Hi SRM,

according to the Security Team, this issue (CVE-2008-4555 [1]) doesn't warrant a DSA, so I'm proposing the following source debdiff. I'm excluding config.{guess,sub} update from it. And sorry for the delay.

 1. http://security-tracker.debian.net/tracker/CVE-2008-4555

Thanks for your time.

Mraw,
KiBi.
diff -u graphviz-2.8/debian/control graphviz-2.8/debian/control --- graphviz-2.8/debian/control +++ graphviz-2.8/debian/control @@ -1,7 +1,7 @@ Source: graphviz Section: graphics Priority: optional -Maintainer: Stephen M Moraco <stephen@debian.org> +Maintainer: Cyril Brulebois <kibi@debian.org> Standards-Version: 3.6.2 Build-Depends: tk8.4-dev, tcl8.4-dev, debhelper (>=4.0.0), libfreetype6-dev, zlib1g-dev, libjpeg62-dev, libpng12-dev, libxaw7-dev, bison, flex, autotools-dev, pdksh, libttf-dev, libexpat1-dev, libfontconfig1-dev, libltdl3-dev, swig, libperl-dev, libgd2-xpm-dev diff -u graphviz-2.8/debian/changelog graphviz-2.8/debian/changelog --- graphviz-2.8/debian/changelog +++ graphviz-2.8/debian/changelog @@ -1,3 +1,15 @@ +graphviz (2.8-3+etch1) stable; urgency=low + + * Backport patch to fix a stack overflow in the graph parser, reported + by IBM and fixed in 2.20.3. Thanks to upstream for both notices and + minimal patches! Patched files are the following: + - lib/graph/parser.c + - lib/graph/parser.y + This is CVE-2008-4555. + * Update Maintainer field, package got adopted. + + -- Cyril Brulebois <kibi@debian.org> Mon, 08 Dec 2008 06:35:53 +0100 + graphviz (2.8-2.4) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- graphviz-2.8.orig/lib/graph/parser.y +++ graphviz-2.8/lib/graph/parser.y @@ -31,11 +31,15 @@ static Agnode_t *N; static Agedge_t *E; static objstack_t *SP; -static Agraph_t *Gstack[32]; +#define GSTACK_SIZE 64 +static Agraph_t *Gstack[GSTACK_SIZE]; static int GSP; static void push_subg(Agraph_t *g) { + if (GSP >= GSTACK_SIZE) { + agerr (AGERR, "Gstack overflow in graph parser\n"); exit(1); + } G = Gstack[GSP++] = g; } only in patch2: unchanged: --- graphviz-2.8.orig/lib/graph/parser.c +++ graphviz-2.8/lib/graph/parser.c 
@@ -96,11 +96,15 @@ static Agnode_t *N; static Agedge_t *E; static objstack_t *SP; -static Agraph_t *Gstack[32]; +#define GSTACK_SIZE 64 +static Agraph_t *Gstack[GSTACK_SIZE]; static int GSP; static void push_subg(Agraph_t *g) { + if (GSP >= GSTACK_SIZE) { + agerr (AGERR, "Gstack overflow in graph parser\n"); exit(1); + } G = Gstack[GSP++] = g; }
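Review bot: the debian/changelog entry calls this a "stack overflow in the graph parser", but the patched Gstack is declared static, so the defect is a write past the end of a static array indexed by GSP, not call-stack corruption. Suggest wording such as "overflow of the parser's subgraph stack (Gstack)" and mentioning that the capacity also changes from 32 to 64, since that is a behaviour change the entry does not record.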
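Review bot: in push_subg() in lib/graph/parser.y the new bound check ends with exit(1), so any program that parses a graph through this library is terminated by an input nested deeper than GSTACK_SIZE, with no chance to handle the error itself. That is acceptable for a minimal backport, but it deserves a comment at the check saying so. The jump from 32 to 64 is also unexplained: a one-line comment on the GSTACK_SIZE define stating why 64 was chosen would help, because the check, not the larger array, is what closes the overflow. The hunk shows only the push side, so it is worth confirming that the matching pop cannot take GSP below zero.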
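Review bot: the lib/graph/parser.c hunk repeats the parser.y edit by hand, and debian/control lists bison in Build-Depends. If the build regenerates parser.c from parser.y, this hunk is redundant and only the grammar file needs patching. If the shipped parser.c is what gets compiled, the fix depends on the two files staying in sync by hand. Please state in the changelog which of the two is the case, and check after a build that the compiled push_subg() actually contains the GSP >= GSTACK_SIZE test.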