Bug 1050871 - (CVE-2014-1235) CVE-2014-1235 graphviz: buffer overflow in yyerror() due to improper fix for CVE-2014-0978
CVE-2014-1235 graphviz: buffer overflow in yyerror() due to improper fix for ...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20140108,reported=2...
: Security
Depends On: 1050873 1050874 1050875
Blocks: 1049172
  Show dependency treegraph
 
Reported: 2014-01-09 04:38 EST by Ratul Gupta
Modified: 2015-07-31 03:14 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-27 01:56:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Ratul Gupta 2014-01-09 04:38:43 EST
Graphviz, a collection of tools for the manipulation and layout of graphs, was recently reported to be affected by a buffer overflow vulnerability, which seem to have introduced in the fix for CVE-2014-0978.

References:
http://seclists.org/oss-sec/2014/q1/46

Commit:
https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750
Comment 2 Ratul Gupta 2014-01-09 04:40:57 EST
Created graphviz tracking bugs for this issue:

Affects: fedora-all [bug 1050873]
Affects: epel-5 [bug 1050874]
Comment 5 Vincent Danen 2014-01-09 15:26:48 EST
This issue would affect graphviz in Fedora and EPEL testing because they would have used the initial patch for CVE-2014-0978.  It does not affect Red Hat Enterprise Linux 6.


Statement:

Not vulnerable. This issue did not affect the versions of graphviz as shipped with Red Hat Enterprise Linux 6 as it did not include the patch that introduced this flaw.
Comment 7 Fedora Update System 2014-02-11 14:16:03 EST
graphviz-2.12-10.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-02-11 17:59:34 EST
graphviz-2.34.0-8.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-02-11 18:01:37 EST
graphviz-2.30.1-12.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2015-05-20 07:14:03 EDT
This is mitigated by FORTIFY_SOURCE to an application abort (for further explanation see bug 1049165 comment 21 for the original CVE-2014-0978).  Hence reducing impact rating.

Note You need to log in before you can comment on or make changes to this bug.