graph drawing tools
 graphviz-dev - transitional package for graphviz-dev rename
 graphviz-doc - additional documentation for graphviz
 libcdt4    - rich set of graph drawing tools - cdt library
 libcgraph5 - rich set of graph drawing tools - cgraph library
 libgraph4  - rich set of graph drawing tools - graph library
 libgraphviz-dev - graphviz libs and headers against which to build applications
 libgv-guile - Guile bindings for graphviz
 libgv-lua  - Lua bindings for graphviz
 libgv-ocaml - OCaml bindings for graphviz
 libgv-perl - Perl bindings for graphviz
 libgv-php5 - Php5 bindings for graphviz
 libgv-python - Python bindings for graphviz
 libgv-ruby - Ruby bindings for graphviz
 libgv-tcl  - Tcl bindings for graphviz
 libgvc5    - rich set of graph drawing tools - gvc library
 libgvc5-plugins-gtk - rich set of graph drawing tools - gtk plugins
 libgvpr1   - rich set of graph drawing tools - gvpr library
 libpathplan4 - rich set of graph drawing tools - pathplan library
 libxdot4   - rich set of graph drawing tools - xdot library
Closes: 772648
Changes: 
 graphviz (2.26.3-5+squeeze3) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Add CVE-2014-9157.patch patch (Closes: #772648)
      Format string vulnerability in the yyerror function in
      lib/cgraph/scan.l in Graphviz allows remote attackers to
      have unspecified impact via format string specifiers in
      unknown vector, which are not properly handled in an
      error string.
Checksums-Sha1: 
 a707066acb990b15f60dffc82b9e42f5db3cbff5 2825 graphviz_2.26.3-5+squeeze3.dsc
 04503ac5a9eaa579859f0d017811fa245717edec 17092429 graphviz_2.26.3.orig.tar.gz
 d5b216c0bdeeeaa7cd04e0a9607ad2a9058d4def 51424 graphviz_2.26.3-5+squeeze3.debian.tar.gz
 16cb609adb329a60bb681d7676cbc542a317b893 2586184 graphviz-doc_2.26.3-5+squeeze3_all.deb
 fe50c9beed44d8fe0fb33ab3dbea59e75cc57d8b 48560 graphviz-dev_2.26.3-5+squeeze3_all.deb
 43fefc36b651c546bb735af10f79976e66541827 343712 graphviz_2.26.3-5+squeeze3_i386.deb
 ff9ab1092a2a961941f0309d6707393b6a3e3d9d 71238 libgv-guile_2.26.3-5+squeeze3_i386.deb
 e2b1a060294cb3746b844981dc16bcb4749e8805 79784 libgv-lua_2.26.3-5+squeeze3_i386.deb
 830591c79095b860a343532a935d7bc85647600e 77922 libgv-ocaml_2.26.3-5+squeeze3_i386.deb
 efd38333c38a47e9978b2c5b9cd08059065172fe 96876 libgv-perl_2.26.3-5+squeeze3_i386.deb
 687434fb3f8fb230e5f8a563b88c1845b9340616 79318 libgv-php5_2.26.3-5+squeeze3_i386.deb
 69502e981915979f3a3a1295f95025de55587412 111608 libgv-python_2.26.3-5+squeeze3_i386.deb
 cb6e1f6a5b4adef78aaa4cbad75fa58380aee464 74700 libgv-ruby_2.26.3-5+squeeze3_i386.deb
 0ec61a2ac1ae83fe94217d8c02fe1ac2bd5aa075 615982 libgv-tcl_2.26.3-5+squeeze3_i386.deb
 3c7444dc14747c6a0206157578dbeefcd050eec6 70572 libgraph4_2.26.3-5+squeeze3_i386.deb
 fbe1742c68519a9e47434b456294c1f47cb25c08 81704 libcgraph5_2.26.3-5+squeeze3_i386.deb
 2488091c2ff412f6c7db246880c6bb8bfa3692b3 58330 libcdt4_2.26.3-5+squeeze3_i386.deb
 2000bcb0dd15f9be37843f9bbbd201075e69f6a5 62876 libpathplan4_2.26.3-5+squeeze3_i386.deb
 437f09fb5bc17d3cd766c166e31efef97c53d680 502638 libgvc5_2.26.3-5+squeeze3_i386.deb
 83a632a1f0dd4b55a87c5454638522c254d10c8c 60660 libgvc5-plugins-gtk_2.26.3-5+squeeze3_i386.deb
 f6c732869403e042d5f5d092c1dd2df63a1a59ab 234464 libgvpr1_2.26.3-5+squeeze3_i386.deb
 4d0bb561c0dd4277ebfd35d85f8d3d5c11c08d23 53258 libxdot4_2.26.3-5+squeeze3_i386.deb
 b1df594b1e1d383c6afbf6957597a77a313a6dc0 122170 libgraphviz-dev_2.26.3-5+squeeze3_i386.deb
Checksums-Sha256: 
 3377493430a5749eceb16af4dd87faeef763835acb98edc57c73e412c9183cd0 2825 graphviz_2.26.3-5+squeeze3.dsc
 f410996e69b1095237c2128deae5fc7b6ce99055b095271abb14447bc2f37fa1 17092429 graphviz_2.26.3.orig.tar.gz
 196d54f56e100b1c6c2cc461471b065c7cd2658d791b0c0c4d285a0799e4e963 51424 graphviz_2.26.3-5+squeeze3.debian.tar.gz
 3ddd424e96069eb26efb50004b7d69aa937ac6edf53832a208afca45deb69c8d 2586184 graphviz-doc_2.26.3-5+squeeze3_all.deb
 ceec6f2a0a74c6ccbea4ca5b95c20cc11af6ca8a54fbb1ea9a21b4d754db8d21 48560 graphviz-dev_2.26.3-5+squeeze3_all.deb
 09f1ae7c587865a99f782b9d537678d6258707ce6bb8e79725dbc68fa2e0d37a 343712 graphviz_2.26.3-5+squeeze3_i386.deb
 9fef889056bd132d7c58ab0ad1ec0dd64ee64005d5223b586064ddebfe7389eb 71238 libgv-guile_2.26.3-5+squeeze3_i386.deb
 24015c9031edd167e3ab77f41ae7500bddfa92bc93d4c9fad4c5f0018e85ddd1 79784 libgv-lua_2.26.3-5+squeeze3_i386.deb
 17013179ea142dd249590c6efc5dd79cea1e540ef8fef2764e3bdd3fbe4f3fd8 77922 libgv-ocaml_2.26.3-5+squeeze3_i386.deb
 5cd3f0a4b173b65433fb4211be3f6f6eaed549dd056a0436c811b3197a7430a6 96876 libgv-perl_2.26.3-5+squeeze3_i386.deb
 7efe9bfd10006b8d929f75796ced8a58cc5a39ebdfea9d7a6635774d5018d3a4 79318 libgv-php5_2.26.3-5+squeeze3_i386.deb
 4cb02b04c7e40414313eca37a62568b794b848924391e96c119ede09c55c9eec 111608 libgv-python_2.26.3-5+squeeze3_i386.deb
 aa12ea2d6d7e211499ce4fa9209e70a849d812b468052e7a2878d0d39f6dc4e3 74700 libgv-ruby_2.26.3-5+squeeze3_i386.deb
 0f3cbbee4e7135c0ed566a07f96219695174f0d2a3ff2cb85e78481de584777f 615982 libgv-tcl_2.26.3-5+squeeze3_i386.deb
 32258ed7a739c6effa1a7806b49599e4403e10e06408504845d6a7b5f8877067 70572 libgraph4_2.26.3-5+squeeze3_i386.deb
 25476a8760c4dc070691415a21d5d167cb9bf9d3e8355453b25c469a858f6c53 81704 libcgraph5_2.26.3-5+squeeze3_i386.deb
 8cf31d52b13318db8be1f6f08c682a47f10f011a9a305347df9ea06f8a6502ea 58330 libcdt4_2.26.3-5+squeeze3_i386.deb
 f6d03ab4835e4fbf2e0ffbab221e6eeb423dc0976136d614e6ce41cbc0eebd2c 62876 libpathplan4_2.26.3-5+squeeze3_i386.deb
 fdaa39d205e49b2b6631fa514dfcef23cf63db1b1e3b7d5cf531590e47eb50e3 502638 libgvc5_2.26.3-5+squeeze3_i386.deb
 5e168853f0f930b45f55fb2372596e2ba5511381ca8cf78ac58d2745039d035d 60660 libgvc5-plugins-gtk_2.26.3-5+squeeze3_i386.deb
 41e0467c1b79a8f2e8ce62ea2de3e898c07aa18870bdcb2b025ed69167275d77 234464 libgvpr1_2.26.3-5+squeeze3_i386.deb
 267607e183f2ae970eec22faa2d59509b4854f0dce48d74a76f49da7bacff474 53258 libxdot4_2.26.3-5+squeeze3_i386.deb
 de3328afac0074134e45434ab0b0f46dd74c719ee0ad69f019facdde242aafe6 122170 libgraphviz-dev_2.26.3-5+squeeze3_i386.deb
Files: 
 da63a529b1efe124bc753ecff3fdeb39 2825 graphics optional graphviz_2.26.3-5+squeeze3.dsc
 6f45946fa622770c45609778c0a982ee 17092429 graphics optional graphviz_2.26.3.orig.tar.gz
 f9ddb4db402b415313817aa583949f1b 51424 graphics optional graphviz_2.26.3-5+squeeze3.debian.tar.gz
 8328b3607dcfa206762e0047369fe3b7 2586184 doc optional graphviz-doc_2.26.3-5+squeeze3_all.deb
 a3a32d0ae4ba8d4250156aa8467122e5 48560 devel optional graphviz-dev_2.26.3-5+squeeze3_all.deb
 57f37ac195a2c7e7d387ca9d9c6b0d59 343712 graphics optional graphviz_2.26.3-5+squeeze3_i386.deb
 07234b77636be3d9c2a00570d6a38ed3 71238 interpreters optional libgv-guile_2.26.3-5+squeeze3_i386.deb
 b412ed2fd03ee495fd44d12330e90265 79784 interpreters optional libgv-lua_2.26.3-5+squeeze3_i386.deb
 3d3692dd201f5b82101628d06c8b5fd0 77922 ocaml optional libgv-ocaml_2.26.3-5+squeeze3_i386.deb
 ceac5136e4e524830d2081588d77fb0f 96876 perl optional libgv-perl_2.26.3-5+squeeze3_i386.deb
 307db06ab3ad250fc8d3b83e4cbc1872 79318 php optional libgv-php5_2.26.3-5+squeeze3_i386.deb
 c69d2690b2249de25fb2ae042caaaba0 111608 python optional libgv-python_2.26.3-5+squeeze3_i386.deb
 af651b44cd4dee88c1ab367a4c185338 74700 ruby optional libgv-ruby_2.26.3-5+squeeze3_i386.deb
 2db1b03f036392c0df366ef7fe45fe67 615982 interpreters optional libgv-tcl_2.26.3-5+squeeze3_i386.deb
 561040e0b58fbf05f2ed7b62a6aaaa13 70572 libs optional libgraph4_2.26.3-5+squeeze3_i386.deb
 8603639b439997fa1827612745281c0c 81704 libs optional libcgraph5_2.26.3-5+squeeze3_i386.deb
 8b54c0d2c441febbde5079e19f3d7a94 58330 libs optional libcdt4_2.26.3-5+squeeze3_i386.deb
 31634e45191b44bcc42eb54b40d41af2 62876 libs optional libpathplan4_2.26.3-5+squeeze3_i386.deb
 d38fc4851902ac5a802b62d4ad93447f 502638 libs optional libgvc5_2.26.3-5+squeeze3_i386.deb
 3a712552ffbd2a8e7d0ea37ea24bcbee 60660 libs optional libgvc5-plugins-gtk_2.26.3-5+squeeze3_i386.deb
 fa4cfb37925cd45f57ac474e5c58eabb 234464 libs optional libgvpr1_2.26.3-5+squeeze3_i386.deb
 452cca3ea258be52b649a8865aeaee3c 53258 libs optional libxdot4_2.26.3-5+squeeze3_i386.deb
 7e52bb4a63159f73ea09f07a34c7c25e 122170 libdevel optional libgraphviz-dev_2.26.3-5+squeeze3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJUigVyXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hH3xMP/0tJWp8oG7TN9Qbx/Qz3jXhu
5URDfgUCbU+IAS+4f3MgVpHryYMDwpG30W0fR4iAhDG/R3my2ILllCxwNbQzB2VY
/UcFODDog0m62xLAz2eHHJzS1z9bNLwVj5QMRHkLEJqhzRm5wyKgNrkbFNB35Gqz
VUogu+gDMkagMb8iHjLlLnnkP2f5fD1191wKITHgxIDA5czlPd7oiiXpiP2o/uvX
bsCt5/vf+QX3dh1qK6R9Zi3XRP4JHA2bzkpQC+qUmONLAnW2BQeBpB3P4L/ZW2u1
0qAdB1CUNgJ3O08EJTp2ZFmJq6pBGpgVqXnv/pCZvc9W1Yrefzc8qWRld4P9S7tu
1NHjWYVrygwCowHVr7LLs0zDaPtK10kjhmL7VWKI5kcHX2BFg03KB5RuEN5DheWt
SucM6PCg0LKOSsvLrojEjlTl86W5Y0KXk0DErOuZ52C5pF4jzBP9uJNyyB0RZyBc
saHH1ULIBn3rPMf/rjqs/a9+bPp4zdhOZnwKi8BG+LWsmSpBjl0u4VUhLb3OsfiJ
d18+dxJgsZR7SInpW/MkebPaygi3D51eEq3Pm+pdxMbtYG+5ctv4g9YWEfbNyWf0
QGZqbBMbkSbER5wtcIqmi5CGVAPpI8CuFQSBi4SLNCyzMIJOecuu/xWeDFy7f0BQ
otoA3OUVOmVntnorh72A
=s64r
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

References:
- Bug#772648: graphviz: format string vulnerability (CVE-2014-9157)
  - From: Marc Deslauriers <marc.deslauriers@ubuntu.com>

Prev by Date: mpfr4_3.1.2-2_amd64.changes ACCEPTED into unstable
Next by Date: Bug#772648: marked as done (graphviz: format string vulnerability (CVE-2014-9157))
Previous by thread: Bug#772648: marked as done (graphviz: format string vulnerability (CVE-2014-9157))
Next by thread: Bug#772648: marked as done (graphviz: format string vulnerability (CVE-2014-9157))
Index(es):
- Date
- Thread