Your message dated Fri, 12 Dec 2014 09:32:57 +0000
with message-id <e1xzman-00080k...@franck.debian.org>
and subject line Bug#772648: fixed in graphviz 2.26.3-14+deb7u2
has caused the Debian Bug report #772648,
regarding graphviz: format string vulnerability (CVE-2014-9157)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
772648: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772648
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: graphviz
Version: 2.38.0-6
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu vivid ubuntu-patch
In Ubuntu, the attached patch was applied to achieve the following:
* SECURITY UPDATE: Format string vulnerability may allow attackers to
cause a denial of service or possibly execute code.
- debian/patches/CVE-2014-9157.patch: Fix format string vulnerability in
lib/cgraph/scan.l yyerror() routine.
- CVE-2014-9157
Thanks for considering the patch.
-- System Information:
Debian Release: jessie/sid
APT prefers utopic-updates
APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500,
'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru graphviz-2.38.0/debian/changelog graphviz-2.38.0/debian/changelog
diff -Nru graphviz-2.38.0/debian/patches/CVE-2014-9157.patch graphviz-2.38.0/debian/patches/CVE-2014-9157.patch
--- graphviz-2.38.0/debian/patches/CVE-2014-9157.patch 1969-12-31 19:00:00.000000000 -0500
+++ graphviz-2.38.0/debian/patches/CVE-2014-9157.patch 2014-12-09 09:09:43.000000000 -0500
@@ -0,0 +1,21 @@
+Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+Author: Emden R. Gansner
+
+---
+ lib/cgraph/scan.l | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/lib/cgraph/scan.l
+===================================================================
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -225,7 +225,7 @@
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
+- agerr(AGERR,agxbuse(&xb));
++ agerr(AGERR, "%s", agxbuse(&xb));
+ agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
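Review bot: the inner hunk makes the right change: the assembled message, which embeds the scanner's current token yytext (text taken from the input file), becomes an argument to the literal "%s" format instead of being passed to agerr() as the format itself. Two things to tidy before upload: the DEP-3 header carries Subject/Origin/Author but no Bug-Debian field pointing at #772648 and no Last-Update line; and since yyerror() need not be the only caller that forwards a built string as a format, building with -Werror=format-security (or grepping for other agerr(AGERR, agxbuse(...)) call sites) would confirm no sibling instance remains in this source package.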
diff -Nru graphviz-2.38.0/debian/patches/series graphviz-2.38.0/debian/patches/series
--- graphviz-2.38.0/debian/patches/series 2014-09-01 17:13:51.000000000 -0400
+++ graphviz-2.38.0/debian/patches/series 2014-12-09 09:09:43.000000000 -0500
@@ -11,3 +11,4 @@
reduce-lab-color.patch
add-libm-to-dot-link.patch
versioned-plugin-config-file.diff
+CVE-2014-9157.patch
--- End Message ---
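The scan.l change carried by the patch above, modelled in a small added C example (this is not graphviz code; report_error() stands in for agerr(), and the buffer handling and message wording are assumptions that follow the shape of the hunk):

```c
/* Added example, not graphviz code: a minimal model of the scan.l
 * yyerror() fix. report_error() stands in for agerr(); the buffer
 * handling and the exact message wording are assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSGBUF 256
static char last_msg[MSGBUF];   /* what the reporter last emitted */

/* Model of agerr(): printf-style, so its second argument is a format. */
int report_error(int level, const char *fmt, ...)
{
    va_list ap;
    int n;
    (void)level;
    va_start(ap, fmt);
    n = vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
    return n;
}

/* Patched shape of yyerror(): the assembled message embeds yytext, the
 * scanner's current token (text from the input file), and is passed as
 * an ARGUMENT to the literal "%s" format. Before the patch the call was
 * report_error(1, xb), so '%' directives inside the token were
 * interpreted by vsnprintf; that is the bug CVE-2014-9157 describes. */
void yyerror_fixed(const char *yytext, int line)
{
    char xb[MSGBUF];
    snprintf(xb, sizeof xb, "syntax error in line %d near '%s'\n",
             line, yytext);
    report_error(1, "%s", xb);
}

/* 1 if reporting `yytext` at `line` emits exactly `expect`, else 0. */
int renders_as(const char *yytext, int line, const char *expect)
{
    yyerror_fixed(yytext, line);
    return strcmp(last_msg, expect) == 0;
}

int main(void)
{
    /* Constructed token with format directives, as a malformed .dot
     * file could contain; with the fix it is printed verbatim. */
    yyerror_fixed("%x%x%n", 3);
    fputs(last_msg, stderr);
    return 0;
}
```

With the literal "%s" format the directives in the token survive unchanged in the output, which is exactly the behaviour the one-line patch restores.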
--- Begin Message ---
Source: graphviz
Source-Version: 2.26.3-14+deb7u2
We believe that the bug you reported is fixed in the latest version of
graphviz, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 772...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated graphviz package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 08 Dec 2014 17:34:32 +0100
Source: graphviz
Binary: graphviz libgv-guile libgv-lua libgv-perl libgv-php5 libgv-python
libgv-ruby libgv-tcl libgraph4 libcgraph5 libcdt4 libpathplan4 libgvc5
libgvc5-plugins-gtk libgvpr1 libxdot4 libgraphviz-dev graphviz-doc graphviz-dev
Architecture: source all amd64
Version: 2.26.3-14+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: David Claughton <d...@eclecticdave.com>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Description:
graphviz - rich set of graph drawing tools
graphviz-dev - transitional package for graphviz-dev rename
graphviz-doc - additional documentation for graphviz
libcdt4 - rich set of graph drawing tools - cdt library
libcgraph5 - rich set of graph drawing tools - cgraph library
libgraph4 - rich set of graph drawing tools - graph library
libgraphviz-dev - graphviz libs and headers against which to build applications
libgv-guile - Guile bindings for graphviz
libgv-lua - Lua bindings for graphviz
libgv-perl - Perl bindings for graphviz
libgv-php5 - PHP5 bindings for graphviz
libgv-python - Python bindings for graphviz
libgv-ruby - Ruby bindings for graphviz
libgv-tcl - Tcl bindings for graphviz
libgvc5 - rich set of graph drawing tools - gvc library
libgvc5-plugins-gtk - rich set of graph drawing tools - gtk plugins
libgvpr1 - rich set of graph drawing tools - gvpr library
libpathplan4 - rich set of graph drawing tools - pathplan library
libxdot4 - rich set of graph drawing tools - xdot library
Closes: 772648
Changes:
graphviz (2.26.3-14+deb7u2) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2014-9157.patch patch (Closes: #772648)
Format string vulnerability in the yyerror function in
lib/cgraph/scan.l in Graphviz allows remote attackers to
have unspecified impact via format string specifiers in
unknown vector, which are not properly handled in an
error string.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---