|Summary:||CVE-2014-1235 graphviz: buffer overflow in yyerror() due to improper fix for CVE-2014-0978|
|Product:||[Other] Security Response||Reporter:||Ratul Gupta <ratulg>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED NOTABUG||QA Contact:|
|Version:||unspecified||CC:||alexl, jkurik, jskarvad, pfrields, tremble|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2014-01-27 06:56:24 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||1050873, 1050874, 1050875|
Description Ratul Gupta 2014-01-09 09:38:43 UTC
Graphviz, a collection of tools for the manipulation and layout of graphs, was recently reported to be affected by a buffer overflow vulnerability, which seem to have introduced in the fix for CVE-2014-0978. References: http://seclists.org/oss-sec/2014/q1/46 Commit: https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750
Comment 2 Ratul Gupta 2014-01-09 09:40:57 UTC
Created graphviz tracking bugs for this issue: Affects: fedora-all [bug 1050873] Affects: epel-5 [bug 1050874]
Comment 5 Vincent Danen 2014-01-09 20:26:48 UTC
This issue would affect graphviz in Fedora and EPEL testing because they would have used the initial patch for CVE-2014-0978. It does not affect Red Hat Enterprise Linux 6. Statement: Not vulnerable. This issue did not affect the versions of graphviz as shipped with Red Hat Enterprise Linux 6 as it did not include the patch that introduced this flaw.
Comment 7 Fedora Update System 2014-02-11 19:16:03 UTC
graphviz-2.12-10.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-02-11 22:59:34 UTC
graphviz-2.34.0-8.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-02-11 23:01:37 UTC
graphviz-2.30.1-12.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.