Bug 1050871 (CVE-2014-1235)

Summary: CVE-2014-1235 graphviz: buffer overflow in yyerror() due to improper fix for CVE-2014-0978
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: alexl, jkurik, jskarvad, pfrields, tremble
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20140108,reported=20140109,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-121,mitigate=fortify,rhel-6/graphviz=notaffected,rhel-7/graphviz=notaffected,fedora-all/graphviz=affected,epel-5/graphviz=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-27 06:56:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1050873, 1050874, 1050875    
Bug Blocks: 1049172    

Description Ratul Gupta 2014-01-09 09:38:43 UTC
Graphviz, a collection of tools for the manipulation and layout of graphs, was recently reported to be affected by a buffer overflow vulnerability, which seem to have introduced in the fix for CVE-2014-0978.

References:
http://seclists.org/oss-sec/2014/q1/46

Commit:
https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750

Comment 2 Ratul Gupta 2014-01-09 09:40:57 UTC
Created graphviz tracking bugs for this issue:

Affects: fedora-all [bug 1050873]
Affects: epel-5 [bug 1050874]

Comment 5 Vincent Danen 2014-01-09 20:26:48 UTC
This issue would affect graphviz in Fedora and EPEL testing because they would have used the initial patch for CVE-2014-0978.  It does not affect Red Hat Enterprise Linux 6.


Statement:

Not vulnerable. This issue did not affect the versions of graphviz as shipped with Red Hat Enterprise Linux 6 as it did not include the patch that introduced this flaw.

Comment 7 Fedora Update System 2014-02-11 19:16:03 UTC
graphviz-2.12-10.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-02-11 22:59:34 UTC
graphviz-2.34.0-8.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-02-11 23:01:37 UTC
graphviz-2.30.1-12.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2015-05-20 11:14:03 UTC
This is mitigated by FORTIFY_SOURCE to an application abort (for further explanation see bug 1049165 comment 21 for the original CVE-2014-0978).  Hence reducing impact rating.