Fedora has fixed a security issue, an overflow with yyerror in graphviz:
http://pkgs.fedoraproject.org/cgit/graphviz.git/commit/?id=a2040cdc1fd14de76099ecee773585c8fc5abe75
https://bugzilla.redhat.com/show_bug.cgi?id=1049165

This issue has been assigned CVE-2014-0978:
http://openwall.com/lists/oss-security/2014/01/07/14

I have added the patch in Mageia 3 and Cauldron SVN and requested a freeze push.
Whiteboard: (none) => MGA3TOO
There are a couple of additional issues that have been fixed upstream and assigned CVEs. I don't have a patch for those yet:
http://openwall.com/lists/oss-security/2014/01/08/13
graphviz-2.34.0-5.mga4 uploaded for Cauldron.
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
CVE-2014-0978 is fixed in Cauldron, but apparently that fix actually introduces the CVE-2014-1235 vulnerability (so that one doesn't affect Mageia 3). CVE-2014-1236 still needs to be patched in both.
Version: 3 => Cauldron
Summary: graphviz new security issue CVE-2014-0978 => graphviz new security issue CVE-2014-0978 and CVE-2014-123[56]
Whiteboard: (none) => MGA3TOO
Blocks: (none) => 11726
Updated patch for CVE-2014-0978 which closes CVE-2014-1235 and additional patch which fixes CVE-2014-1236 added to SVN for Mageia 3 and Cauldron. Freeze push requested for Cauldron.
Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated graphviz packages fix security vulnerabilities:

Multiple buffer overflow vulnerabilities in graphviz due to an error within the "yyerror()" function (lib/cgraph/scan.l) which can be exploited to cause a stack-based buffer overflow via a specially crafted file (CVE-2014-0978) and the acceptance of an arbitrarily long digit list by a regular expression matched against user input (CVE-2014-1236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1236
https://bugzilla.redhat.com/show_bug.cgi?id=1049165
https://bugzilla.redhat.com/show_bug.cgi?id=1050872
========================

Updated packages in core/updates_testing:
========================
graphviz-2.28.0-11.1.mga3
graphviz-doc-2.28.0-11.1.mga3
libcdt5-2.28.0-11.1.mga3
libcgraph6-2.28.0-11.1.mga3
libgraph5-2.28.0-11.1.mga3
libgvc6-2.28.0-11.1.mga3
libgvpr2-2.28.0-11.1.mga3
libpathplan4-2.28.0-11.1.mga3
libxdot4-2.28.0-11.1.mga3
lua-graphviz-2.28.0-11.1.mga3
php-graphviz-2.28.0-11.1.mga3
python-graphviz-2.28.0-11.1.mga3
ruby-graphviz-2.28.0-11.1.mga3
perl-graphviz-2.28.0-11.1.mga3
tcl-graphviz-2.28.0-11.1.mga3
java-graphviz-2.28.0-11.1.mga3
ocaml-graphviz-2.28.0-11.1.mga3
libgraphviz-devel-2.28.0-11.1.mga3

from graphviz-2.28.0-11.1.mga3.src.rpm
Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO => (none)
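The advisory above names two defect classes: unbounded formatting of token text into a fixed stack buffer inside a parser error handler (CVE-2014-0978), and a lexer rule that accepts an arbitrarily long run of digits (CVE-2014-1236). The C program below is an added illustration of the defensive side of both classes; it is not graphviz's scan.l, not the Fedora or Mageia patch, and every function name, buffer size and sample input in it is constructed for the demonstration. It shows an error-message formatter that truncates instead of overflowing (and checks a guard byte after the buffer to prove it), and a digit-run scanner that rejects runs longer than a fixed limit so the caller can refuse the token rather than copy it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative defensive code, not graphviz's scan.l. All names and
 * sizes here are constructed for the demonstration. */

/* The vulnerable pattern (shown only in this comment, not compiled):
 * a fixed stack buffer filled with sprintf()/strcat() of the offending
 * token, e.g.
 *     char errbuf[128];
 *     sprintf(errbuf, "syntax error near '%s'", yytext);
 * A token longer than the buffer overruns the stack. */

/* Hardened variant: snprintf() bounds the write, the result is always
 * NUL-terminated, and a truncated message is marked with "..." so the
 * reader of the log knows the token was cut. Returns the number of
 * characters stored, excluding the NUL. */
size_t format_syntax_error(char *out, size_t out_len, int line, const char *token)
{
    if (out == NULL || out_len == 0)
        return 0;
    int n = snprintf(out, out_len, "syntax error in line %d near '%s'", line, token);
    if (n < 0) {
        out[0] = '\0';
        return 0;
    }
    if ((size_t)n < out_len)
        return (size_t)n;            /* fitted without truncation */
    /* Truncated: overwrite the tail with a marker, keep the NUL. */
    const char *mark = "...";
    size_t mark_len = strlen(mark);
    if (out_len > mark_len + 1)
        memcpy(out + out_len - 1 - mark_len, mark, mark_len);
    out[out_len - 1] = '\0';
    return out_len - 1;
}

/* Lexer-side check for the CVE-2014-1236 class: count a leading run of
 * digits but refuse runs longer than max_digits, returning -1 so the
 * caller can reject the token instead of copying it into a fixed
 * buffer. */
int bounded_digit_run(const char *s, size_t max_digits)
{
    size_t n = 0;
    while (isdigit((unsigned char)s[n])) {
        n++;
        if (n > max_digits)
            return -1;
    }
    return (int)n;
}

/* Constructed check: a short token fits and the message is exact. */
int demo_short_token_fits(void)
{
    char buf[128];
    size_t len = format_syntax_error(buf, sizeof buf, 3, "foo");
    return len == strlen(buf) &&
           strcmp(buf, "syntax error in line 3 near 'foo'") == 0;
}

/* Constructed check: a 500-byte token formatted into a 64-byte buffer
 * is truncated, NUL-terminated, marked, and the guard byte placed right
 * after the buffer is untouched. */
int demo_long_token_truncated(void)
{
    char token[501];
    memset(token, 'A', 500);
    token[500] = '\0';

    struct { char buf[64]; char guard; } area;
    area.guard = 0x5a;
    size_t len = format_syntax_error(area.buf, sizeof area.buf, 1, token);

    return len == 63 &&
           strlen(area.buf) == 63 &&
           strcmp(area.buf + 60, "...") == 0 &&
           area.guard == 0x5a;
}

int main(void)
{
    printf("short token fits: %s\n", demo_short_token_fits() ? "yes" : "no");
    printf("long token truncated safely: %s\n",
           demo_long_token_truncated() ? "yes" : "no");
    printf("digit run '12345abc' -> %d\n", bounded_digit_run("12345abc", 32));
    printf("digit run of 40 digits (limit 32) -> %d\n",
           bounded_digit_run("1234567890123456789012345678901234567890", 32));
    return 0;
}
```

The guard byte in demo_long_token_truncated is the practical check to carry into a regression test for this kind of fix: feed the error path a token far longer than the message buffer and assert that the byte after the buffer is unchanged, rather than only asserting that the message looks right.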
Debian has issued an advisory for this on January 13: http://www.debian.org/security/2014/dsa-2843
URL: (none) => http://lwn.net/Vulnerabilities/580396/
Should be able to test this with vimdot and some sample dot code from the graphviz website.
No PoCs.

Procedure:
vimdot run from the terminal will open vim in the terminal and an X window to display the graphic. When the dot code is updated in vim and saved (:w) it updates the graphic. The graphic can be scaled and dragged with the mouse scroll wheel.

Test using various gv files from the graphviz gallery http://www.graphviz.org/Gallery.php
Follow link to image, click on image, copy code, in vim press escape and use 'dd' to delete lines and remove the sample code, press i to enter insert mode, paste in the copied code, press escape then :w to save it. The graphic should update to match the image in the gallery. Use escape :q to quit vim.

I had to remove noname.gv, which is the default file it creates, between tests, or use an alternative filename.

Testing complete mga3 64
Whiteboard: (none) => has_procedure mga3-64-ok
Testing complete mga3 32
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
Advisory uploaded. Validating. Could sysadmin please push from 3 core/updates_testing to updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0027.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED