CVE-2019-9904 (https://nvd.nist.gov/vuln/detail/CVE-2019-9904): An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.
Commit that should fix this issue: https://gitlab.com/graphviz/graphviz/-/commit/360ff9ef3a1829edbbf6f27b6b3543cc40b2773b
(In reply to Azamat H. Hackimov from comment #1)
> Commit that should fix this issue:
> https://gitlab.com/graphviz/graphviz/-/commit/360ff9ef3a1829edbbf6f27b6b3543cc40b2773b

Was this ever an issue? Seems like maintainer couldn't reproduce on Linux and the tested environment was Windows.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b762a11ed8579ad0de77bc9f2873026bb3505696

commit b762a11ed8579ad0de77bc9f2873026bb3505696
Author: David Seifert <soap@gentoo.org>
AuthorDate: 2021-04-24 11:01:04 +0000
Commit: David Seifert <soap@gentoo.org>
CommitDate: 2021-04-24 11:01:04 +0000

    media-gfx/graphviz: Bump to 2.47.1

    Bug: https://bugs.gentoo.org/684844
    Closes: https://bugs.gentoo.org/723286
    Closes: https://bugs.gentoo.org/770067
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: David Seifert <soap@gentoo.org>

 media-gfx/graphviz/Manifest | 1 +
 .../graphviz/files/graphviz-2.47.1-bashisms.patch | 12 +
 media-gfx/graphviz/graphviz-2.47.1.ebuild | 277 +++++++++++++++++++++
 3 files changed, 290 insertions(+)
Thanks! Please proceed with stabilization when ready.
* CVE-2020-18032

Description:
"Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component."

Bug: https://gitlab.com/graphviz/graphviz/-/issues/1700
Ping
As java seems to be ruled out should be good to go.
amd64 done
ppc64 done
arm64 done
arm done
x86 done
Looking good on ppc.

# cat graphviz-684844.report
USE tests started on So 9. Mai 13:46:42 CEST 2021
FEATURES=' test' USE='' succeeded for =media-gfx/graphviz-2.47.1
USE='X cairo -devil -doc examples -gtk gts -guile lasi nls pdf perl -postscript -python -qt5 -ruby -svg -tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='X cairo -devil doc -examples -gtk gts guile -lasi nls -pdf perl -postscript -python qt5 -ruby -svg -tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil doc examples -gtk gts guile lasi -nls -pdf -perl -postscript -python qt5 ruby svg -tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo devil -doc examples -gtk -gts guile -lasi nls pdf -perl -postscript -python qt5 ruby svg -tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil -doc examples -gtk gts guile lasi -nls -pdf perl -postscript -python -qt5 -ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil doc examples -gtk -gts guile lasi -nls pdf perl postscript -python -qt5 -ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='X cairo devil -doc -examples gtk gts -guile -lasi nls -pdf -perl -postscript -python -qt5 ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil -doc -examples -gtk gts guile -lasi -nls -pdf -perl postscript -python -qt5 ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil doc examples -gtk -gts -guile -lasi -nls -pdf perl -postscript -python qt5 ruby -svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='X cairo devil -doc -examples -gtk gts guile lasi -nls pdf -perl -postscript -python qt5 -ruby svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo devil doc examples gtk -gts guile lasi -nls pdf perl -postscript -python qt5 -ruby svg tcl' succeeded for =media-gfx/graphviz-2.47.1
USE='-X cairo -devil -doc examples gtk gts guile -lasi nls -pdf perl -postscript -python qt5 ruby svg tcl' succeeded for =media-gfx/graphviz-2.47.1
revdep tests started on So 9. Mai 15:17:35 CEST 2021
FEATURES=' test' USE='dot' succeeded for app-doc/doxygen
FEATURES=' test' USE='graphviz' succeeded for dev-util/quilt
FEATURES=' test' USE='graphviz' succeeded for media-gfx/imagemagick
FEATURES=' test' USE='' succeeded for dev-python/pydot
FEATURES=' test' USE='' succeeded for dev-python/objgraph
FEATURES=' test' USE='valadoc' succeeded for dev-lang/vala
FEATURES=' test' USE='' succeeded for dev-tex/dot2tex
FEATURES=' test' USE='' succeeded for dev-python/pygraphviz
FEATURES=' test' USE='' succeeded for media-gfx/xdot
ppc done
(In reply to ernsteiswuerfel from comment #13)
> Looking good on ppc.
>

Thank you!
hppa/sparc stable
New GLSA request filed.
Unable to check for sanity:

> no match for package: media-gfx/graphviz-2.47.1
This issue was resolved and addressed in GLSA 202107-04 at https://security.gentoo.org/glsa/202107-04 by GLSA coordinator John Helmert III (ajak).