Bug 1167866 (CVE-2014-9157)
Summary: | CVE-2014-9157 graphviz: format string vulnerability in yyerror() | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NEXTRELEASE | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | alex, carnil, jskarvad, tremble, vkaigoro |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-05-20 11:20:42 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1167868, 1167869 | ||
Bug Blocks: | 1167867 |
Description
Vasyl Kaigorodov
2014-11-25 14:30:54 UTC
Created graphviz tracking bugs for this issue: Affects: fedora-all [bug 1167868] Affects: epel-5 [bug 1167869] (In reply to Vasyl Kaigorodov from comment #1) > > Affects: epel-5 [bug 1167869] There is: scan.l: agerror(AGERROR_SYNTAX, agxbuse(&xb)); By looking into agerror implementation: AGERROR_SYNTAX == 1 # agraph.h Message[1] == "%s" # agerror.c agerror.c: void agerror(int code, char *str) { fprintf(stderr, Message[code], str); ... Could you recheck the epel-5 vulnerability please? This was assigned CVE-2014-9157: http://seclists.org/oss-sec/2014/q4/872 graphviz-2.34.0-10.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. graphviz-2.38.0-11.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. graphviz-2.30.1-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. In Red Hat Enterprise Linux, this issue is mitigated by the FORTIFY_SOURCE hardening feature. It prevents this issue from being exploitable for code execution. Malicious format string can cause an unexpected termination of affected application (such us some of the graphviz command line tools, or other applications using graphviz's libcgraph library). It may also lead to disclosure of portions of process memory, if attack providing inputs can also see produced error messages. Upstream pull request with additional agerr() format string fixes: https://github.com/ellson/graphviz/pull/50 As this is mitigated by the FORTIFY_SOURCE, lowering impact rating accordingly. We are no longer planning to correct this in future updates of affected already released products. Statement: This issue affects the versions of the graphviz package as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact and therefore it is not planned to be addressed in future updates. |