Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Jan 2014 11:15:47 +0100
From: Sebastian Krahmer <>
Subject: Re: Re: CVE Request: graphviz: stack-based buffer
	overflow in yyerror()


Funny enough that tools like graphviz qualify for CVE assignments :)

Do not get me wrong, I really like graphviz, its a great tool and I use it myself;
but probably like 2 scientists or 1 anti-terror fed plotting his graphs
in the whole world would be targeted attacked using dot files sent via mail I guess.

Seems like the initial fix:

also contains a sprintf() which is also later removed by commit

d266bb2b4154d11c27252b56d86963aef4434750 just for safety reasons.

And finally there also is:

/* chkNum:
 * The regexp for NUMBER allows a terminating letter.
 * This way we can catch a number immediately followed by a name
 * and report this to the user.
static int chkNum(void) {
  unsigned char c = (unsigned char)yytext[yyleng-1];   /* last character */
  if (!isdigit(c) && (c != '.')) {  /* c is letter */
        char    buf[BUFSIZ];
        sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
    strcat (buf, "splits into two name tokens\n");
    return 1;
  else return 0;

which also looks like a buffer overflow from user input; yet unfixed.
(the regex seems to accept arbitrary long digit list)

So for the 3 potential victims, we need to fix that too :)


On Tue, Jan 07, 2014 at 05:19:07PM -0500, wrote:
> Hash: SHA1
> >an error within the "yyerror()"
> >function (lib/cgraph/scan.l) and can be exploited to cause a stack-based
> >buffer overflow via a specially crafted file.
> Use CVE-2014-0978.
> - -- 
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through ]
> Version: GnuPG v1.4.14 (SunOS)
> cZIWWhasJDtZoSSP7sEqSWUnTvIft/9Ke6O6dCykngQo6kIEQYqUfxeKpB2c+Asi
> b144u4i7nLyustXMCAHkJ58Z2sr5+IfvrjY8g7MzCQU3eRVw4O4NcNGK7qmU3nyv
> D3YX3b4ON2a6FWmGNFYmo9aJ7x1suMIjXKPqM7m//+6qpEdSH7kETMvLR86lJZuj
> L2FBvbPVvpN8VgAMrASONQBMsVAaqXDSuizQgfAxqktqBCO/8lSsJ+0kE4ybMHkr
> gN1hL4z+mo7gkVqeaemtds41ZaM51pAQvp+vkUGx3y35SppqcxiSr55GqjZTBts=
> =F0p9


~ perl
~ $_='print"\$_=\47$_\47;eval"';eval
~ - SuSE Security Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ