Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi Release Managers,
I would like to update graphviz due to a security fix, preventing a
heap overflow[1].
[ Reason ]
It's a security fix handling bad data correctly.
[ Impact ]
None on valid data, only fixing buffer length checking.
[ Tests ]
Just the Debian ones, passed.
[ Risks ]
None.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock graphviz/2.42.2-5
Thanks,
Laszlo/GCS
[1] https://gitlab.com/graphviz/graphviz/-/issues/1700
diff -Nru graphviz-2.42.2/debian/changelog graphviz-2.42.2/debian/changelog
--- graphviz-2.42.2/debian/changelog 2020-04-26 07:25:24.000000000 +0200
+++ graphviz-2.42.2/debian/changelog 2021-05-08 11:09:59.000000000 +0200
@@ -1,3 +1,10 @@
+graphviz (2.42.2-5) unstable; urgency=high
+
+ * Fix CVE-2020-18032: out of bounds write on invalid label
+ (closes: #988000).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 08 May 2021 11:09:59 +0200
+
graphviz (2.42.2-4) unstable; urgency=medium
* Build with Guile 3.0 (closes: #885198).
diff -Nru graphviz-2.42.2/debian/patches/fix_out-of-bounds_write_on_invalid_label.patch graphviz-2.42.2/debian/patches/fix_out-of-bounds_write_on_invalid_label.patch
--- graphviz-2.42.2/debian/patches/fix_out-of-bounds_write_on_invalid_label.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.42.2/debian/patches/fix_out-of-bounds_write_on_invalid_label.patch 2021-05-08 11:09:33.000000000 +0200
@@ -0,0 +1,35 @@
+commit 784411ca3655c80da0f6025ab20634b2a6ff696b
+Author: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Sat Jul 25 19:31:01 2020 -0700
+
+ fix: out-of-bounds write on invalid label
+
+ When the label for a node cannot be parsed (due to it being malformed), it falls
+ back on the symbol name of the node itself. I.e. the default label the node
+ would have had if it had no label attribute at all. However, this is applied by
+ dynamically altering the node's label to "\N", a shortcut for the symbol name of
+ the node. All of this is fine, however if the hand written label itself is
+ shorter than the literal string "\N", not enough memory would have been
+ allocated to write "\N" into the label text.
+
+ Here we account for the possibility of error during label parsing, and assume
+ that the label text may need to be overwritten with "\N" after the fact. Fixes
+ issue #1700.
+
+diff --git a/lib/common/shapes.c b/lib/common/shapes.c
+index 0a0635fc3..9dca9ba6e 100644
+--- a/lib/common/shapes.c
++++ b/lib/common/shapes.c
+@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
+ reclblp = ND_label(n)->text;
+ len = strlen(reclblp);
+ /* For some forgotten reason, an empty label is parsed into a space, so
+- * we need at least two bytes in textbuf.
++ * we need at least two bytes in textbuf, as well as accounting for the
++ * error path involving "\\N" below.
+ */
+- len = MAX(len, 1);
++ len = MAX(MAX(len, 1), (int)strlen("\\N"));
+ textbuf = N_NEW(len + 1, char);
+ if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
+ agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
diff -Nru graphviz-2.42.2/debian/patches/series graphviz-2.42.2/debian/patches/series
--- graphviz-2.42.2/debian/patches/series 2019-10-06 00:04:01.000000000 +0200
+++ graphviz-2.42.2/debian/patches/series 2021-05-08 11:09:50.000000000 +0200
@@ -8,3 +8,4 @@
gvmap.sh_bashism.patch
build_with_libann.patch
update_documentation_link.patch
+fix_out-of-bounds_write_on_invalid_label.patch
