Bug 14756

Summary: graphviz new security issue CVE-2014-9157
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/625048/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: graphviz-2.34.0-6.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-09 01:49:35 CET 
Fedora has issued an advisory on November 27:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145217.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated graphviz packages fix security vulnerability:

Format string vulnerability in the yyerror function in lib/cgraph/scan.l in
Graphviz allows remote attackers to have unspecified impact via format string
specifiers in unknown vector, which are not properly handled in an error
string (CVE-2014-9157).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145217.html
========================

Updated packages in core/updates_testing:
========================
graphviz-2.34.0-6.1.mga4
graphviz-doc-2.34.0-6.1.mga4
libcdt5-2.34.0-6.1.mga4
libcgraph6-2.34.0-6.1.mga4
libgvc6-2.34.0-6.1.mga4
libgvpr2-2.34.0-6.1.mga4
libpathplan4-2.34.0-6.1.mga4
libxdot4-2.34.0-6.1.mga4
lua-graphviz-2.34.0-6.1.mga4
php-graphviz-2.34.0-6.1.mga4
python-graphviz-2.34.0-6.1.mga4
ruby-graphviz-2.34.0-6.1.mga4
perl-graphviz-2.34.0-6.1.mga4
tcl-graphviz-2.34.0-6.1.mga4
java-graphviz-2.34.0-6.1.mga4
ocaml-graphviz-2.34.0-6.1.mga4
libgraphviz-devel-2.34.0-6.1.mga4

from graphviz-2.34.0-6.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-09 02:30:06 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12239#c8

Whiteboard: (none) => has_procedure

Comment 2 Shlomi Fish 2014-12-09 16:57:03 CET 
Works fine on a Mageia 4 x86-64 VBox VM.

CC: (none) => shlomif
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 3 Shlomi Fish 2014-12-09 17:04:55 CET 
testing procedure works fine on MGA4-32-OK. Ship it.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 4 claire robinson 2014-12-09 17:13:36 CET 
Thanks Shlomi.

Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2014-12-09 21:13:46 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0520.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED