Bug#772755: unblock: graphviz/2.38.0-7
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi Release Team!
Please unblock package graphviz
The upload to unstable fixes a format string vulnerability in the
yyerror function, it is assigned CVE-2014-9157, #772648:
https://security-tracker.debian.org/tracker/CVE-2014-9157
The debian/changelog reads as:
>graphviz (2.38.0-7) unstable; urgency=high
>
> * QA upload.
> * Add CVE-2014-9157.patch.
> Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
> which may allow attackers to cause a denial of service or possibly
> execute code.
> Thanks to Marc Deslauriers <marc.deslauriers@ubuntu.com> (Closes: #772648)
>
> -- Salvatore Bonaccorso <carnil@debian.org> Wed, 10 Dec 2014 07:21:52 +0100
I'm attaching the full debdiff. Could you please unblock graphviz for
migration to jessie?
unblock graphviz/2.38.0-7
Regards,
Salvatore
diff -Nru graphviz-2.38.0/debian/changelog graphviz-2.38.0/debian/changelog
--- graphviz-2.38.0/debian/changelog 2014-09-01 23:43:19.000000000 +0200
+++ graphviz-2.38.0/debian/changelog 2014-12-10 16:25:41.000000000 +0100
@@ -1,3 +1,14 @@
+graphviz (2.38.0-7) unstable; urgency=high
+
+ * QA upload.
+ * Add CVE-2014-9157.patch.
+ Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+ which may allow attackers to cause a denial of service or possibly
+ execute code.
+ Thanks to Marc Deslauriers <marc.deslauriers@ubuntu.com> (Closes: #772648)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Wed, 10 Dec 2014 07:21:52 +0100
+
graphviz (2.38.0-6) unstable; urgency=medium
* QA upload.
diff -Nru graphviz-2.38.0/debian/patches/CVE-2014-9157.patch graphviz-2.38.0/debian/patches/CVE-2014-9157.patch
--- graphviz-2.38.0/debian/patches/CVE-2014-9157.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.38.0/debian/patches/CVE-2014-9157.patch 2014-12-10 16:25:41.000000000 +0100
@@ -0,0 +1,22 @@
+Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+Bug-Debian: https://bugs.debian.org/772648
+Forwarded: no
+Author: Emden R. Gansner
+Last-Update: 2014-12-10
+
+---
+ lib/cgraph/scan.l | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -225,7 +225,7 @@ void yyerror(char *str)
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
+- agerr(AGERR,agxbuse(&xb));
++ agerr(AGERR, "%s", agxbuse(&xb));
+ agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
diff -Nru graphviz-2.38.0/debian/patches/series graphviz-2.38.0/debian/patches/series
--- graphviz-2.38.0/debian/patches/series 2014-09-01 23:13:51.000000000 +0200
+++ graphviz-2.38.0/debian/patches/series 2014-12-10 16:25:41.000000000 +0100
@@ -11,3 +11,4 @@
reduce-lab-color.patch
add-libm-to-dot-link.patch
versioned-plugin-config-file.diff
+CVE-2014-9157.patch
Reply to: