Bug 497274 (CVE-2014-0978, CVE-2014-1235, CVE-2014-1236) - <media-gfx/graphviz-2.36.0: "yyerror()" Buffer Overflow Vulnerability (CVE-2014-{0978,1235,1236})
Summary: <media-gfx/graphviz-2.36.0: "yyerror()" Buffer Overflow Vulnerability (CVE-20...
Alias: CVE-2014-0978, CVE-2014-1235, CVE-2014-1236
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve cleanup]
Depends on: 529462 594194
Reported: 2014-01-06 14:55 UTC by Agostino Sarubbo
Modified: 2017-02-10 23:20 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-01-06 14:55:18 UTC
From ${URL} :


A vulnerability has been reported in Graphviz, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error within the "yyerror()" function (lib/cgraph/scan.l) and can be exploited to cause a stack-based buffer overflow via a specially crafted file.

The vulnerability is reported in version 2.34.0. Other versions may also be affected.

Fixed in the source code repository.

Further details available to Secunia VIM customers

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-01-11 17:53:20 UTC
CVE-2014-1236 (
  Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in
  Graphviz 2.34.0 allows remote attackers to have unspecified impact via
  vectors related to a "badly formed number" and a "long digit list."

CVE-2014-0978 (
  Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in
  Graphviz 2.34.0 allows remote attackers to have unspecified impact via a
  long line in a dot file.
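A constructed illustration of the defect class that the description and Comment 1 name (an error reporter echoing an unbounded input line into a fixed stack buffer, and a number checker accepting an over-long or malformed digit list), shown next to a bounded version. This is an added example, not Graphviz's own code; the buffer sizes, function names and the 40-character echo limit are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Graphviz's code. ERRBUF is the fixed stack
 * buffer a scanner's error reporter might use; MAX_NUM_LEN is the longest
 * digit list the number checker will accept. Both are illustrative sizes. */
#define ERRBUF 64
#define MAX_NUM_LEN 32

/* The pattern the advisory describes, kept only for contrast and never
 * called: the whole input line is formatted into a fixed stack buffer, so
 * a long line in a .dot file writes past the end of buf. */
void yyerror_unsafe(const char *line, int lineno)
{
    char buf[ERRBUF];
    sprintf(buf, "syntax error in line %d near '%s'", lineno, line);
    fputs(buf, stderr);
}

/* Bounded reporter: %.40s caps how much of the offending line is echoed
 * and snprintf caps the total write, so out is always NUL-terminated.
 * Returns true if the full message fit, false if it was truncated. */
bool yyerror_safe(const char *line, int lineno, char *out, size_t outsz)
{
    if (outsz == 0) return false;
    int need = snprintf(out, outsz, "syntax error in line %d near '%.40s'",
                        lineno, line);
    return need >= 0 && (size_t)need < outsz;
}

/* chkNum-style check: accept a numeric token only when it is well formed
 * (optional '-', digits, at most one '.') and short enough for any fixed
 * buffer it may later be copied into. Rejects both the "badly formed
 * number" and the "long digit list" cases named in CVE-2014-1236. */
bool chknum_safe(const char *tok)
{
    size_t n = strlen(tok);
    if (n == 0 || n > MAX_NUM_LEN) return false;
    size_t i = (tok[0] == '-') ? 1 : 0;
    bool digits = false, dot = false;
    for (; tok[i] != '\0'; i++) {
        if (isdigit((unsigned char)tok[i])) digits = true;
        else if (tok[i] == '.' && !dot) dot = true;
        else return false;
    }
    return digits;
}
```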
Comment 2 Pacho Ramos gentoo-dev 2016-09-14 13:33:38 UTC
The fixed version was already stabilized.
Comment 3 Pacho Ramos gentoo-dev 2017-01-15 10:37:38 UTC
But we cannot clean vulnerable versions until bug 594194 is solved
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 01:52:46 UTC
This fix for CVE-2014-0978 introduced the possible buffer overflow vulnerability that received the name CVE-2014-1235.

Upstream fix:

Fix is present in =media-gfx/graphviz-2.36.0.

New GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-02-10 23:20:33 UTC
This issue was resolved and addressed in
 GLSA 201702-06 at
by GLSA coordinator Thomas Deutschmann (whissi).