Bug 1699848 (CVE-2019-11023) - CVE-2019-11023 graphviz: null pointer dereference in function agroot() in cgraph\obj.c
Summary: CVE-2019-11023 graphviz: null pointer dereference in function agroot() in cgr...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11023
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1699850 1702446 1702447
Blocks: 1699849
TreeView+ depends on / blocked
 
Reported: 2019-04-15 11:30 UTC by Dhananjay Arunesh
Modified: 2021-10-27 03:28 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-27 03:28:12 UTC
Embargoed:

Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-04-15 11:30:59 UTC 
The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference, as demonstrated by graphml2gv.

Reference:
https://gitlab.com/graphviz/graphviz/issues/1517
https://research.loginsoft.com/vulnerability/null-pointer-dereference-in-function-agroot/
Comment 1 Dhananjay Arunesh 2019-04-15 11:34:34 UTC 
Created graphviz tracking bugs for this issue:

Affects: fedora-all [bug 1699850]
Comment 6 Marco Benatto 2019-04-24 12:10:45 UTC 
Upstream patch:

https://gitlab.com/graphviz/graphviz/commit/839085f8026afd6f6920a0c31ad2a9d880d97932
Comment 7 Marco Benatto 2019-04-24 12:36:20 UTC 
The graphml2gv application from graphviz suite is a tool used to convert GraphML input into GV format.
This issue relies on the fact graphml currently doesn't fully validate malformated GraphML inputs. An
attacker can take advantage of this weakness by crafting an invalid GraphML representation which leads
graphml2gv to a NULL pointer dereference at agroot() after call agnode() function trying to insert a node
into the graph causing DoS.
Note You need to log in before you can comment on or make changes to this bug.