Your message dated Fri, 17 Jan 2014 21:36:03 +0000
with message-id <e1w4h59-00068i...@franck.debian.org>
and subject line Bug#734745: fixed in graphviz 2.26.3-16.1
has caused the Debian Bug report #734745,
regarding graphviz: Multiple security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
734745: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734745
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: graphviz
Severity: grave
Tags: security
Justification: user security hole

Multiple security issues have been reported in Graphviz:

CVE-2014-0978:
https://bugs.gentoo.org/show_bug.cgi?id=497274
https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a

CVE-2014-1235:
https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750

CVE-2014-1243:
https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff

Can you also prepare updated packages for oldstable|stable-security?
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: graphviz
Source-Version: 2.26.3-16.1
We believe that the bug you reported is fixed in the latest version of
graphviz, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 734...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated graphviz package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 12 Jan 2014 14:37:45 +0100
Source: graphviz
Binary: graphviz libgv-guile libgv-lua libgv-perl libgv-php5 libgv-python
libgv-ruby libgv-tcl libgraph4 libcgraph5 libcdt4 libpathplan4 libgvc5
libgvc5-plugins-gtk libgvpr1 libxdot4 libgraphviz-dev graphviz-doc graphviz-dev
Architecture: source all amd64
Version: 2.26.3-16.1
Distribution: unstable
Urgency: medium
Maintainer: David Claughton <d...@eclecticdave.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
graphviz - rich set of graph drawing tools
graphviz-dev - transitional package for graphviz-dev rename
graphviz-doc - additional documentation for graphviz
libcdt4 - rich set of graph drawing tools - cdt library
libcgraph5 - rich set of graph drawing tools - cgraph library
libgraph4 - rich set of graph drawing tools - graph library
libgraphviz-dev - graphviz libs and headers against which to build applications
libgv-guile - Guile bindings for graphviz
libgv-lua - Lua bindings for graphviz
libgv-perl - Perl bindings for graphviz
libgv-php5 - PHP5 bindings for graphviz
libgv-python - Python bindings for graphviz
libgv-ruby - Ruby bindings for graphviz
libgv-tcl - Tcl bindings for graphviz
libgvc5 - rich set of graph drawing tools - gvc library
libgvc5-plugins-gtk - rich set of graph drawing tools - gtk plugins
libgvpr1 - rich set of graph drawing tools - gvpr library
libpathplan4 - rich set of graph drawing tools - pathplan library
libxdot4 - rich set of graph drawing tools - xdot library
Closes: 734745 734804
Changes:
 graphviz (2.26.3-16.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add CVE-2014-1235.patch patch.
     CVE-2014-1235: buffer overflow vulnerability in yyerror() introduced by
     original fix for CVE-2014-0978. (Closes: #734745)
   * Add CVE-2014-1236.patch patch.
     CVE-2014-1236: buffer overflow from user input (the regexp in chkNum
     would accept arbitrarily long digit list) (Closes: #734745)
   * Enable hardened build flags.
     Thanks to Moritz Muehlenhoff <j...@debian.org> (Closes: #734804)
   * Add fix-missing-format-string.patch patch.
     Fixes missing format strings for printf and fprintf calls.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---