Bug 530736 (CVE-2014-9157) - <media-gfx/graphviz-2.40.1: format string (CVE-2014-9157)
Summary: <media-gfx/graphviz-2.40.1: format string (CVE-2014-9157)
Status: RESOLVED FIXED
Alias: CVE-2014-9157
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2014/q4/784
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: 638026
Reported: 2014-11-26 09:07 UTC by Agostino Sarubbo
Modified: 2018-04-03 18:14 UTC

See Also:
Package list:
media-gfx/graphviz-2.40.1-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2014-11-26 09:07:16 UTC
From ${URL} :

A format string vulnerability has been found in `graphviz'.
The fix commit is here:
https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-12-07 18:46:18 UTC
CVE-2014-9157 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9157):
  Format string vulnerability in the yyerror function in lib/cgraph/scan.l in
  Graphviz allows remote attackers to have unspecified impact via format
  string specifiers in unknown vector, which are not properly handled in an
  error string.
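
The bug class named in the CVE description above, shown as an added example that is not part of this bug report and is not Graphviz code: an error reporter that uses its message as the format string, next to the hardened form that passes it as data. The names `err_printf`, `report_unsafe`, `report_safe` and `count_conversions` are hypothetical, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style error sink (not Graphviz code); writes into a buffer. */
static int err_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: the message, which may echo parsed input, is used as
 * the format string, so any conversion in it is interpreted. */
static int report_unsafe(char *out, size_t n, const char *msg)
{
    return err_printf(out, n, msg);
}

/* Hardened pattern: constant format string, message passed as an argument. */
static int report_safe(char *out, size_t n, const char *msg)
{
    return err_printf(out, n, "%s", msg);
}

/* Rough audit helper: count conversion specifications ("%%" is a literal). */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    const char *msg = "syntax error near '%s%x'"; /* constructed sample */
    report_safe(buf, sizeof buf, msg);
    printf("%d conversion(s); logged literally: %s\n", count_conversions(msg),
           strcmp(buf, msg) == 0 ? "yes" : "no");
    /* The unsafe form only behaves when the text has no conversions. */
    report_unsafe(buf, sizeof buf, "syntax error near 'node'");
    printf("%s\n", buf);
    return 0;
}
```

Compilers flag the unsafe call shape with `-Wformat-security` when the sink is declared with a `format(printf, ...)` attribute, which is a cheap check to enable on error-reporting helpers.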
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-12-28 13:43:12 UTC
Ping Maintainers:

Looks like it is patched by a few distros:
Debian:
https://security-tracker.debian.org/tracker/CVE-2014-9157

RedHat:
https://bugzilla.redhat.com/show_bug.cgi?id=1167868

Please advise what you would like to do.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-02-21 19:25:47 UTC
Does 2.26.3-r4 fix this bug?
Comment 4 Arfrever Frehtes Taifersar Arahesis 2016-08-16 12:40:11 UTC
Fix was made after release of Graphviz 2.38.0.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 19:57:36 UTC
@ Maintainer(s): Upstream hasn't released a new version since 2014. Please decide to do a snapshot release.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-01-03 02:22:57 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #4)
> Fix was made after release of Graphviz 2.38.0.

The fix is untagged upstream, but looks like they were targeting the 2.40 release.  Can the graphics team backport the patch?
Comment 9 Andreas Sturmlechner gentoo-dev 2018-01-07 13:45:23 UTC
Can we start stabilisation, please?
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-13 20:52:42 UTC
ia64 stable
Comment 11 Larry the Git Cow gentoo-dev 2018-01-14 12:42:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f88f001a4f08ceeccaf49be8995af651e1f6930

commit 7f88f001a4f08ceeccaf49be8995af651e1f6930
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-01-14 12:33:32 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-01-14 12:42:44 +0000

    media-gfx/graphviz: stable 2.40.1-r1 for sparc
    
    Bug: https://bugs.gentoo.org/530736
    Package-Manager: Portage-2.3.13, Repoman-2.3.3
    RepoMan-Options: --include-arches="sparc"

 media-gfx/graphviz/graphviz-2.40.1-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 12 Agostino Sarubbo gentoo-dev 2018-01-14 15:31:08 UTC
amd64 stable
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2018-01-28 17:00:37 UTC
Stable on alpha.
Comment 14 Markus Meier gentoo-dev 2018-02-05 21:18:04 UTC
arm stable
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-07 06:37:41 UTC
x86 stable
Comment 16 Andreas Sturmlechner gentoo-dev 2018-02-27 14:55:47 UTC
ping hppa, powerpc
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-27 20:28:58 UTC
ppc/ppc64 stable
Comment 18 Mart Raudsepp gentoo-dev 2018-03-03 01:54:11 UTC
arm64 has never had stable keywords on graphviz yet, unCCing.
Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-13 22:33:53 UTC
hppa stable
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2018-03-28 23:20:21 UTC
Downgraded to B3.

@maintainers, please remove the vulnerable versions
Comment 21 Larry the Git Cow gentoo-dev 2018-04-03 18:13:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4977eed9116840c35a0ea65e521bf995e5a15f2

commit b4977eed9116840c35a0ea65e521bf995e5a15f2
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-03 15:42:07 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-03 18:13:02 +0000

    media-gfx/graphviz: drop vulnerable ebuild and local use
    
    Bug: https://bugs.gentoo.org/530736
    Package-Manager: Portage-2.3.27, Repoman-2.3.9
    Closes: https://github.com/gentoo/gentoo/pull/7791

 media-gfx/graphviz/Manifest                  |   1 -
 media-gfx/graphviz/graphviz-2.38.0-r1.ebuild | 267 --------------------------
 media-gfx/graphviz/graphviz-2.40.1.ebuild    | 275 ---------------------------
 media-gfx/graphviz/metadata.xml              |   1 -
 4 files changed, 544 deletions(-)
Comment 22 Aaron Bauman (RETIRED) gentoo-dev 2018-04-03 18:14:13 UTC
Tree is clean.

GLSA Vote: No