A Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1963395
https://gitlab.com/graphviz/graphviz/-/issues/1700
https://lists.debian.org/debian-lts-announce/2021/05/msg00014.html
https://www.debian.org/security/2021/dsa-4914
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGY2IGARE6RZHTF2UEZEWLMQCDILFK6A/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D5PQPHJHPU46FK3R5XBP3XDT4X37HMPC/
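The description above names the bug class (a buffer overflow reached by loading a crafted file) without showing the shape of such a defect. The following is an added illustration written for this page; it is not graphviz code and does not reproduce the specific defect in lib/common/shapes.c. It contrasts the unbounded-copy pattern that produces a stack buffer overflow with a bounded version that rejects overlong input, using an assumed minimal `label="..."` attribute syntax and hypothetical function names (`label_length_unsafe`, `copy_label_safe`, `check_label_line`) for demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative only: a fixed-size buffer of the kind a graph-file parser
 * might use for a node label. Not the graphviz code. */
#define LABEL_MAX 64

/* Vulnerable pattern: copies however many bytes the input file supplied
 * into a fixed-size stack buffer. A crafted file with a label longer than
 * LABEL_MAX-1 bytes writes past the end of `buf` (stack-based overflow). */
int label_length_unsafe(const char *label_from_file)
{
    char buf[LABEL_MAX];
    strcpy(buf, label_from_file);     /* no bound: overflow on long input */
    return (int)strlen(buf);
}

/* Hardened pattern: bound the copy by the destination size and treat an
 * overlong value as a parse error instead of truncating silently.
 * Returns the copied length, or -1 if the input does not fit. */
int copy_label_safe(char *dst, size_t dstsz, const char *label_from_file)
{
    size_t n = strlen(label_from_file);
    if (dstsz == 0 || n >= dstsz)
        return -1;                    /* reject: would overflow or lose data */
    memcpy(dst, label_from_file, n + 1);
    return (int)n;
}

/* Validate a single attribute line of the assumed form label="..." and
 * copy the label into `out`. Returns 0 if the label fits, -1 otherwise.
 * The syntax handled here (no escapes, no nesting) is an assumption of
 * this example, not a description of the DOT language. */
int check_label_line(const char *line, char *out, size_t outsz)
{
    const char *start = strstr(line, "label=\"");
    if (!start) return -1;
    start += strlen("label=\"");
    const char *end = strchr(start, '"');
    if (!end) return -1;
    size_t n = (size_t)(end - start);
    if (n >= outsz) return -1;        /* overlong label: reject before copying */
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char label[LABEL_MAX];
    /* Constructed sample input: a 70-byte label, longer than the buffer. */
    char long_line[128];
    snprintf(long_line, sizeof long_line, "label=\"%.*s\"", 70,
             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    printf("short label accepted: %d\n",
           check_label_line("n1 [label=\"hello\"]", label, sizeof label));
    printf("long label rejected:  %d\n",
           check_label_line(long_line, label, sizeof label));
    return 0;
}
```

The defensive point is that the bound must come from the destination, not from the input: `copy_label_safe` and `check_label_line` compare the incoming length against `sizeof` the buffer before any byte is written, so a crafted file can at most produce a parse error rather than memory corruption.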
Created graphviz tracking bugs for this issue: Affects: fedora-all [bug 1966274]
On RHEL8:

$ sudo dnf repoquery --alldeps --whatrequires '*graphviz*'
Updating Subscription Management repositories.
Last metadata expiration check: 1:42:14 ago on Thu 03 Jun 2021 03:33:44 PM CEST.
asciidoc-0:8.6.10-0.5.20180627gitf7c2274.el8.noarch
graphviz-devel-0:2.40.1-39.el8.i686
graphviz-devel-0:2.40.1-39.el8.x86_64
graphviz-devel-0:2.40.1-40.el8.i686
graphviz-devel-0:2.40.1-40.el8.x86_64
graphviz-gd-0:2.40.1-39.el8.i686
graphviz-gd-0:2.40.1-39.el8.x86_64
graphviz-gd-0:2.40.1-40.el8.i686
graphviz-gd-0:2.40.1-40.el8.x86_64
graphviz-python3-0:2.40.1-40.el8.x86_64

On RHEL7:

$ sudo repoquery --alldeps --whatrequires '*graphviz*'
asciidoc-0:8.6.8-5.el7.noarch
graphviz-devel-0:2.30.1-18.el7.i686
graphviz-devel-0:2.30.1-18.el7.x86_64
graphviz-devel-0:2.30.1-19.el7.i686
graphviz-devel-0:2.30.1-19.el7.x86_64
graphviz-devel-0:2.30.1-21.el7.i686
graphviz-devel-0:2.30.1-21.el7.x86_64
graphviz-devel-0:2.30.1-22.el7.i686
graphviz-devel-0:2.30.1-22.el7.x86_64
graphviz-gd-0:2.30.1-18.el7.i686
graphviz-gd-0:2.30.1-18.el7.x86_64
graphviz-gd-0:2.30.1-19.el7.i686
graphviz-gd-0:2.30.1-19.el7.x86_64
graphviz-gd-0:2.30.1-21.el7.i686
graphviz-gd-0:2.30.1-21.el7.x86_64
graphviz-gd-0:2.30.1-22.el7.i686
graphviz-gd-0:2.30.1-22.el7.x86_64
graphviz-guile-0:2.30.1-18.el7.x86_64
graphviz-guile-0:2.30.1-19.el7.x86_64
graphviz-guile-0:2.30.1-21.el7.x86_64
graphviz-guile-0:2.30.1-22.el7.x86_64
graphviz-java-0:2.30.1-18.el7.x86_64
graphviz-java-0:2.30.1-19.el7.x86_64
graphviz-java-0:2.30.1-21.el7.x86_64
graphviz-java-0:2.30.1-22.el7.x86_64
graphviz-lua-0:2.30.1-18.el7.x86_64
graphviz-lua-0:2.30.1-19.el7.x86_64
graphviz-lua-0:2.30.1-21.el7.x86_64
graphviz-lua-0:2.30.1-22.el7.x86_64
graphviz-ocaml-0:2.30.1-18.el7.x86_64
graphviz-ocaml-0:2.30.1-19.el7.x86_64
graphviz-ocaml-0:2.30.1-21.el7.x86_64
graphviz-ocaml-0:2.30.1-22.el7.x86_64
graphviz-perl-0:2.30.1-18.el7.x86_64
graphviz-perl-0:2.30.1-19.el7.x86_64
graphviz-perl-0:2.30.1-21.el7.x86_64
graphviz-perl-0:2.30.1-22.el7.x86_64
graphviz-php-0:2.30.1-18.el7.x86_64
graphviz-php-0:2.30.1-19.el7.x86_64
graphviz-php-0:2.30.1-21.el7.x86_64
graphviz-php-0:2.30.1-22.el7.x86_64
graphviz-python-0:2.30.1-18.el7.x86_64
graphviz-python-0:2.30.1-19.el7.x86_64
graphviz-python-0:2.30.1-21.el7.x86_64
graphviz-python-0:2.30.1-22.el7.x86_64
graphviz-ruby-0:2.30.1-18.el7.x86_64
graphviz-ruby-0:2.30.1-19.el7.x86_64
graphviz-ruby-0:2.30.1-21.el7.x86_64
graphviz-ruby-0:2.30.1-22.el7.x86_64
graphviz-tcl-0:2.30.1-18.el7.i686
graphviz-tcl-0:2.30.1-18.el7.x86_64
graphviz-tcl-0:2.30.1-19.el7.i686
graphviz-tcl-0:2.30.1-19.el7.x86_64
graphviz-tcl-0:2.30.1-21.el7.i686
graphviz-tcl-0:2.30.1-21.el7.x86_64
graphviz-tcl-0:2.30.1-22.el7.i686
graphviz-tcl-0:2.30.1-22.el7.x86_64
ibutils-0:1.5.7-9.el7.x86_64
ibutils-0:1.5.7-12.el7.x86_64
ibutils-0:1.5.7-13.el7.x86_64
ibutils-0:1.5.7-14.el7.x86_64
pprof-0:2.4-7.el7.noarch
pprof-0:2.4-8.el7.noarch
pprof-0:2.6.1-1.el7.noarch
valadoc-0:0.40.8-1.el7.i686
valadoc-0:0.40.8-1.el7.x86_64
valadoc-devel-0:0.40.8-1.el7.i686
valadoc-devel-0:0.40.8-1.el7.x86_64

Within RHEL, graphviz is only used for local applications. Moreover, in RHEL8 graphviz-devel is only part of CodeReady Builder, while in RHEL7 it is part of the Optional repository. For these reasons Moderate Impact seems more appropriate even though this is a buffer overflow.
Upstream patch: https://gitlab.com/graphviz/graphviz/-/commit/784411ca3655c80da0f6025ab20634b2a6ff696b
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4256 https://access.redhat.com/errata/RHSA-2021:4256
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-18032