From ${URL} :

A format string vulnerability has been found in `graphviz'. The fix commit is here: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081

@maintainer(s): After the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
CVE-2014-9157 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9157): Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vector, which are not properly handled in an error string.
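The bug class the CVE text describes, as an added C example that is not Graphviz's code: a yyerror-style reporter that hands its assembled message to a printf-style error sink as the format string, beside the hardened form that passes the message as a "%s" argument, plus a small review helper that counts conversion specifiers in text headed for such a sink. The sink `agerr_demo`, the level constant and the sample tokens are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for a printf-style library error sink such as agerr():
 * the argument after the level is the FORMAT string. Constructed for
 * this example; it is not Graphviz code. */
enum { AGERR_LEVEL = 1 };
static char last_error[256];

static int agerr_demo(int level, const char *fmt, ...)
{
    va_list ap;
    (void)level;
    va_start(ap, fmt);
    int n = vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
    return n;
}

/* Bug class of CVE-2014-9157: yyerror() builds a message that embeds
 * input-derived text and hands the buffer to the sink AS THE FORMAT, so
 * any '%' in the input is interpreted as a conversion specifier. */
static int yyerror_vulnerable(const char *token, int line)
{
    char buf[256];
    snprintf(buf, sizeof buf, "syntax error in line %d near '%s'", line, token);
    /* A sink declared __attribute__((format(printf, 2, 3))) lets -Wformat-security flag this. */
    return agerr_demo(AGERR_LEVEL, buf);
}

/* Hardened form: the message is always a "%s" argument, never the format. */
static int yyerror_fixed(const char *token, int line)
{
    char buf[256];
    snprintf(buf, sizeof buf, "syntax error in line %d near '%s'", line, token);
    return agerr_demo(AGERR_LEVEL, "%s", buf);
}

/* Review/test helper: count conversion specifiers in text headed for a printf-style sink. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%' && s[1] == '%') s++;       /* "%%" is a literal percent */
        else if (*s == '%') n++;
    }
    return n;
}

const char *last_error_text(void) { return last_error; }
```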
Ping Maintainers: Looks like it is patched by a few distros:

Debian: https://security-tracker.debian.org/tracker/CVE-2014-9157
RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1167868

Please advise what you would like to do.
Does 2.26.3-r4 fix this bug?
Fix was made after release of Graphviz 2.38.0.
Other fixes for format strings:

https://github.com/ellson/graphviz/commit/495f781f91dca1fb165bbaa6abc0ced1c09535c8
https://github.com/ellson/graphviz/commit/10a132289ffe4ed9a398bebca13cb41c1006bd13
@ Maintainer(s): Upstream hasn't released a new version since 2014. Please decide to do a snapshot release.
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #4)
> Fix was made after release of Graphviz 2.38.0.

The fix is untagged upstream, but looks like they were targeting the 2.40 release. Can the graphics team backport the patch?
This bug has been fixed in the 2.40.1 release.

References:
https://github.com/ellson/MOTHBALLED-graphviz/pull/50
https://gitlab.com/graphviz/graphviz/commits/stable_release_2.40.1?utf8=%E2%9C%93&search=agerr
https://gitlab.com/graphviz/graphviz/commit/10a132289ffe4ed9a398bebca13cb41c1006bd13
https://gitlab.com/graphviz/graphviz/commit/495f781f91dca1fb165bbaa6abc0ced1c09535c8

@ Maintainer(s): Please state when you are ready for stabilization.
Can we start stabilisation, please?
ia64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f88f001a4f08ceeccaf49be8995af651e1f6930

commit 7f88f001a4f08ceeccaf49be8995af651e1f6930
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-01-14 12:33:32 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-01-14 12:42:44 +0000

    media-gfx/graphviz: stable 2.40.1-r1 for sparc

    Bug: https://bugs.gentoo.org/530736
    Package-Manager: Portage-2.3.13, Repoman-2.3.3
    RepoMan-Options: --include-arches="sparc"

 media-gfx/graphviz/graphviz-2.40.1-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
amd64 stable
Stable on alpha.
arm stable
x86 stable
ping hppa, powerpc
ppc/ppc64 stable
arm64 has never had stable keywords on graphviz yet, unCCing.
hppa stable
Downgraded to B3. @maintainers, please remove the vulnerable versions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4977eed9116840c35a0ea65e521bf995e5a15f2

commit b4977eed9116840c35a0ea65e521bf995e5a15f2
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-03 15:42:07 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-03 18:13:02 +0000

    media-gfx/graphviz: drop vulnerable ebuild and local use

    Bug: https://bugs.gentoo.org/530736
    Package-Manager: Portage-2.3.27, Repoman-2.3.9
    Closes: https://github.com/gentoo/gentoo/pull/7791

 media-gfx/graphviz/Manifest                  |   1 -
 media-gfx/graphviz/graphviz-2.38.0-r1.ebuild | 267 --------------------------
 media-gfx/graphviz/graphviz-2.40.1.ebuild    | 275 ---------------------------
 media-gfx/graphviz/metadata.xml              |   1 -
 4 files changed, 544 deletions(-)
Tree is clean. GLSA Vote: No