
Bug 682522 (CVE-2018-10196)

Summary: <media-gfx/graphviz-2.42.1: NULL pointer dereference vulnerability in the rebuild_vlists (CVE-2018-10196)
Product: Gentoo Security Reporter: Pacho Ramos <pacho>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: graphics+disabled
Priority: Normal Flags: nattka: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.com/graphviz/graphviz/issues/1367
See Also: https://github.com/gentoo/gentoo/pull/12790
Whiteboard: B3 [noglsa cve]
Package list:
media-gfx/graphviz-2.42.1
Runtime testing required: ---

Description Pacho Ramos gentoo-dev 2019-04-04 12:33:52 UTC
Description

NULL pointer dereference vulnerability in the rebuild_vlists function in
lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote
attackers to cause a denial of service (application crash) via a crafted
file.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10196
Bugs
https://gitlab.com/graphviz/graphviz/issues/1367
https://issuetracker.google.com/issues/77810342
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898841
Comment 1 Andreas Sturmlechner gentoo-dev 2019-06-29 19:54:59 UTC
Fixed upstream in git master the same day: https://gitlab.com/graphviz/graphviz/commit/8375908cba04be37f571abd1519b04286d3655fa
Comment 2 Larry the Git Cow gentoo-dev 2019-09-14 14:59:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f430eaf4ff2738fae69c577f0e1eb40429b42d23

commit f430eaf4ff2738fae69c577f0e1eb40429b42d23
Author:     Chris Mayo <aklhfex@gmail.com>
AuthorDate: 2019-08-25 18:56:52 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-09-14 14:52:24 +0000

    media-gfx/graphviz: version bump to 2.42.1
    
    Bug: https://bugs.gentoo.org/682522
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Chris Mayo <aklhfex@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/12790
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-gfx/graphviz/Manifest                        |   1 +
 .../files/graphviz-2.42.1-libgv_python.patch       |  15 ++
 .../graphviz/files/graphviz-2.42.1-math.patch      |  38 +++
 media-gfx/graphviz/graphviz-2.42.1.ebuild          | 283 +++++++++++++++++++++
 4 files changed, 337 insertions(+)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-27 23:21:47 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-28 07:41:41 UTC
amd64 stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:52:49 UTC
arm stable
Comment 6 Rolf Eike Beer archtester 2019-11-02 16:33:32 UTC
hppa stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-11-07 00:48:47 UTC
arm64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-08 08:34:38 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-11-12 10:13:33 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-11-12 10:39:13 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-11-12 16:02:43 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-11-13 11:29:17 UTC
ia64 stable
Comment 13 Matt Turner gentoo-dev 2019-11-17 07:21:48 UTC
alpha stable

all arches stable
Comment 14 Andreas Sturmlechner gentoo-dev 2019-11-25 16:39:40 UTC
Btw, cleanup done in git commit c60d0ab2d049b8a8cb579f4ac6c5da2e14a9a30c
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 19:57:20 UTC
(In reply to Andreas Sturmlechner from comment #14)
> Btw, cleanup done in git commit c60d0ab2d049b8a8cb579f4ac6c5da2e14a9a30c

Thanks.
Comment 16 NATTkA bot gentoo-dev 2020-04-06 15:15:45 UTC
Unable to check for sanity:

> no match for package: media-gfx/graphviz-2.42.1
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 03:27:23 UTC
GLSA Vote: No

Thank you all for your work.
Closing as [noglsa].