
Bug#772648: marked as done (graphviz: format string vulnerability (CVE-2014-9157))



Your message dated Wed, 10 Dec 2014 16:20:22 +0000
with message-id <E1Xyjzy-00074e-K0@franck.debian.org>
and subject line Bug#772648: fixed in graphviz 2.38.0-7
has caused the Debian Bug report #772648,
regarding graphviz: format string vulnerability (CVE-2014-9157)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772648: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772648
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: graphviz
Version: 2.38.0-6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu vivid ubuntu-patch




In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Format string vulnerability may allow attackers to
    cause a denial of service or possibly execute code.
    - debian/patches/CVE-2014-9157.patch: Fix format string vulnerability in
      lib/cgraph/scan.l yyerror() routine.
    - CVE-2014-9157


Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru graphviz-2.38.0/debian/changelog graphviz-2.38.0/debian/changelog
diff -Nru graphviz-2.38.0/debian/patches/CVE-2014-9157.patch graphviz-2.38.0/debian/patches/CVE-2014-9157.patch
--- graphviz-2.38.0/debian/patches/CVE-2014-9157.patch	1969-12-31 19:00:00.000000000 -0500
+++ graphviz-2.38.0/debian/patches/CVE-2014-9157.patch	2014-12-09 09:09:43.000000000 -0500
@@ -0,0 +1,21 @@
+Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+Author: Emden R. Gansner
+
+---
+ lib/cgraph/scan.l |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/lib/cgraph/scan.l
+===================================================================
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -225,7 +225,7 @@
+ 	agxbput (&xb, buf);
+ 	agxbput (&xb, yytext);
+ 	agxbput (&xb,"'\n");
+-	agerr(AGERR,agxbuse(&xb));
++	agerr(AGERR, "%s", agxbuse(&xb));
+ 	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
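Review bot: Only the yyerror() call site in lib/cgraph/scan.l is changed by the inner hunk, and nothing in the patch shows that other agerr() callers were checked for the same non-literal format argument. The replacement agerr(AGERR, "%s", agxbuse(&xb)); is correct, since the buffer was just filled from yytext, which is scanner input, but please confirm the remaining call sites were audited. Building with -Wformat -Werror=format-security, with agerr() carrying a printf format attribute if it does not already, would make any future recurrence a compile error. The patch header would also benefit from a Bug-Debian: line once the bug number is known.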
diff -Nru graphviz-2.38.0/debian/patches/series graphviz-2.38.0/debian/patches/series
--- graphviz-2.38.0/debian/patches/series	2014-09-01 17:13:51.000000000 -0400
+++ graphviz-2.38.0/debian/patches/series	2014-12-09 09:09:43.000000000 -0500
@@ -11,3 +11,4 @@
 reduce-lab-color.patch
 add-libm-to-dot-link.patch
 versioned-plugin-config-file.diff
+CVE-2014-9157.patch
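Review bot: The new series entry has no reviewable changelog entry to match it: the debian/changelog diff header at the top of the debdiff has no hunk under it, so the version and wording of the entry that should name CVE-2014-9157.patch cannot be checked. Please resend with the changelog hunk included. Appending the patch as the last line of series, after versioned-plugin-config-file.diff, is fine.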

--- End Message ---
--- Begin Message ---
Source: graphviz
Source-Version: 2.38.0-7

We believe that the bug you reported is fixed in the latest version of
graphviz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated graphviz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Dec 2014 07:21:52 +0100
Source: graphviz
Binary: graphviz libgv-guile libgv-lua libgv-perl libgv-php5 libgv-python libgv-ruby libgv-tcl libcgraph6 libcdt5 libpathplan4 libgvc6 libgvc6-plugins-gtk libgvpr2 libxdot4 libgraphviz-dev graphviz-doc graphviz-dev
Architecture: source all amd64
Version: 2.38.0-7
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 graphviz   - rich set of graph drawing tools
 graphviz-dev - transitional package for graphviz-dev rename
 graphviz-doc - additional documentation for graphviz
 libcdt5    - rich set of graph drawing tools - cdt library
 libcgraph6 - rich set of graph drawing tools - cgraph library
 libgraphviz-dev - graphviz libs and headers against which to build applications
 libgv-guile - Guile bindings for graphviz
 libgv-lua  - Lua bindings for graphviz
 libgv-perl - Perl bindings for graphviz
 libgv-php5 - PHP5 bindings for graphviz
 libgv-python - Python bindings for graphviz
 libgv-ruby - Ruby bindings for graphviz
 libgv-tcl  - Tcl bindings for graphviz
 libgvc6    - rich set of graph drawing tools - gvc library
 libgvc6-plugins-gtk - rich set of graph drawing tools - gtk plugins
 libgvpr2   - rich set of graph drawing tools - gvpr library
 libpathplan4 - rich set of graph drawing tools - pathplan library
 libxdot4   - rich set of graph drawing tools - xdot library
Closes: 772648
Changes:
 graphviz (2.38.0-7) unstable; urgency=high
 .
   * QA upload.
   * Add CVE-2014-9157.patch.
     Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
     which may allow attackers to cause a denial of service or possibly
     execute code.
     Thanks to Marc Deslauriers <marc.deslauriers@ubuntu.com> (Closes: #772648)


--- End Message ---
