Debian has issued an advisory on May 12: https://www.debian.org/security/2021/dsa-4914 The issue is fixed upstream in 4.6.0. Mageia 7 is also affected.
CC: (none) => nicolas.salguero
Status comment: (none) => Patches available from upstream and Debian
Whiteboard: (none) => MGA7TOO
No registered or regular maintainer, assigning to everybody.
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this on May 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D5PQPHJHPU46FK3R5XBP3XDT4X37HMPC/
openSUSE has issued an advisory for this on May 22: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PTXOIYNDR72EDFNCBXMS56IU6ZLZOJMB/
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035
and earlier allows remote attackers to execute arbitrary code or cause a denial
of service (application crash) by loading a crafted file into the
"lib/common/shapes.c" component. (CVE-2020-18032)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-18032
https://www.debian.org/security/2021/dsa-4914
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D5PQPHJHPU46FK3R5XBP3XDT4X37HMPC/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PTXOIYNDR72EDFNCBXMS56IU6ZLZOJMB/
========================

Updated packages in 7/core/updates_testing:
========================
graphviz-2.40.1-17.2.mga7
graphviz-doc-2.40.1-17.2.mga7
lib(64)cdt5-2.40.1-17.2.mga7
lib(64)cgraph6-2.40.1-17.2.mga7
lib(64)lab_gamut1-2.40.1-17.2.mga7
lib(64)gvc6-2.40.1-17.2.mga7
lib(64)gvpr2-2.40.1-17.2.mga7
lib(64)pathplan4-2.40.1-17.2.mga7
lib(64)xdot4-2.40.1-17.2.mga7
lua-graphviz-2.40.1-17.2.mga7
php-graphviz-2.40.1-17.2.mga7
python2-graphviz-2.40.1-17.2.mga7
ruby-graphviz-2.40.1-17.2.mga7
perl-graphviz-2.40.1-17.2.mga7
tcl-graphviz-2.40.1-17.2.mga7
java-graphviz-2.40.1-17.2.mga7
ocaml-graphviz-2.40.1-17.2.mga7
lib(64)graphviz-devel-2.40.1-17.2.mga7

from SRPM:
graphviz-2.40.1-17.2.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
graphviz-2.44.1-2.1.mga8
graphviz-doc-2.44.1-2.1.mga8
lib(64)cdt5-2.44.1-2.1.mga8
lib(64)cgraph6-2.44.1-2.1.mga8
lib(64)lab_gamut1-2.44.1-2.1.mga8
lib(64)gvc6-2.44.1-2.1.mga8
lib(64)gvpr2-2.44.1-2.1.mga8
lib(64)pathplan4-2.44.1-2.1.mga8
lib(64)xdot4-2.44.1-2.1.mga8
lua-graphviz-2.44.1-2.1.mga8
python3-graphviz-2.44.1-2.1.mga8
ruby-graphviz-2.44.1-2.1.mga8
perl-graphviz-2.44.1-2.1.mga8
tcl-graphviz-2.44.1-2.1.mga8
java-graphviz-2.44.1-2.1.mga8
ocaml-graphviz-2.44.1-2.1.mga8
golang-graphviz-2.44.1-2.1.mga8
lib(64)graphviz-devel-2.44.1-2.1.mga8

from SRPM:
graphviz-2.44.1-2.1.mga8.src.rpm
Status comment: Patches available from upstream and Debian => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2020-18032
mga8, x64

CVE-2020-18032
https://gitlab.com/graphviz/graphviz/-/issues/1700

$ cat test.dot
digraph structs {
struct [shape=record,label="<"];
}
$ dot -Tsvg test.dot
Error: bad label format <
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.44.1 (0) -->
<!-- Title: structs Pages: 1 -->
<svg width="67pt" height="45pt" viewBox="0.00 0.00 67.00 45.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 41)">
<title>structs</title>
<polygon fill="white" stroke="transparent" points="-4,4 -4,-41 63,-41 63,4 -4,4"/>
<!-- struct -->
<g id="node1" class="node">
<title>struct</title>
<polygon fill="none" stroke="black" points="0,-0.5 0,-36.5 59,-36.5 59,-0.5 0,-0.5"/>
<text text-anchor="middle" x="29.5" y="-14.8" font-family="Times,serif" font-size="14.00">struct</text>
</g>
</g>
</svg>

Running with valgrind shows memory leaks but asan is required to expose the heap-buffer-overflow.

$ valgrind -s --leak-check=full dot -Tsvg test.dot
.......
==274130== LEAK SUMMARY:
==274130==    definitely lost: 70,659 bytes in 272 blocks
==274130==    indirectly lost: 95,844 bytes in 3,847 blocks
==274130==      possibly lost: 3,059 bytes in 35 blocks

Basic test:
$ echo "digraph G {Hello->World}" | dot -Tpng > hello.png
$ eom hello.png

-------------------------------------------------------------------------------
Updated from testing.

Documentation at https://www.graphviz.org/documentation/

$ dot -Tsvg test.dot
Error: bad label format <
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
.......
$ vimdot test.dot
This generates a graphic with a rectangle labelled "struct" but does not produce any other output.

Cannot say from the PoC test if the issue has been addressed but upstream states that the heap overflow problem had been fixed in an earlier version. No crashes and the error is noted so let us assume that there is no problem.

Ran vimdot on a few of the example files downloaded from https://graphviz.org/Gallery/. All worked fine; colours and shading shown as well. vimdot without an argument produced a picture of "Object Oriented Graphs" based on the last file used, crazy.gv. Closing vimdot leaves the graphic on-screen.

$ display example.gv
also shows the graphic. dotty does the same. neato simply echoes the digraph code as text.

Looks OK.
CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
And the API works:

$ gcc -o demo2 demo.c $(pkg-config --libs --cflags libgvc)
$ ls demo2
demo2*
$ ./demo2 -K neato > new.gv
$ vimdot new.gv
mga7, x64

The PoC test returned the same results before and after the updates, as in comment 5.
Ran vimdot on several of the files from graphviz.org - no regressions.
Compiled the demo.c program and ran it to generate new.gv, which tested fine with vimdot.
Tried out the ruby binding after editing the example script and installing the ograph gem.

$ sudo gem install ograph
$ ruby viz.rb > hello.gv
$ vimdot hello.gv

That worked fine as well.

OK for Mageia 7.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
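The QA procedure in comment 5 and its repeat for Mageia 7 above boil down to one judgement: on the record-label PoC, a fixed dot must print "bad label format" and carry on, with no invalid memory access reported by ASan or valgrind (the leak summary valgrind prints on this input is a separate matter and not the CVE). The script below is an added example, not code from this bug or from the Graphviz project; it turns that judgement into a function that can be asserted on, and a small runner that feeds the PoC and the "basic test" graph to an installed dot, optionally under a wrapper such as the valgrind command quoted above. The marker strings are assumptions about ASan and valgrind memcheck output; the constructed stderr samples used for checking are not real runs.

```python
import shutil
import subprocess
from typing import Optional, Tuple

# PoC input as quoted in this bug (from upstream issue 1700): a record-shaped
# node whose label is a lone "<", i.e. an unterminated port field.
POC_DOT = 'digraph structs { struct [shape=record,label="<"]; }\n'
# The "basic test" from the QA comments: a graph that must always render.
HELLO_DOT = 'digraph G {Hello->World}\n'

# stderr fragments meaning the tool wrapping dot saw an invalid memory access.
# Assumed ASan / valgrind memcheck wording. Leak reports are deliberately NOT
# listed: the QA comment notes valgrind reports leaks on this input even
# though exposing the overflow itself needs ASan.
SANITIZER_MARKERS = (
    "ERROR: AddressSanitizer",   # ASan, e.g. heap-buffer-overflow
    "Invalid read of size",      # valgrind memcheck
    "Invalid write of size",
)
EXPECTED_REJECTION = "bad label format"


def classify(returncode: int, stderr: str) -> str:
    """Classify one dot run on the PoC input.

    'sanitizer' : ASan/valgrind reported an invalid memory access
    'crash'     : process died from a signal (segfault etc.)
    'rejected'  : dot printed the expected 'bad label format' error and went on
    'clean'     : no diagnostic at all
    """
    if any(marker in stderr for marker in SANITIZER_MARKERS):
        return "sanitizer"
    # subprocess reports a signal death as a negative return code.
    if returncode < 0 or "Segmentation fault" in stderr:
        return "crash"
    if EXPECTED_REJECTION in stderr:
        return "rejected"
    return "clean"


def is_fixed(returncode: int, stderr: str) -> bool:
    """A patched build rejects the malformed label without any memory fault."""
    return classify(returncode, stderr) == "rejected"


def run_dot(dot_source: str, fmt: str = "svg",
            wrapper: Tuple[str, ...] = ()) -> Optional[Tuple[int, bytes, str]]:
    """Run dot (optionally under a valgrind/ASan wrapper) on in-memory input.

    Returns (returncode, stdout, stderr), or None when dot is not installed,
    so the check is skipped rather than misreported on a host without it.
    """
    if shutil.which("dot") is None:
        return None
    proc = subprocess.run(
        [*wrapper, "dot", f"-T{fmt}"],
        input=dot_source.encode(),
        capture_output=True,
        timeout=60,
    )
    return proc.returncode, proc.stdout, proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    # Same wrapper as the valgrind command quoted in comment 5.
    result = run_dot(POC_DOT, wrapper=("valgrind", "-s", "--leak-check=full"))
    if result is None:
        print("dot not installed; skipping")
    else:
        rc, out, err = result
        print("PoC verdict:", classify(rc, err))
        rc, out, err = run_dot(HELLO_DOT, fmt="png")
        print("basic test rendered PNG:", out.startswith(b"\x89PNG"))
```

Because the runner returns None when dot is absent, the same file can sit in a QA checklist for both releases without producing a false "clean" on a machine that never ran the binary.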
Created attachment 12749
Hello-world type script for graphviz

$ gcc -o demo2 demo.c $(pkg-config --libs --cflags libgvc)
$ ./demo2 -K neato > new.gv
$ vimdot new.gv
Created attachment 12750
Hello-world script to test the ruby binding for graphviz

The ruby environment needs to have been set up.

$ sudo gem install ograph
$ ruby viz.rb > hello.gv
$ vimdot hello.gv
Forgot to mention packages which require graphviz; they include converseen, doxygen, gramps, kdesvn, kgraphviewer and rodovid.
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0228.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED