Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Jan 2014 11:15:47 +0100
From: Sebastian Krahmer <krahmer@...e.de>
To: oss-security@...ts.openwall.com
Cc: ratulg@...hat.com, erg@...m.mit.edu
Subject: Re: Re: CVE Request: graphviz: stack-based buffer
	overflow in yyerror()

Hi

Funny enough that tools like graphviz qualify for CVE assignments :)

Do not get me wrong, I really like graphviz, its a great tool and I use it myself;
but probably like 2 scientists or 1 anti-terror fed plotting his graphs
in the whole world would be targeted attacked using dot files sent via mail I guess.

Seems like the initial fix:

https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a

also contains a sprintf() which is also later removed by commit

d266bb2b4154d11c27252b56d86963aef4434750 just for safety reasons.

And finally there also is:


/* chkNum:
 * The regexp for NUMBER allows a terminating letter.
 * This way we can catch a number immediately followed by a name
 * and report this to the user.
 */
static int chkNum(void) {
  unsigned char c = (unsigned char)yytext[yyleng-1];   /* last character */
  if (!isdigit(c) && (c != '.')) {  /* c is letter */
        char    buf[BUFSIZ];
        sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
    strcat (buf, "splits into two name tokens\n");
        agerr(AGWARN,buf);
    return 1;
  }
  else return 0;
}


which also looks like a buffer overflow from user input; yet unfixed.
(the regex seems to accept arbitrary long digit list)

So for the 3 potential victims, we need to fix that too :)

Sebastian


On Tue, Jan 07, 2014 at 05:19:07PM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> >an error within the "yyerror()"
> >function (lib/cgraph/scan.l) and can be exploited to cause a stack-based
> >buffer overflow via a specially crafted file.
> 
> Use CVE-2014-0978.
> 
> - -- 
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (SunOS)
> 
> iQEcBAEBAgAGBQJSzH0dAAoJEKllVAevmvmsdcAIALBfNun5cNjVGVEVmWYQIncL
> cZIWWhasJDtZoSSP7sEqSWUnTvIft/9Ke6O6dCykngQo6kIEQYqUfxeKpB2c+Asi
> b144u4i7nLyustXMCAHkJ58Z2sr5+IfvrjY8g7MzCQU3eRVw4O4NcNGK7qmU3nyv
> D3YX3b4ON2a6FWmGNFYmo9aJ7x1suMIjXKPqM7m//+6qpEdSH7kETMvLR86lJZuj
> L2FBvbPVvpN8VgAMrASONQBMsVAaqXDSuizQgfAxqktqBCO/8lSsJ+0kE4ybMHkr
> gN1hL4z+mo7gkVqeaemtds41ZaM51pAQvp+vkUGx3y35SppqcxiSr55GqjZTBts=
> =F0p9
> -----END PGP SIGNATURE-----

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ