Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Jan 2014 11:15:47 +0100
From: Sebastian Krahmer <>
Subject: Re: Re: CVE Request: graphviz: stack-based buffer
	overflow in yyerror()


Funny enough that tools like graphviz qualify for CVE assignments :)

Do not get me wrong, I really like graphviz, its a great tool and I use it myself;
but probably like 2 scientists or 1 anti-terror fed plotting his graphs
in the whole world would be targeted attacked using dot files sent via mail I guess.

Seems like the initial fix:

also contains a sprintf() which is also later removed by commit

d266bb2b4154d11c27252b56d86963aef4434750 just for safety reasons.

And finally there also is:

/* chkNum:
 * The regexp for NUMBER allows a terminating letter.
 * This way we can catch a number immediately followed by a name
 * and report this to the user.
static int chkNum(void) {
  unsigned char c = (unsigned char)yytext[yyleng-1];   /* last character */
  if (!isdigit(c) && (c != '.')) {  /* c is letter */
        char    buf[BUFSIZ];
        sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
    strcat (buf, "splits into two name tokens\n");
    return 1;
  else return 0;

which also looks like a buffer overflow from user input; yet unfixed.
(the regex seems to accept arbitrary long digit list)

So for the 3 potential victims, we need to fix that too :)


On Tue, Jan 07, 2014 at 05:19:07PM -0500, wrote:
> Hash: SHA1
> >an error within the "yyerror()"
> >function (lib/cgraph/scan.l) and can be exploited to cause a stack-based
> >buffer overflow via a specially crafted file.
> Use CVE-2014-0978.
> - -- 
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through ]
> Version: GnuPG v1.4.14 (SunOS)
> cZIWWhasJDtZoSSP7sEqSWUnTvIft/9Ke6O6dCykngQo6kIEQYqUfxeKpB2c+Asi
> b144u4i7nLyustXMCAHkJ58Z2sr5+IfvrjY8g7MzCQU3eRVw4O4NcNGK7qmU3nyv
> D3YX3b4ON2a6FWmGNFYmo9aJ7x1suMIjXKPqM7m//+6qpEdSH7kETMvLR86lJZuj
> L2FBvbPVvpN8VgAMrASONQBMsVAaqXDSuizQgfAxqktqBCO/8lSsJ+0kE4ybMHkr
> gN1hL4z+mo7gkVqeaemtds41ZaM51pAQvp+vkUGx3y35SppqcxiSr55GqjZTBts=
> =F0p9


~ perl
~ $_='print"\$_=\47$_\47;eval"';eval
~ - SuSE Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.