Bug#772648: graphviz: format string vulnerability (CVE-2014-9157)

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#772648: graphviz: format string vulnerability (CVE-2014-9157)
From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
Date: Tue, 09 Dec 2014 09:48:04 -0500
Message-id: <[🔎] 20141209144804.15150.59495.reportbug@mdlinux>
Reply-to: Marc Deslauriers <marc.deslauriers@ubuntu.com>, 772648@bugs.debian.org

Package: graphviz
Version: 2.38.0-6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu vivid ubuntu-patch



*** /tmp/tmp5q_TKj/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Format string vulnerability may allow attackers to
    cause a denial of service or possibly execute code.
    - debian/patches/CVE-2014-9157.patch: Fix format string vulnerability in
      lib/cgraph/scan.l yyerror() routine.
    - CVE-2014-9157


Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru graphviz-2.38.0/debian/changelog graphviz-2.38.0/debian/changelog
diff -Nru graphviz-2.38.0/debian/patches/CVE-2014-9157.patch graphviz-2.38.0/debian/patches/CVE-2014-9157.patch
--- graphviz-2.38.0/debian/patches/CVE-2014-9157.patch	1969-12-31 19:00:00.000000000 -0500
+++ graphviz-2.38.0/debian/patches/CVE-2014-9157.patch	2014-12-09 09:09:43.000000000 -0500
@@ -0,0 +1,21 @@
+Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+Author: Emden R. Gansner
+
+---
+ lib/cgraph/scan.l |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/lib/cgraph/scan.l
+===================================================================
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -225,7 +225,7 @@
+ 	agxbput (&xb, buf);
+ 	agxbput (&xb, yytext);
+ 	agxbput (&xb,"'\n");
+-	agerr(AGERR,agxbuse(&xb));
++	agerr(AGERR, "%s", agxbuse(&xb));
+ 	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
diff -Nru graphviz-2.38.0/debian/patches/series graphviz-2.38.0/debian/patches/series
--- graphviz-2.38.0/debian/patches/series	2014-09-01 17:13:51.000000000 -0400
+++ graphviz-2.38.0/debian/patches/series	2014-12-09 09:09:43.000000000 -0500
@@ -11,3 +11,4 @@
 reduce-lab-color.patch
 add-libm-to-dot-link.patch
 versioned-plugin-config-file.diff
+CVE-2014-9157.patch

Reply to:

Follow-Ups:
- Bug#772648: marked as done (graphviz: format string vulnerability (CVE-2014-9157))
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#772648: marked as done (graphviz: format string vulnerability (CVE-2014-9157))
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#772648: marked as done (graphviz: format string vulnerability (CVE-2014-9157))
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Zitzakken en beanbags voor Kerstmis!
Next by Date: Bug#772658: proll: build-depends on sparc-utils
Previous by thread: Zitzakken en beanbags voor Kerstmis!
Next by thread: Bug#772648: marked as done (graphviz: format string vulnerability (CVE-2014-9157))
Index(es):
- Date
- Thread