Bug 12239 - graphviz new security issue CVE-2014-0978 and CVE-2014-123[56]
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/580396/
Whiteboard: has_procedure advisory mga3-64-ok mga...
Keywords: validated_update
Reported: 2014-01-08 02:58 CET by David Walser
Modified: 2014-01-24 22:11 CET (History)

Source RPM: graphviz-2.28.0-11.mga3.src.rpm
Description David Walser 2014-01-08 02:58:28 CET
Fedora has fixed a security issue, an overflow with yyerror in graphviz:
http://pkgs.fedoraproject.org/cgit/graphviz.git/commit/?id=a2040cdc1fd14de76099ecee773585c8fc5abe75
https://bugzilla.redhat.com/show_bug.cgi?id=1049165

This issue has been assigned CVE-2014-0978:
http://openwall.com/lists/oss-security/2014/01/07/14

I have added the patch in Mageia 3 and Cauldron SVN and requested a freeze push.

Comment 1 David Walser 2014-01-08 22:39:12 CET
There are a couple of additional issues that have been fixed upstream and assigned CVEs.  I don't have a patch for those yet:
http://openwall.com/lists/oss-security/2014/01/08/13
Comment 2 David Walser 2014-01-09 16:26:15 CET
graphviz-2.34.0-5.mga4 uploaded for Cauldron.
Comment 3 David Walser 2014-01-09 17:28:47 CET
CVE-2014-0978 is fixed in Cauldron, but apparently that fix actually introduces the CVE-2014-1235 vulnerability (so that one doesn't affect Mageia 3).  CVE-2014-1236 still needs to be patched in both.
Comment 4 David Walser 2014-01-10 18:28:55 CET
Updated patch for CVE-2014-0978 which closes CVE-2014-1235 and additional patch which fixes CVE-2014-1236 added to SVN for Mageia 3 and Cauldron.  Freeze push requested for Cauldron.
Comment 5 David Walser 2014-01-11 03:16:12 CET
Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated graphviz packages fix security vulnerabilities:

Multiple buffer overflow vulnerabilities in graphviz due to an error within
the "yyerror()" function (lib/cgraph/scan.l) which can be exploited to cause
a stack-based buffer overflow via a specially crafted file (CVE-2014-0978)
and the acceptance of an arbitrarily long digit list by a regular expression
matched against user input (CVE-2014-1236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1236
https://bugzilla.redhat.com/show_bug.cgi?id=1049165
https://bugzilla.redhat.com/show_bug.cgi?id=1050872
========================

Updated packages in core/updates_testing:
========================
graphviz-2.28.0-11.1.mga3
graphviz-doc-2.28.0-11.1.mga3
libcdt5-2.28.0-11.1.mga3
libcgraph6-2.28.0-11.1.mga3
libgraph5-2.28.0-11.1.mga3
libgvc6-2.28.0-11.1.mga3
libgvpr2-2.28.0-11.1.mga3
libpathplan4-2.28.0-11.1.mga3
libxdot4-2.28.0-11.1.mga3
lua-graphviz-2.28.0-11.1.mga3
php-graphviz-2.28.0-11.1.mga3
python-graphviz-2.28.0-11.1.mga3
ruby-graphviz-2.28.0-11.1.mga3
perl-graphviz-2.28.0-11.1.mga3
tcl-graphviz-2.28.0-11.1.mga3
java-graphviz-2.28.0-11.1.mga3
ocaml-graphviz-2.28.0-11.1.mga3
libgraphviz-devel-2.28.0-11.1.mga3

from graphviz-2.28.0-11.1.mga3.src.rpm
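The advisory above describes two variants of the same bug class: an error reporter (yyerror) that formats the offending token into a fixed-size stack buffer with no bound, and a lexer rule that accepts a digit run of any length and copies it into a fixed buffer. The following is an added illustration of that pattern and its bounded counterpart; it is not graphviz's own code from scan.l, and the buffer sizes (MSGBUF, MAXNUM), function names and the sample tokens are assumptions constructed for the example. It measures what an unbounded sprintf would need rather than performing the overflowing write, so it runs safely.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MSGBUF 64   /* assumed size of a fixed error-message buffer */
#define MAXNUM 32   /* assumed cap on digits accepted for one numeral */

static const char *FMT = "syntax error in line %d near '%s'";

/* Returns 1 if formatting this token into a MSGBUF-byte buffer with an
 * unbounded sprintf() would overflow it. snprintf(NULL, 0, ...) only
 * measures the output length; nothing is written anywhere. */
int would_overflow(int line, const char *yytext)
{
    int needed = snprintf(NULL, 0, FMT, line, yytext);
    return needed < 0 || needed >= MSGBUF;
}

/* Hardened formatter: the write is bounded by the buffer size and the
 * result is always NUL-terminated. Returns 1 if the message was truncated,
 * so the caller can note that the token was cut rather than trust it. */
int format_error_bounded(char out[MSGBUF], int line, const char *yytext)
{
    int n = snprintf(out, MSGBUF, FMT, line, yytext);
    return n < 0 || n >= MSGBUF;
}

/* Length-capped digit scanner standing in for a lexer rule such as [0-9]+
 * whose match is copied into a fixed buffer. Copies at most MAXNUM-1 digits
 * and returns the count consumed, or -1 (with an empty output) when the run
 * exceeds the cap instead of writing past the end of the buffer. */
int scan_number(const char *in, char out[MAXNUM])
{
    size_t i = 0;
    while (in[i] >= '0' && in[i] <= '9') {
        if (i >= MAXNUM - 1) {
            out[0] = '\0';
            return -1;
        }
        out[i] = in[i];
        i++;
    }
    out[i] = '\0';
    return (int)i;
}

int main(void)
{
    char msg[MSGBUF];
    char num[MAXNUM];
    char longtok[200];               /* constructed overlong token */
    char digits[100];                /* constructed overlong numeral */

    memset(longtok, 'A', sizeof longtok - 1);
    longtok[sizeof longtok - 1] = '\0';
    memset(digits, '9', sizeof digits - 1);
    digits[sizeof digits - 1] = '\0';

    printf("short token would overflow: %d\n", would_overflow(3, "foo"));
    printf("long token would overflow:  %d\n", would_overflow(3, longtok));

    int truncated = format_error_bounded(msg, 3, longtok);
    printf("bounded message (truncated=%d, len=%zu): %s\n",
           truncated, strlen(msg), msg);

    printf("scan \"12345;\" -> %d digits (%s)\n", scan_number("12345;", num), num);
    printf("scan 99-digit run -> %d\n", scan_number(digits, num));
    return 0;
}
```

The check a reviewer wants from the fix is visible in the two return values: the bounded formatter can never write more than MSGBUF bytes whatever the token length, and the scanner refuses, rather than silently overruns, when the input exceeds the cap.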
Comment 6 David Walser 2014-01-14 20:28:03 CET
Debian has issued an advisory for this on January 13:
http://www.debian.org/security/2014/dsa-2843
Comment 7 claire robinson 2014-01-21 18:05:33 CET
Should be able to test this with vimdot and some sample dot code from graphviz website.
Comment 8 claire robinson 2014-01-22 12:29:16 CET
No PoCs.

Procedure:

vimdot run from the terminal will open vim in the terminal and an X window to display the graphic. When the dot code is updated in vim and saved (:w) it updates the graphic. The graphic can be scaled and dragged with the mouse scroll wheel.

Test using various gv files from the graphviz gallery
http://www.graphviz.org/Gallery.php

Follow link to image, click on image, copy code, in vim press escape and use 'dd' to delete lines and remove the sample code, press i to enter insert mode, paste in the copied code, press escape then :w to save it. The graphic should update to match the image in the gallery. Use escape :q to quit vim.

I had to remove noname.gv which is the default file it creates between tests, or use an alternative filename.


Testing complete mga3 64
Comment 9 claire robinson 2014-01-22 13:42:29 CET
Testing complete mga3 32
Comment 10 claire robinson 2014-01-22 17:38:45 CET
Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks
Comment 11 Thomas Backlund 2014-01-24 22:11:17 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0027.html
