Hi SRM,
according to the Security Team, this issue (CVE-2008-4555 [1]) doesn't
warrant a DSA, so I'm proposing the following source debdiff. I'm
excluding config.{guess,sub} update from it. And sorry for the delay.
1. http://security-tracker.debian.net/tracker/CVE-2008-4555
Thanks for your time.
Mraw,
KiBi.
diff -u graphviz-2.8/debian/control graphviz-2.8/debian/control
--- graphviz-2.8/debian/control
+++ graphviz-2.8/debian/control
@@ -1,7 +1,7 @@
Source: graphviz
Section: graphics
Priority: optional
-Maintainer: Stephen M Moraco <stephen@debian.org>
+Maintainer: Cyril Brulebois <kibi@debian.org>
Standards-Version: 3.6.2
Build-Depends: tk8.4-dev, tcl8.4-dev, debhelper (>=4.0.0), libfreetype6-dev, zlib1g-dev, libjpeg62-dev, libpng12-dev, libxaw7-dev, bison, flex, autotools-dev, pdksh, libttf-dev, libexpat1-dev, libfontconfig1-dev, libltdl3-dev, swig, libperl-dev, libgd2-xpm-dev
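Review bot: the `Maintainer` change in this hunk is unrelated to the CVE-2008-4555 fix, so it widens the scope of a stable upload beyond the targeted security change. It is recorded in the changelog, which is good, but it is worth confirming explicitly with the release team that a metadata change is acceptable alongside the fix, or dropping it from this upload.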
diff -u graphviz-2.8/debian/changelog graphviz-2.8/debian/changelog
--- graphviz-2.8/debian/changelog
+++ graphviz-2.8/debian/changelog
@@ -1,3 +1,15 @@
+graphviz (2.8-3+etch1) stable; urgency=low
+
+ * Backport patch to fix a stack overflow in the graph parser, reported
+ by IBM and fixed in 2.20.3. Thanks to upstream for both notices and
+ minimal patches! Patched files are the following:
+ - lib/graph/parser.c
+ - lib/graph/parser.y
+ This is CVE-2008-4555.
+ * Update Maintainer field, package got adopted.
+
+ -- Cyril Brulebois <kibi@debian.org> Mon, 08 Dec 2008 06:35:53 +0100
+
graphviz (2.8-2.4) unstable; urgency=low
* Non-maintainer upload.
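Review bot: the new entry calls this a "stack overflow", but the patched object is the static `Gstack` array in the parser, so the wording can be misread as a call-stack problem; something like "overflow of the subgraph stack (Gstack) in the graph parser" would be less ambiguous. The entry should also record the two behaviour changes visible in the patch: the nesting limit goes from 32 to 64 entries, and exceeding it now makes the parser report an error and exit.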
only in patch2:
unchanged:
--- graphviz-2.8.orig/lib/graph/parser.y
+++ graphviz-2.8/lib/graph/parser.y
@@ -31,11 +31,15 @@
static Agnode_t *N;
static Agedge_t *E;
static objstack_t *SP;
-static Agraph_t *Gstack[32];
+#define GSTACK_SIZE 64
+static Agraph_t *Gstack[GSTACK_SIZE];
static int GSP;
static void push_subg(Agraph_t *g)
{
+ if (GSP >= GSTACK_SIZE) {
+ agerr (AGERR, "Gstack overflow in graph parser\n"); exit(1);
+ }
G = Gstack[GSP++] = g;
}
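Review bot: `exit(1)` inside `push_subg` ends the whole process from library code under lib/graph, so any program that links this parser and feeds it a deeply nested graph will terminate instead of receiving a parse error it can handle. For a minimal backport that is still preferable to writing past the end of `Gstack`, but it should be documented. The guard covers only the push side, and the matching pop is not in this hunk, so check that `GSP` cannot drop below zero there. Raising the array from 32 to `GSTACK_SIZE 64` is not needed for the fix itself, so it should be mentioned as a deliberate change. As a style point, `agerr (...)` and `exit(1)` share one line and would read better on separate lines.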
only in patch2:
unchanged:
--- graphviz-2.8.orig/lib/graph/parser.c
+++ graphviz-2.8/lib/graph/parser.c
@@ -96,11 +96,15 @@
static Agnode_t *N;
static Agedge_t *E;
static objstack_t *SP;
-static Agraph_t *Gstack[32];
+#define GSTACK_SIZE 64
+static Agraph_t *Gstack[GSTACK_SIZE];
static int GSP;
static void push_subg(Agraph_t *g)
{
+ if (GSP >= GSTACK_SIZE) {
+ agerr (AGERR, "Gstack overflow in graph parser\n"); exit(1);
+ }
G = Gstack[GSP++] = g;
}
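Review bot: this hunk repeats the parser.y change verbatim at a different offset (`@@ -96,11 +96,15 @@`), which suggests parser.c is the generated counterpart of parser.y. Since `bison` is in Build-Depends, say whether the build regenerates parser.c: if it does, this hunk is redundant and the parser.y change is the one that matters; if it does not, the two files must be kept in sync by hand, and a short comment in the changelog explaining why both are patched would help the next person who touches this code.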