Bug 23133 - graphviz new security issue CVE-2018-10196
Summary: graphviz new security issue CVE-2018-10196
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-07 22:04 CEST by David Walser
Modified: 2018-07-11 23:08 CEST (History)
CC: 8 users

See Also:
Source RPM: graphviz-2.40.1-8.mga7.src.rpm
CVE: CVE-2018-10196
Status comment: Patch available from Fedora
Attachments
Specimen graphviz graphical description language file (442 bytes, text/vnd.graphviz)
2018-07-09 10:21 CEST, Len Lawrence

Description David Walser 2018-06-07 22:04:16 CEST
Fedora has issued an advisory on May 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TWUEEJPMS5LAROYJYY6FREOTI6VPN3M4/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-07 22:04:27 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-06-08 21:19:28 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => geiger.david68210, marja11

Marja Van Waes 2018-06-08 21:22:00 CEST

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2018-06-19 14:57:21 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file. (CVE-2018-10196)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10196
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TWUEEJPMS5LAROYJYY6FREOTI6VPN3M4/
========================

Updated package in 5/core/updates_testing:
========================
graphviz-2.38.0-10.1.mga5
graphviz-doc-2.38.0-10.1.mga5
lib(64)cdt5-2.38.0-10.1.mga5
lib(64)cgraph6-2.38.0-10.1.mga5
lib(64)gvc6-2.38.0-10.1.mga5
lib(64)gvpr2-2.38.0-10.1.mga5
lib(64)pathplan4-2.38.0-10.1.mga5
lib(64)xdot4-2.38.0-10.1.mga5
lua-graphviz-2.38.0-10.1.mga5
php-graphviz-2.38.0-10.1.mga5
python-graphviz-2.38.0-10.1.mga5
ruby-graphviz-2.38.0-10.1.mga5
perl-graphviz-2.38.0-10.1.mga5
tcl-graphviz-2.38.0-10.1.mga5
java-graphviz-2.38.0-10.1.mga5
ocaml-graphviz-2.38.0-10.1.mga5
lib(64)graphviz-devel-2.38.0-10.1.mga5

from SRPMS:
graphviz-2.38.0-10.1.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
graphviz-2.38.0-20.1.mga6
graphviz-doc-2.38.0-20.1.mga6
lib(64)cdt5-2.38.0-20.1.mga6
lib(64)cgraph6-2.38.0-20.1.mga6
lib(64)gvc6-2.38.0-20.1.mga6
lib(64)gvpr2-2.38.0-20.1.mga6
lib(64)pathplan4-2.38.0-20.1.mga6
lib(64)xdot4-2.38.0-20.1.mga6
lua-graphviz-2.38.0-20.1.mga6
php-graphviz-2.38.0-20.1.mga6
python-graphviz-2.38.0-20.1.mga6
ruby-graphviz-2.38.0-20.1.mga6
perl-graphviz-2.38.0-20.1.mga6
tcl-graphviz-2.38.0-20.1.mga6
java-graphviz-2.38.0-20.1.mga6
ocaml-graphviz-2.38.0-20.1.mga6
lib(64)graphviz-devel-2.38.0-20.1.mga6

from SRPMS:
graphviz-2.38.0-20.1.mga6.src.rpm

Version: Cauldron => 6
CC: (none) => nicolas.salguero
Whiteboard: MGA6TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2018-10196
Status: NEW => ASSIGNED

Comment 3 Herman Viaene 2018-06-22 10:50:18 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Trying to test following bug 12239, but I don't get it. The webpage just shows png files.
Launching vimdot as such, shows the noname.gv text in vi, but no graphics. Beats me.

CC: (none) => herman.viaene

Comment 4 Dave Hodgins 2018-07-01 04:42:47 CEST
Procedure is available
https://bugs.mageia.org/show_bug.cgi?id=12239#c8

Keywords: (none) => has_procedure
CC: (none) => davidwhodgins

Comment 5 Dave Hodgins 2018-07-01 05:38:53 CEST
Forgotten how much I dislike vim. :-)

Testing complete on Mageia 6 x86_64. Advisory committed to svn.

Keywords: (none) => advisory
Whiteboard: MGA5TOO => MGA5TOO MGA6_64_OK

Brian Rockwell 2018-07-05 05:00:57 CEST

CC: (none) => brtians1
Whiteboard: MGA5TOO MGA6_64_OK => MGA5TOO MGA6-64-OK

Comment 6 Len Lawrence 2018-07-09 03:44:36 CEST
Mageia 5, x86_64

@Herman, re comment 3.  Beats me too.

vimdot is just vi with the noname.gv.  There is certainly no accompanying graphics window.  If you want to see the graph you have to run display.
Quoting comment 8 from bug 12239
"vimdot run from the terminal will open vim in the terminal and an X window to display the graphic."
> IT DOES NOT OPEN AN X WINDOW <
I pasted the code for one of the graphviz example images into vimdot and saved it.  Nothing else happened so this so-called test does nothing.  Running
$ dot noname.gv
simply brings up vi again with some code expansion (i.e. to svg code).  It looks like dot is an interpreter for the dot graphics language and it is interesting that display can also interpret this language - it displays a perfect SVG image from the dot source.

There is extensive documentation on dot and the graphviz programs at https://graphviz.gitlab.io/documentation/

neato is a very powerful utility by the looks of it but deals in abstractions which makes it difficult to describe.

lefty is a graphics editor which presents a graphical view together with a command window and a code view.  Could not figure out how to use it though but it looked like one starts with loading a ".lefty" text file.  It deals with technical drawings for networks, fractals, binary search trees...

dotty uses dot and lefty for editing complex drawings using "lefty" functions.

Downloaded the four example C programs but the make failed.
Tried individual compilation, trying to guess what is required and that worked but demo did not.
$ gcc -o demo -lgvc -lcgraph -lgvpr -lcdt -lxdot  -I/usr/include/graphviz -Wall -g -O2 demo.c
demo.c: In function ‘main’:
demo.c:27:15: warning: variable ‘e’ set but not used [-Wunused-but-set-variable]
     Agedge_t *e;
               ^
$ ./demo
There is no layout engine support for "demo"
Use one of: circo dot fdp neato nop nop1 nop2 osage patchwork sfdp twopi
Error: Layout was not done.  Missing layout plugins? 

Installing the updates tomorrow.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2018-07-09 09:12:30 CEST
A bit more background:

Further examination of the files generated by dot indicates that they are not in fact SVG images.  In emacs the code does not display without using Ctrl-C Ctrl-C and then it is highlighted in red with the message (nXML Invalid Image[svg]).
file classes these as ASCII text.  You can in fact convert this text to SVG code using ImageMagick though in fact it looks like an encapsulated PNG file in an SVG wrapper.  The output files can be displayed in emacs as either text or graphics and have headers of this form:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" 
[...]
xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="359px" height="335px" viewBox="0 0 359 335" enable-background="new 0 0 359 335" xml:space="preserve">  <image id="image0" width="359" height="335" x="0" y="0"

followed by a base64 encoded PNG image.

Comment 8 Len Lawrence 2018-07-09 10:12:01 CEST
Clean update of the 16 packages.

Tried compiling  another of the example C programs.

$ gcc -o dot.o -lgvc -lcgraph -lgvpr -lcdt -lxdot -I/usr/include/graphviz -Wall -g -O2 dot.c
$ ./dot.o
There is no layout engine support for "dot.o"
Use one of: circo dot fdp neato nop nop1 nop2 osage patchwork sfdp twopi

Pass on that - it requires deeper knowledge of the application framework.

$ dot example.gv > test2
$ file test2
test2: ASCII text
$ display test2
Shows the HelloWorld graphic.
$ display example.gv
Shows exactly the same original graphic.
$ dotty test2
dotty.lefty: unknown color  using #1

This should display the HelloWorld graphic.  It shows everything except the HelloWorld text string - it looks like it uses the background colour which makes the text invisible.  Also, it colours most of the arrows red whereas they are rendered in black using display.

Copied the code for crazy.gv from the site hosting example images.
display showed an object oriented graph of coloured polygons joined by arrows and each labelled with black text - all colors are standard X11 RGB.
$ dotty crazy.gv
This shows the graphic in a scrollable window (horizontal and vertical) but omits all the text including the legend at the bottom.

$ neato crazy.gv
digraph unix {
	graph [bb="-481.68,-598.9,359.82,348.99",
		fontname="Helvetica-Oblique",
		fontsize=36,
		label="\n\n\n\nObject Oriented Graphs\nStephen North, 3/19/93",
		lheight=3.50,
		lp="-60.928,-468.9",
		lwidth=5.29,
		size="6,6"
	];
[...]
	"System V.2" -> "System V.3"	 [pos="e,-384.22,-60.803 -383.81,-60.858 -383.88,-60.849 -383.95,-60.84 -384.02,-60.831"];
}

This looks exactly the same as the output from the dot interpreter.  In fact, running any of the utilities runs the dot interpreter, circo, fdp, osage, twopi...

Conclusion: the packages might be buggy, based on the failure to show text properly in some cases, but the subject is far too complex for a simple QA session to expose regressions other than the vimdot failure to show graphics.

Leaving this up in the air for mga5 64-bits.

Comment 9 Len Lawrence 2018-07-09 10:21:39 CEST
Created attachment 10274
Specimen graphviz graphical description language file

Use dotty or emacs or ImageMagick to display the image.

Comment 10 Len Lawrence 2018-07-09 11:20:09 CEST
Further to comment 8.  It turned out that the generic xterm used by vimdot was not installed.  Installed xterm and tried again.
$ vimdot crazy.gv

A blank terminal called dot appeared along with a graphviz window displaying the graphic.  vi actually opened in the mate-terminal from which the command was run, not in the xterm.  Changed the text "North" to "South" and saved the file and confirmed that the legend in the graphic changed accordingly.

So this test does work.

Going to OK this.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 11 Len Lawrence 2018-07-11 08:20:45 CEST
Validating this.  Thanks Dave.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2018-07-11 23:08:55 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0307.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
