Date: Wed, 08 Jan 2014 09:11:10 -0800 From: Russ Allbery <eagle@...ie.org> To: oss-security@...ts.openwall.com Cc: ratulg@...hat.com, erg@...m.mit.edu Subject: Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Sebastian Krahmer <krahmer@...e.de> writes: > Funny enough that tools like graphviz qualify for CVE assignments :) > Do not get me wrong, I really like graphviz, its a great tool and I use > it myself; but probably like 2 scientists or 1 anti-terror fed plotting > his graphs in the whole world would be targeted attacked using dot files > sent via mail I guess. I wouldn't be so certain. :) I've gotten dot files in email a fair bit while working on free software projects since it's a really useful way of expressing dependency trees and similar structures. So the possibility of a targetted exploit is there, particularly given that mailing list traffic is generally completely unauthenticated. It's not hard for someone to pretend to be another participant and mail a doctored dot file to a development team. The deception would probably be discovered reasonably quickly, but possibly not before damage was done. -- Russ Allbery (eagle@...ie.org) <http://www.eyrie.org/~eagle/>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.