Bug 1966272 (CVE-2020-18032) - CVE-2020-18032 graphviz: off-by-one in parse_reclbl() in lib/common/shapes.c
Summary: CVE-2020-18032 graphviz: off-by-one in parse_reclbl() in lib/common/shapes.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-18032
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1965405 1966274 1967690 1967691
Blocks: 1966273
TreeView+ depends on / blocked
 
Reported: 2021-05-31 18:45 UTC by Pedro Sampaio
Modified: 2022-04-17 21:25 UTC (History)
3 users (show)

Fixed In Version: graphviz 2.46.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in graphviz. A wrong assumption in record_init function leads to an off-by-one write in parse_reclbl function, allowing an attacker who can provide graph input to potentially execute code when the label of a node is invalid and shorter than two characters. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-11-09 19:22:08 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4256 0 None None None 2021-11-09 17:57:23 UTC

Description Pedro Sampaio 2021-05-31 18:45:10 UTC 
A Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1963395
Comment 1 Pedro Sampaio 2021-05-31 18:51:33 UTC 
References:

https://gitlab.com/graphviz/graphviz/-/issues/1700
https://lists.debian.org/debian-lts-announce/2021/05/msg00014.html
https://www.debian.org/security/2021/dsa-4914
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGY2IGARE6RZHTF2UEZEWLMQCDILFK6A/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D5PQPHJHPU46FK3R5XBP3XDT4X37HMPC/
Comment 2 Pedro Sampaio 2021-05-31 18:52:45 UTC 
Created graphviz tracking bugs for this issue:

Affects: fedora-all [bug 1966274]
Comment 3 Riccardo Schirone 2021-06-03 15:29:25 UTC 
On RHEL8:
$ sudo dnf repoquery --alldeps --whatrequires '*graphviz*'
Updating Subscription Management repositories.
Last metadata expiration check: 1:42:14 ago on Thu 03 Jun 2021 03:33:44 PM CEST.
asciidoc-0:8.6.10-0.5.20180627gitf7c2274.el8.noarch
graphviz-devel-0:2.40.1-39.el8.i686
graphviz-devel-0:2.40.1-39.el8.x86_64
graphviz-devel-0:2.40.1-40.el8.i686
graphviz-devel-0:2.40.1-40.el8.x86_64
graphviz-gd-0:2.40.1-39.el8.i686
graphviz-gd-0:2.40.1-39.el8.x86_64
graphviz-gd-0:2.40.1-40.el8.i686
graphviz-gd-0:2.40.1-40.el8.x86_64
graphviz-python3-0:2.40.1-40.el8.x86_64


On RHEL7:
$ sudo repoquery --alldeps --whatrequires '*graphviz*'
asciidoc-0:8.6.8-5.el7.noarch
graphviz-devel-0:2.30.1-18.el7.i686
graphviz-devel-0:2.30.1-18.el7.x86_64
graphviz-devel-0:2.30.1-19.el7.i686
graphviz-devel-0:2.30.1-19.el7.x86_64
graphviz-devel-0:2.30.1-21.el7.i686
graphviz-devel-0:2.30.1-21.el7.x86_64
graphviz-devel-0:2.30.1-22.el7.i686
graphviz-devel-0:2.30.1-22.el7.x86_64
graphviz-gd-0:2.30.1-18.el7.i686
graphviz-gd-0:2.30.1-18.el7.x86_64
graphviz-gd-0:2.30.1-19.el7.i686
graphviz-gd-0:2.30.1-19.el7.x86_64
graphviz-gd-0:2.30.1-21.el7.i686
graphviz-gd-0:2.30.1-21.el7.x86_64
graphviz-gd-0:2.30.1-22.el7.i686
graphviz-gd-0:2.30.1-22.el7.x86_64
graphviz-guile-0:2.30.1-18.el7.x86_64
graphviz-guile-0:2.30.1-19.el7.x86_64
graphviz-guile-0:2.30.1-21.el7.x86_64
graphviz-guile-0:2.30.1-22.el7.x86_64
graphviz-java-0:2.30.1-18.el7.x86_64
graphviz-java-0:2.30.1-19.el7.x86_64
graphviz-java-0:2.30.1-21.el7.x86_64
graphviz-java-0:2.30.1-22.el7.x86_64
graphviz-lua-0:2.30.1-18.el7.x86_64
graphviz-lua-0:2.30.1-19.el7.x86_64
graphviz-lua-0:2.30.1-21.el7.x86_64
graphviz-lua-0:2.30.1-22.el7.x86_64
graphviz-ocaml-0:2.30.1-18.el7.x86_64
graphviz-ocaml-0:2.30.1-19.el7.x86_64
graphviz-ocaml-0:2.30.1-21.el7.x86_64
graphviz-ocaml-0:2.30.1-22.el7.x86_64
graphviz-perl-0:2.30.1-18.el7.x86_64
graphviz-perl-0:2.30.1-19.el7.x86_64
graphviz-perl-0:2.30.1-21.el7.x86_64
graphviz-perl-0:2.30.1-22.el7.x86_64
graphviz-php-0:2.30.1-18.el7.x86_64
graphviz-php-0:2.30.1-19.el7.x86_64
graphviz-php-0:2.30.1-21.el7.x86_64
graphviz-php-0:2.30.1-22.el7.x86_64
graphviz-python-0:2.30.1-18.el7.x86_64
graphviz-python-0:2.30.1-19.el7.x86_64
graphviz-python-0:2.30.1-21.el7.x86_64
graphviz-python-0:2.30.1-22.el7.x86_64
graphviz-ruby-0:2.30.1-18.el7.x86_64
graphviz-ruby-0:2.30.1-19.el7.x86_64
graphviz-ruby-0:2.30.1-21.el7.x86_64
graphviz-ruby-0:2.30.1-22.el7.x86_64
graphviz-tcl-0:2.30.1-18.el7.i686
graphviz-tcl-0:2.30.1-18.el7.x86_64
graphviz-tcl-0:2.30.1-19.el7.i686
graphviz-tcl-0:2.30.1-19.el7.x86_64
graphviz-tcl-0:2.30.1-21.el7.i686
graphviz-tcl-0:2.30.1-21.el7.x86_64
graphviz-tcl-0:2.30.1-22.el7.i686
graphviz-tcl-0:2.30.1-22.el7.x86_64
ibutils-0:1.5.7-9.el7.x86_64
ibutils-0:1.5.7-12.el7.x86_64
ibutils-0:1.5.7-13.el7.x86_64
ibutils-0:1.5.7-14.el7.x86_64
pprof-0:2.4-7.el7.noarch
pprof-0:2.4-8.el7.noarch
pprof-0:2.6.1-1.el7.noarch
valadoc-0:0.40.8-1.el7.i686
valadoc-0:0.40.8-1.el7.x86_64
valadoc-devel-0:0.40.8-1.el7.i686
valadoc-devel-0:0.40.8-1.el7.x86_64

Within RHEL graphviz is only used for local applications. Moreover, in RHEL8 graphviz-devel is only part of CodeReady Builder, while in RHEL7 it is part of the Optional repository. For these reasons Moderate Impact seems more appropriate even though this is a buffer overflow.
Comment 4 Riccardo Schirone 2021-06-03 15:31:03 UTC 
Upstream patch:
https://gitlab.com/graphviz/graphviz/-/commit/784411ca3655c80da0f6025ab20634b2a6ff696b
Comment 6 errata-xmlrpc 2021-11-09 17:57:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4256 https://access.redhat.com/errata/RHSA-2021:4256
Comment 7 Product Security DevOps Team 2021-11-09 19:22:06 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-18032
Note You need to log in before you can comment on or make changes to this bug.