Roee Hay reported a buffer overflow affecting graphviz's graph parser. Further details from Roee: Description A vulnerability exists in Graphviz's parsing engine which makes it possible to overflow a globally allocated array and corrupt memory by doing so. parser.y (Graphviz 2.20.2): 34: static Agraph_t *Gstack[32]; 35: static int GSP; 45: static void push_subg(Agraph_t *g) 46: { 47: G = Gstack[GSP++] = g; 48: } As it can be seen, no bounds check is performed by the push_subg procedure, allowing one to overflow Gstack by pushing more than 32 (Agraph_t *) elements. Impact/Severity A malicious user can achieve an arbitrary code execution by creating a specially crafted DOT file and convince the victim to render it using Graphviz. References: http://roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execution.html http://bugs.gentoo.org/show_bug.cgi?id=240636 Upstream patch: https://bugzilla.redhat.com/attachment.cgi?id=319712
CVE id CVE-2008-4555 was assigned to this issue: Stack-based buffer overflow in the push_subg function in parser.y (lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions, allows user-assisted remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a DOT file with a large number of Agraph_t elements.