Bug#772755: marked as done (unblock: graphviz/2.38.0-7)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#772755: marked as done (unblock: graphviz/2.38.0-7)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 10 Dec 2014 20:30:07 +0000
Message-id: <[🔎] handler.772755.D772755.141824324110250.ackdone@bugs.debian.org>
References: <1418243233.17238.6.camel@adam-barratt.org.uk> <[🔎] 20141210195234.32696.76501.reportbug@eldamar.local>

Your message dated Wed, 10 Dec 2014 20:27:13 +0000
with message-id <1418243233.17238.6.camel@adam-barratt.org.uk>
and subject line Re: Bug#772755: unblock: graphviz/2.38.0-7
has caused the Debian Bug report #772755,
regarding unblock: graphviz/2.38.0-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772755: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772755
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: graphviz/2.38.0-7
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 10 Dec 2014 20:52:34 +0100
Message-id: <[🔎] 20141210195234.32696.76501.reportbug@eldamar.local>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team!

Please unblock package graphviz

The upload to unstable fixes a format string vulnerability in the
yyerror function, it is assigned CVE-2014-9157, #772648:

https://security-tracker.debian.org/tracker/CVE-2014-9157

The debian/changelog reads as:

>graphviz (2.38.0-7) unstable; urgency=high
>
>  * QA upload.
>  * Add CVE-2014-9157.patch.
>    Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
>    which may allow attackers to cause a denial of service or possibly
>    execute code.
>    Thanks to Marc Deslauriers <marc.deslauriers@ubuntu.com> (Closes: #772648)
>
> -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 10 Dec 2014 07:21:52 +0100

I'm attaching the full debdiff. Could you please unblock graphviz for
migration to jessie?

unblock graphviz/2.38.0-7

Regards,
Salvatore

diff -Nru graphviz-2.38.0/debian/changelog graphviz-2.38.0/debian/changelog
--- graphviz-2.38.0/debian/changelog	2014-09-01 23:43:19.000000000 +0200
+++ graphviz-2.38.0/debian/changelog	2014-12-10 16:25:41.000000000 +0100
@@ -1,3 +1,14 @@
+graphviz (2.38.0-7) unstable; urgency=high
+
+  * QA upload.
+  * Add CVE-2014-9157.patch.
+    Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+    which may allow attackers to cause a denial of service or possibly
+    execute code.
+    Thanks to Marc Deslauriers <marc.deslauriers@ubuntu.com> (Closes: #772648)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 10 Dec 2014 07:21:52 +0100
+
 graphviz (2.38.0-6) unstable; urgency=medium
 
   * QA upload.
diff -Nru graphviz-2.38.0/debian/patches/CVE-2014-9157.patch graphviz-2.38.0/debian/patches/CVE-2014-9157.patch
--- graphviz-2.38.0/debian/patches/CVE-2014-9157.patch	1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.38.0/debian/patches/CVE-2014-9157.patch	2014-12-10 16:25:41.000000000 +0100
@@ -0,0 +1,22 @@
+Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+Bug-Debian: https://bugs.debian.org/772648
+Forwarded: no
+Author: Emden R. Gansner
+Last-Update: 2014-12-10
+
+---
+ lib/cgraph/scan.l |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -225,7 +225,7 @@ void yyerror(char *str)
+ 	agxbput (&xb, buf);
+ 	agxbput (&xb, yytext);
+ 	agxbput (&xb,"'\n");
+-	agerr(AGERR,agxbuse(&xb));
++	agerr(AGERR, "%s", agxbuse(&xb));
+ 	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
diff -Nru graphviz-2.38.0/debian/patches/series graphviz-2.38.0/debian/patches/series
--- graphviz-2.38.0/debian/patches/series	2014-09-01 23:13:51.000000000 +0200
+++ graphviz-2.38.0/debian/patches/series	2014-12-10 16:25:41.000000000 +0100
@@ -11,3 +11,4 @@
 reduce-lab-color.patch
 add-libm-to-dot-link.patch
 versioned-plugin-config-file.diff
+CVE-2014-9157.patch

--- End Message ---

--- Begin Message ---

To: Salvatore Bonaccorso <carnil@debian.org>, 772755-done@bugs.debian.org

Subject: Re: Bug#772755: unblock: graphviz/2.38.0-7

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Wed, 10 Dec 2014 20:27:13 +0000

Message-id: <1418243233.17238.6.camel@adam-barratt.org.uk>

In-reply-to: <[🔎] 20141210195234.32696.76501.reportbug@eldamar.local>

References: <[🔎] 20141210195234.32696.76501.reportbug@eldamar.local>
On Wed, 2014-12-10 at 20:52 +0100, Salvatore Bonaccorso wrote:
> Please unblock package graphviz
> 
> The upload to unstable fixes a format string vulnerability in the
> yyerror function, it is assigned CVE-2014-9157, #772648:

Unblocked, thanks.

Regards,

Adam
--- End Message ---

Reply to:

References:
- Bug#772755: unblock: graphviz/2.38.0-7
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#772758: [release.debian.org] unblock webkitkde (security fix)
Next by Date: Bug#772758: marked as done ([release.debian.org] unblock webkitkde (security fix))
Previous by thread: Bug#772755: unblock: graphviz/2.38.0-7
Next by thread: Bug#772756: unblock: pylint/1.3.1-2
Index(es):
- Date
- Thread