Bug 14756 - graphviz new security issue CVE-2014-9157
Summary: graphviz new security issue CVE-2014-9157
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/625048/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-09 01:49 CET by David Walser
Modified: 2014-12-09 21:13 CET (History)
2 users (show)

See Also:
Source RPM: graphviz-2.34.0-6.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-12-09 01:49:35 CET
Fedora has issued an advisory on November 27:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145217.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated graphviz packages fix security vulnerability:

Format string vulnerability in the yyerror function in lib/cgraph/scan.l in
Graphviz allows remote attackers to have unspecified impact via format string
specifiers in unknown vector, which are not properly handled in an error
string (CVE-2014-9157).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145217.html
========================

Updated packages in core/updates_testing:
========================
graphviz-2.34.0-6.1.mga4
graphviz-doc-2.34.0-6.1.mga4
libcdt5-2.34.0-6.1.mga4
libcgraph6-2.34.0-6.1.mga4
libgvc6-2.34.0-6.1.mga4
libgvpr2-2.34.0-6.1.mga4
libpathplan4-2.34.0-6.1.mga4
libxdot4-2.34.0-6.1.mga4
lua-graphviz-2.34.0-6.1.mga4
php-graphviz-2.34.0-6.1.mga4
python-graphviz-2.34.0-6.1.mga4
ruby-graphviz-2.34.0-6.1.mga4
perl-graphviz-2.34.0-6.1.mga4
tcl-graphviz-2.34.0-6.1.mga4
java-graphviz-2.34.0-6.1.mga4
ocaml-graphviz-2.34.0-6.1.mga4
libgraphviz-devel-2.34.0-6.1.mga4

from graphviz-2.34.0-6.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-09 02:30:06 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12239#c8

Whiteboard: (none) => has_procedure

Comment 2 Shlomi Fish 2014-12-09 16:57:03 CET
Works fine on a Mageia 4 x86-64 VBox VM.

CC: (none) => shlomif
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 3 Shlomi Fish 2014-12-09 17:04:55 CET
testing procedure works fine on MGA4-32-OK. Ship it.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 4 claire robinson 2014-12-09 17:13:36 CET
Thanks Shlomi.

Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2014-12-09 21:13:46 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0520.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.