Red Hat Bugzilla – Bug 1050871
CVE-2014-1235 graphviz: buffer overflow in yyerror() due to improper fix for CVE-2014-0978
Last modified: 2015-07-31 03:14:35 EDT
Graphviz, a collection of tools for the manipulation and layout of graphs, was recently reported to be affected by a buffer overflow vulnerability, which seem to have introduced in the fix for CVE-2014-0978.
Created graphviz tracking bugs for this issue:
Affects: fedora-all [bug 1050873]
Affects: epel-5 [bug 1050874]
This issue would affect graphviz in Fedora and EPEL testing because they would have used the initial patch for CVE-2014-0978. It does not affect Red Hat Enterprise Linux 6.
Not vulnerable. This issue did not affect the versions of graphviz as shipped with Red Hat Enterprise Linux 6 as it did not include the patch that introduced this flaw.
graphviz-2.12-10.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
graphviz-2.34.0-8.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
graphviz-2.30.1-12.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This is mitigated by FORTIFY_SOURCE to an application abort (for further explanation see bug 1049165 comment 21 for the original CVE-2014-0978). Hence reducing impact rating.