tags 729273 + pending
thanks

Hi,

I have a fix for this in git which is more or less ready, except that
the repo is on Alioth which is down right now.  I'll see about getting
it uploaded as soon as it is operational again.

Cheers,

    David.

On 11/11/13 02:23, Sang Kil Cha wrote:
> Package: graphviz
> Version: 2.26.3-14
> Severity: grave
> Tags: security
> Justification: user security hole
>
> dijkstra (also nop) has a buffer overflow vulnerability. A PoC file is
> attached.
>
> command line to reproduce:
> $ /usr/bin/dijkstra a < foo
>
> or
>
> $ /usr/bin/nop foo
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb)
>
>
>
>
> -- System Information:
> Debian Release: 7.1
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.2.0-3-686-pae (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages graphviz depends on:
> ii  libc6       2.13-38
> ii  libcdt4     2.26.3-14
> ii  libcgraph5  2.26.3-14
> ii  libexpat1   2.1.0-1
> ii  libgd2-xpm  2.0.36~rc1~dfsg-6.1
> ii  libgraph4   2.26.3-14
> ii  libgvc5     2.26.3-14
> ii  libgvpr1    2.26.3-14
> ii  libx11-6    2:1.5.0-1+deb7u1
> ii  libxaw7     2:1.0.10-2
> ii  libxmu6     2:1.1.1-1
> ii  libxt6      1:1.1.3-1+deb7u1
>
> Versions of packages graphviz recommends:
> ii  ttf-liberation  1.07.2-6
>
> Versions of packages graphviz suggests:
> pn  graphviz-doc  <none>
> ii  gsfonts       1:8.11+urwcyr1.0.7~pre44-4.2
>
> -- no debconf information

