Bug 684844 (CVE-2019-9904, CVE-2020-18032) - <media-gfx/graphviz-2.47.1: Multiple vulnerabilities (CVE-2019-9904, CVE-2020-18032)
Status: RESOLVED FIXED
Alias: CVE-2019-9904, CVE-2020-18032
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://gitlab.com/graphviz/graphviz/...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-01 00:29 UTC by GLSAMaker/CVETool Bot
Modified: 2021-07-05 03:06 UTC

See Also:
Package list:
media-gfx/graphviz-2.47.1
Runtime testing required: ---
nattka: sanity-check-


Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-01 00:29:27 UTC
CVE-2019-9904 (https://nvd.nist.gov/vuln/detail/CVE-2019-9904):
  An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1.
  Stack consumption occurs because of recursive agclose calls in
  lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in
  lib\cgraph\subg.c.
Comment 1 Azamat H. Hackimov 2020-11-08 11:16:36 UTC
Commit that should fix this issue: https://gitlab.com/graphviz/graphviz/-/commit/360ff9ef3a1829edbbf6f27b6b3543cc40b2773b
Comment 2 John Helmert III gentoo-dev Security 2020-11-10 18:03:50 UTC
(In reply to Azamat H. Hackimov from comment #1)
> Commit that should fix this issue:
> https://gitlab.com/graphviz/graphviz/-/commit/360ff9ef3a1829edbbf6f27b6b3543cc40b2773b

Was this ever an issue? Seems like maintainer couldn't reproduce on Linux and the tested environment was Windows.
Comment 3 Larry the Git Cow gentoo-dev 2021-04-24 11:01:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b762a11ed8579ad0de77bc9f2873026bb3505696

commit b762a11ed8579ad0de77bc9f2873026bb3505696
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2021-04-24 11:01:04 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-04-24 11:01:04 +0000

    media-gfx/graphviz: Bump to 2.47.1
    
    Bug: https://bugs.gentoo.org/684844
    Closes: https://bugs.gentoo.org/723286
    Closes: https://bugs.gentoo.org/770067
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: David Seifert <soap@gentoo.org>

 media-gfx/graphviz/Manifest                        |   1 +
 .../graphviz/files/graphviz-2.47.1-bashisms.patch  |  12 +
 media-gfx/graphviz/graphviz-2.47.1.ebuild          | 277 +++++++++++++++++++++
 3 files changed, 290 insertions(+)
Comment 4 John Helmert III gentoo-dev Security 2021-04-24 16:08:58 UTC
Thanks! Please proceed with stabilization when ready.
Comment 5 Sam James archtester gentoo-dev Security 2021-04-29 19:01:18 UTC
* CVE-2020-18032

Description:
"Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component."

Bug: https://gitlab.com/graphviz/graphviz/-/issues/1700
Comment 6 Sam James archtester gentoo-dev Security 2021-05-06 05:48:21 UTC
Ping
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2021-05-07 11:19:42 UTC
As Java seems to be ruled out, should be good to go.
Comment 8 Sam James archtester gentoo-dev Security 2021-05-08 18:40:01 UTC
amd64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-05-08 18:56:11 UTC
ppc64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-05-09 01:29:36 UTC
arm64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-05-09 04:00:36 UTC
arm done
Comment 12 Sam James archtester gentoo-dev Security 2021-05-09 06:00:51 UTC
x86 done
Comment 13 ernsteiswuerfel archtester 2021-05-09 14:18:23 UTC
Looking good on ppc.

 # cat graphviz-684844.report 
USE tests started on So 9. Mai 13:46:42 CEST 2021

FEATURES=' test' USE='' succeeded for =media-gfx/graphviz-2.47.1
USE='X cairo -devil -doc examples -gtk gts -guile lasi nls pdf perl -postscript -python -qt5 -ruby -svg -tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='X cairo -devil doc -examples -gtk gts guile -lasi nls -pdf perl -postscript -python qt5 -ruby -svg -tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil doc examples -gtk gts guile lasi -nls -pdf -perl -postscript -python qt5 ruby svg -tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo devil -doc examples -gtk -gts guile -lasi nls pdf -perl -postscript -python qt5 ruby svg -tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil -doc examples -gtk gts guile lasi -nls -pdf perl -postscript -python -qt5 -ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil doc examples -gtk -gts guile lasi -nls pdf perl postscript -python -qt5 -ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='X cairo devil -doc -examples gtk gts -guile -lasi nls -pdf -perl -postscript -python -qt5 ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil -doc -examples -gtk gts guile -lasi -nls -pdf -perl postscript -python -qt5 ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil doc examples -gtk -gts -guile -lasi -nls -pdf perl -postscript -python qt5 ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='X cairo devil -doc -examples -gtk gts guile lasi -nls pdf -perl -postscript -python qt5 -ruby svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo devil doc examples gtk -gts guile lasi -nls pdf perl -postscript -python qt5 -ruby svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil -doc examples gtk gts guile -lasi nls -pdf perl -postscript -python qt5 ruby svg tcl' succeeded for =media-gfx/graphviz-2.47.1

revdep tests started on So 9. Mai 15:17:35 CEST 2021

FEATURES=' test' USE='dot' succeeded for app-doc/doxygen
FEATURES=' test' USE='graphviz' succeeded for dev-util/quilt
FEATURES=' test' USE='graphviz' succeeded for media-gfx/imagemagick
FEATURES=' test' USE='' succeeded for dev-python/pydot
FEATURES=' test' USE='' succeeded for dev-python/objgraph
FEATURES=' test' USE='valadoc' succeeded for dev-lang/vala
FEATURES=' test' USE='' succeeded for dev-tex/dot2tex
FEATURES=' test' USE='' succeeded for dev-python/pygraphviz
FEATURES=' test' USE='' succeeded for media-gfx/xdot
Comment 14 Sam James archtester gentoo-dev Security 2021-05-09 21:48:32 UTC
ppc done
Comment 15 Sam James archtester gentoo-dev Security 2021-05-10 12:44:50 UTC
(In reply to ernsteiswuerfel from comment #13)
> Looking good on ppc.
> 

Thank you!
Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev 2021-05-11 20:50:16 UTC
hppa/sparc stable
Comment 17 Thomas Deutschmann gentoo-dev Security 2021-05-26 21:11:50 UTC
New GLSA request filed.
Comment 18 NATTkA bot gentoo-dev 2021-07-04 21:00:37 UTC
Unable to check for sanity:

> no match for package: media-gfx/graphviz-2.47.1
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2021-07-05 03:06:52 UTC
This issue was resolved and addressed in
 GLSA 202107-04 at https://security.gentoo.org/glsa/202107-04
by GLSA coordinator John Helmert III (ajak).