Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 682522 (CVE-2018-10196) - <media-gfx/graphviz-2.42.1: NULL pointer dereference vulnerability in the rebuild_vlists (CVE-2018-10196)
Summary: <media-gfx/graphviz-2.42.1: NULL pointer dereference vulnerability in the reb...
Status: RESOLVED FIXED
Alias: CVE-2018-10196
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://gitlab.com/graphviz/graphviz/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-04 12:33 UTC by Pacho Ramos
Modified: 2020-04-26 03:27 UTC (History)
1 user (show)

See Also:
Package list:
media-gfx/graphviz-2.42.1
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Pacho Ramos gentoo-dev 2019-04-04 12:33:52 UTC
Description

NULL pointer dereference vulnerability in the rebuild_vlists function in
lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote
attackers to cause a denial of service (application crash) via a crafted
file.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10196
Bugs
https://gitlab.com/graphviz/graphviz/issues/1367
https://issuetracker.google.com/issues/77810342
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898841
Comment 1 Andreas Sturmlechner gentoo-dev 2019-06-29 19:54:59 UTC
Fixed upstream in git master the same day: https://gitlab.com/graphviz/graphviz/commit/8375908cba04be37f571abd1519b04286d3655fa
Comment 2 Larry the Git Cow gentoo-dev 2019-09-14 14:59:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f430eaf4ff2738fae69c577f0e1eb40429b42d23

commit f430eaf4ff2738fae69c577f0e1eb40429b42d23
Author:     Chris Mayo <aklhfex@gmail.com>
AuthorDate: 2019-08-25 18:56:52 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-09-14 14:52:24 +0000

    media-gfx/graphviz: version bump to 2.42.1
    
    Bug: https://bugs.gentoo.org/682522
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Chris Mayo <aklhfex@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/12790
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-gfx/graphviz/Manifest                        |   1 +
 .../files/graphviz-2.42.1-libgv_python.patch       |  15 ++
 .../graphviz/files/graphviz-2.42.1-math.patch      |  38 +++
 media-gfx/graphviz/graphviz-2.42.1.ebuild          | 283 +++++++++++++++++++++
 4 files changed, 337 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev 2019-10-27 23:21:47 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-28 07:41:41 UTC
amd64 stable
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:52:49 UTC
arm stable
Comment 6 Rolf Eike Beer archtester 2019-11-02 16:33:32 UTC
hppa stable
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-11-07 00:48:47 UTC
arm64 stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-11-08 08:34:38 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-11-12 10:13:33 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-11-12 10:39:13 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-11-12 16:02:43 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-11-13 11:29:17 UTC
ia64 stable
Comment 13 Matt Turner gentoo-dev 2019-11-17 07:21:48 UTC
alpha stable

all arches stable
Comment 14 Andreas Sturmlechner gentoo-dev 2019-11-25 16:39:40 UTC
Btw, cleanup done in git commit c60d0ab2d049b8a8cb579f4ac6c5da2e14a9a30c
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 19:57:20 UTC
(In reply to Andreas Sturmlechner from comment #14)
> Btw, cleanup done in git commit c60d0ab2d049b8a8cb579f4ac6c5da2e14a9a30c

Thanks.
Comment 16 NATTkA bot gentoo-dev 2020-04-06 15:15:45 UTC
Unable to check for sanity:

> no match for package: media-gfx/graphviz-2.42.1
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 03:27:23 UTC
GLSA Vote: No

Thank you all for you work. 
Closing as [noglsa].