
Bug#988350: marked as done (Fwd: unblock: graphviz/2.42.2-5)



Your message dated Tue, 11 May 2021 08:25:10 +0000
with message-id <E1lgNhW-0003nq-Aw@respighi.debian.org>
and subject line unblock graphviz
has caused the Debian Bug report #988350,
regarding Fwd: unblock: graphviz/2.42.2-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988350
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Managers,

I would like to update graphviz due to a security fix, preventing a
heap overflow[1].

[ Reason ]
It's a security fix handling bad data correctly.

[ Impact ]
None on valid data, only fixing buffer length checking.

[ Tests ]
Just the Debian ones, passed.

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock graphviz/2.42.2-5

Thanks,
Laszlo/GCS
[1] https://gitlab.com/graphviz/graphviz/-/issues/1700
diff -Nru graphviz-2.42.2/debian/changelog graphviz-2.42.2/debian/changelog
--- graphviz-2.42.2/debian/changelog	2020-04-26 07:25:24.000000000 +0200
+++ graphviz-2.42.2/debian/changelog	2021-05-08 11:09:59.000000000 +0200
@@ -1,3 +1,10 @@
+graphviz (2.42.2-5) unstable; urgency=high
+
+  * Fix CVE-2020-18032: out of bounds write on invalid label
+    (closes: #988000).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 08 May 2021 11:09:59 +0200
+
 graphviz (2.42.2-4) unstable; urgency=medium
 
   * Build with Guile 3.0 (closes: #885198).
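Review bot: the new changelog entry identifies the fix only by CVE-2020-18032 and Debian bug #988000, while the patch itself carries the upstream reference (issue #1700, commit 784411ca); none of the three is cross-referenced from the other side. Consider naming the upstream commit or issue in the entry, e.g. "(upstream commit 784411ca, issue #1700; closes: #988000)", so the changelog alone points a reader at the upstream fix.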
diff -Nru graphviz-2.42.2/debian/patches/fix_out-of-bounds_write_on_invalid_label.patch graphviz-2.42.2/debian/patches/fix_out-of-bounds_write_on_invalid_label.patch
--- graphviz-2.42.2/debian/patches/fix_out-of-bounds_write_on_invalid_label.patch	1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.42.2/debian/patches/fix_out-of-bounds_write_on_invalid_label.patch	2021-05-08 11:09:33.000000000 +0200
@@ -0,0 +1,35 @@
+commit 784411ca3655c80da0f6025ab20634b2a6ff696b
+Author: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date:   Sat Jul 25 19:31:01 2020 -0700
+
+    fix: out-of-bounds write on invalid label
+    
+    When the label for a node cannot be parsed (due to it being malformed), it falls
+    back on the symbol name of the node itself. I.e. the default label the node
+    would have had if it had no label attribute at all. However, this is applied by
+    dynamically altering the node's label to "\N", a shortcut for the symbol name of
+    the node. All of this is fine, however if the hand written label itself is
+    shorter than the literal string "\N", not enough memory would have been
+    allocated to write "\N" into the label text.
+    
+    Here we account for the possibility of error during label parsing, and assume
+    that the label text may need to be overwritten with "\N" after the fact. Fixes
+    issue #1700.
+
+diff --git a/lib/common/shapes.c b/lib/common/shapes.c
+index 0a0635fc3..9dca9ba6e 100644
+--- a/lib/common/shapes.c
++++ b/lib/common/shapes.c
+@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
+     reclblp = ND_label(n)->text;
+     len = strlen(reclblp);
+     /* For some forgotten reason, an empty label is parsed into a space, so
+-     * we need at least two bytes in textbuf.
++     * we need at least two bytes in textbuf, as well as accounting for the
++     * error path involving "\\N" below.
+      */
+-    len = MAX(len, 1);
++    len = MAX(MAX(len, 1), (int)strlen("\\N"));
+     textbuf = N_NEW(len + 1, char);
+     if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
+ 	agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
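Review bot: the fix raises the allocation floor so `textbuf` is always at least `strlen("\\N") + 1` bytes, but the error path that actually writes "\N" is only referred to as "below" and is not in the hunk's context, so the reviewer cannot see from this diff that the write is bounded by the new `len + 1` rather than by the original (possibly 1-byte) label length; please confirm that path or extend the context. The guarantee also lives only at the allocation site: if the fallback string ever changes, nothing at the write site would catch it, so a bounded copy there (or a shared constant used for both the sizing and the copy) would make the invariant self-enforcing. Minor: `(int)strlen("\\N")` can be the compile-time `(int)(sizeof("\\N") - 1)`. Finally, the patch file carries only the upstream git header and no DEP-3 `Origin:`/`Bug:`/`Bug-Debian:` fields; adding them would make the provenance visible to `what-patch` and the tracker.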
diff -Nru graphviz-2.42.2/debian/patches/series graphviz-2.42.2/debian/patches/series
--- graphviz-2.42.2/debian/patches/series	2019-10-06 00:04:01.000000000 +0200
+++ graphviz-2.42.2/debian/patches/series	2021-05-08 11:09:50.000000000 +0200
@@ -8,3 +8,4 @@
 gvmap.sh_bashism.patch
 build_with_libann.patch
 update_documentation_link.patch
+fix_out-of-bounds_write_on_invalid_label.patch

--- End Message ---
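As an added illustration of the bug class described in the upstream commit message above, here is a small self-contained C program, not graphviz code, that models the allocation in `record_init()` under both the old and the fixed `len` computation. `parse_label_stub()` is a hypothetical stand-in for `parse_reclbl()` (it only checks that braces balance); the fallback write is bounds-checked so the unsafe case is reported instead of corrupting the heap.

```c
/* Added example: scratch buffer sized from an attacker-controlled label, later
 * overwritten with a fixed fallback string that may be longer than the label.
 * Not graphviz code; parse_label_stub() is a hypothetical stand-in. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))
#define FALLBACK_LABEL "\\N"   /* graphviz shortcut for "the node's own name" */

enum outcome { PARSED = 0, FELL_BACK = 1, WOULD_OVERFLOW = 2 };

/* Allocation size before the fix: room for the label, but at least two bytes. */
size_t textbuf_size_old(const char *label)
{
    size_t len = strlen(label);
    len = MAX(len, 1);
    return len + 1;
}

/* Allocation size after the fix: additionally reserve room for "\N" + NUL. */
size_t textbuf_size_new(const char *label)
{
    size_t len = strlen(label);
    len = MAX(MAX(len, 1), strlen(FALLBACK_LABEL));
    return len + 1;
}

/* Hypothetical stand-in for parse_reclbl(): a record label is "well formed"
 * when its braces balance. Returns 1 on success, 0 on a malformed label. */
static int parse_label_stub(const char *label)
{
    int depth = 0;
    for (const char *p = label; *p; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && --depth < 0)
            return 0;
    }
    return depth == 0;
}

/* Simulates record_init()'s parse-failure path under either sizing policy.
 * The fallback copy is checked against the capacity so a too-small buffer is
 * reported as WOULD_OVERFLOW rather than actually overflowed. */
enum outcome record_init_sim(const char *label, int fixed)
{
    size_t cap = fixed ? textbuf_size_new(label) : textbuf_size_old(label);
    char *textbuf = calloc(cap, 1);
    enum outcome rc;

    if (!textbuf)
        abort();
    if (parse_label_stub(label)) {
        memcpy(textbuf, label, strlen(label) + 1);   /* always fits: cap >= strlen + 1 */
        rc = PARSED;
    } else if (strlen(FALLBACK_LABEL) + 1 > cap) {
        rc = WOULD_OVERFLOW;   /* the pre-fix bug: "\N" plus NUL needs 3 bytes */
    } else {
        memcpy(textbuf, FALLBACK_LABEL, strlen(FALLBACK_LABEL) + 1);
        rc = FELL_BACK;
    }
    free(textbuf);
    return rc;
}

int main(void)
{
    /* Constructed sample labels: a one-byte malformed label is the trigger. */
    const char *labels[] = { "", "{", "}", "{a|b}", "abc" };
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++)
        printf("label \"%s\": old policy -> %d, fixed policy -> %d\n",
               labels[i], record_init_sim(labels[i], 0),
               record_init_sim(labels[i], 1));
    return 0;
}
```

Running it shows that a one-byte malformed label such as "{" gets a 2-byte buffer under the old policy, one byte short of "\N" plus its terminator, while every label at least two bytes long was already safe; the fix only changes the floor, not the sizing for longer labels.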
--- Begin Message ---
Unblocked.

--- End Message ---
