Bug 12239

Summary: graphviz new security issue CVE-2014-0978 and CVE-2014-123[56]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/580396/
Whiteboard: has_procedure advisory mga3-64-ok mga3-32-ok
Source RPM: graphviz-2.28.0-11.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-01-08 02:58:28 CET 
Fedora has fixed a security issue, an overflow with yyerror in graphviz:
http://pkgs.fedoraproject.org/cgit/graphviz.git/commit/?id=a2040cdc1fd14de76099ecee773585c8fc5abe75
https://bugzilla.redhat.com/show_bug.cgi?id=1049165

This issue has been assigned CVE-2014-0978:
http://openwall.com/lists/oss-security/2014/01/07/14

I have added the patch in Mageia 3 and Cauldron SVN and requested a freeze push.

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-08 02:58:41 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-01-08 22:39:12 CET 
There are a couple of additional issues that have been fixed upstream and assigned CVE.  I don't have a patch for those yet:
http://openwall.com/lists/oss-security/2014/01/08/13
Comment 2 David Walser 2014-01-09 16:26:15 CET 
graphviz-2.34.0-5.mga4 uploaded for Cauldron.

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 3 David Walser 2014-01-09 17:28:47 CET 
CVE-2014-0978 is fixed in Cauldron, but apparently that fix actually introduces the CVE-2014-1235 vulnerability (so that one doesn't affect Mageia 3).  CVE-2014-1236 still needs patched in both.

Version: 3 => Cauldron
Summary: graphviz new security issue CVE-2014-0978 => graphviz new security issue CVE-2014-0978 and CVE-2014-123[56]
Whiteboard: (none) => MGA3TOO

David Walser 2014-01-09 17:42:47 CET

Blocks: (none) => 11726

Comment 4 David Walser 2014-01-10 18:28:55 CET 
Updated patch for CVE-2014-0978 which closes CVE-2014-1235 and additional patch which fixes CVE-2014-1236 added to SVN for Mageia 3 and Cauldron.  Freeze push requested for Cauldron.
Comment 5 David Walser 2014-01-11 03:16:12 CET 
Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated graphviz packages fix security vulnerabilities:

Multiple buffer overflow vulnerabilities in graphviz due to an error within
the "yyerror()" function (lib/cgraph/scan.l) which can be exploited to cause
a stack-based buffer overflow via a specially crafted file (CVE-2014-0978)
and the acceptance of an arbitrarily long digit list by a regular expression
matched against user input (CVE-2014-1236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1236
https://bugzilla.redhat.com/show_bug.cgi?id=1049165
https://bugzilla.redhat.com/show_bug.cgi?id=1050872
========================

Updated packages in core/updates_testing:
========================
graphviz-2.28.0-11.1.mga3
graphviz-doc-2.28.0-11.1.mga3
libcdt5-2.28.0-11.1.mga3
libcgraph6-2.28.0-11.1.mga3
libgraph5-2.28.0-11.1.mga3
libgvc6-2.28.0-11.1.mga3
libgvpr2-2.28.0-11.1.mga3
libpathplan4-2.28.0-11.1.mga3
libxdot4-2.28.0-11.1.mga3
lua-graphviz-2.28.0-11.1.mga3
php-graphviz-2.28.0-11.1.mga3
python-graphviz-2.28.0-11.1.mga3
ruby-graphviz-2.28.0-11.1.mga3
perl-graphviz-2.28.0-11.1.mga3
tcl-graphviz-2.28.0-11.1.mga3
java-graphviz-2.28.0-11.1.mga3
ocaml-graphviz-2.28.0-11.1.mga3
libgraphviz-devel-2.28.0-11.1.mga3

from graphviz-2.28.0-11.1.mga3.src.rpm

Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 6 David Walser 2014-01-14 20:28:03 CET 
Debian has issued an advisory for this on January 13:
http://www.debian.org/security/2014/dsa-2843

URL: (none) => http://lwn.net/Vulnerabilities/580396/

Comment 7 claire robinson 2014-01-21 18:05:33 CET 
Should be able to test this with vimdot and some sample dot code from graphviz website.
Comment 8 claire robinson 2014-01-22 12:29:16 CET 
No PoC's

Procedure:

vimdot run from the terminal will open vim in the terminal and an X window to display the graphic. When the dot code is updated in vim and saved (:w) it updates the graphic. The graphic can be scaled and dragged with the mouse scroll wheel.

Test using various gv files from the graphviz gallery
http://www.graphviz.org/Gallery.php

Follow link to image, click on image, copy code, in vim press escape and use 'dd' to delete lines and remove the sample code, press i to enter insert mode, paste in the copied code, press escape then :w to save it. The graphic should update to match the image in the gallery. Use escape :q to quit vim.

I had to remove noname.gv which is the default file it creates between tests, or use an alternative filename.


Testing complete mga3 64

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 9 claire robinson 2014-01-22 13:42:29 CET 
Testing complete mga3 32

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 10 claire robinson 2014-01-22 17:38:45 CET 
Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 11 Thomas Backlund 2014-01-24 22:11:17 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0027.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED