Format string vulnerability was reported in graphviz .
Upstream patch is at .
Created graphviz tracking bugs for this issue:
Affects: fedora-all [bug 1167868]
Affects: epel-5 [bug 1167869]
(In reply to Vasyl Kaigorodov from comment #1)
> Affects: epel-5 [bug 1167869]
By looking into agerror implementation:
AGERROR_SYNTAX == 1 # agraph.h
Message == "%s" # agerror.c
void agerror(int code, char *str)
fprintf(stderr, Message[code], str);
Could you recheck the epel-5 vulnerability please?
This was assigned CVE-2014-9157:
graphviz-2.34.0-10.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
graphviz-2.38.0-11.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
graphviz-2.30.1-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
In Red Hat Enterprise Linux, this issue is mitigated by the FORTIFY_SOURCE hardening feature. It prevents this issue from being exploitable for code execution. Malicious format string can cause an unexpected termination of affected application (such us some of the graphviz command line tools, or other applications using graphviz's libcgraph library). It may also lead to disclosure of portions of process memory, if attack providing inputs can also see produced error messages.
Upstream pull request with additional agerr() format string fixes:
As this is mitigated by the FORTIFY_SOURCE, lowering impact rating accordingly. We are no longer planning to correct this in future updates of affected already released products.
This issue affects the versions of the graphviz package as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact and therefore it is not planned to be addressed in future updates.