Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi Release Team!

Please unblock package graphviz

The upload to unstable fixes a format string vulnerability in the yyerror function, it is assigned CVE-2014-9157, #772648:

https://security-tracker.debian.org/tracker/CVE-2014-9157

The debian/changelog reads as:

>graphviz (2.38.0-7) unstable; urgency=high
>
>  * QA upload.
>  * Add CVE-2014-9157.patch.
>    Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
>    which may allow attackers to cause a denial of service or possibly
>    execute code.
>    Thanks to Marc Deslauriers <[email protected]> (Closes: #772648)
>
> -- Salvatore Bonaccorso <[email protected]> Wed, 10 Dec 2014 07:21:52 +0100

I'm attaching the full debdiff.

Could you please unblock graphviz for migration to jessie?

unblock graphviz/2.38.0-7

Regards,
Salvatore

diff -Nru graphviz-2.38.0/debian/changelog graphviz-2.38.0/debian/changelog --- graphviz-2.38.0/debian/changelog 2014-09-01 23:43:19.000000000 +0200 +++ graphviz-2.38.0/debian/changelog 2014-12-10 16:25:41.000000000 +0100 @@ -1,3 +1,14 @@ +graphviz (2.38.0-7) unstable; urgency=high + + * QA upload. + * Add CVE-2014-9157.patch. + Fix format string vulnerability (CVE-2014-9157) in yyerror() routine + which may allow attackers to cause a denial of service or possibly + execute code. + Thanks to Marc Deslauriers <[email protected]> (Closes: #772648) + + -- Salvatore Bonaccorso <[email protected]> Wed, 10 Dec 2014 07:21:52 +0100 + graphviz (2.38.0-6) unstable; urgency=medium * QA upload. diff -Nru graphviz-2.38.0/debian/patches/CVE-2014-9157.patch graphviz-2.38.0/debian/patches/CVE-2014-9157.patch --- graphviz-2.38.0/debian/patches/CVE-2014-9157.patch 1970-01-01 01:00:00.000000000 +0100 +++ graphviz-2.38.0/debian/patches/CVE-2014-9157.patch 2014-12-10 16:25:41.000000000 +0100 @@ -0,0 +1,22 @@ +Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine +Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081 +Bug-Debian: https://bugs.debian.org/772648 +Forwarded: no +Author: Emden R. Gansner +Last-Update: 2014-12-10 + +--- + lib/cgraph/scan.l | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/cgraph/scan.l ++++ b/lib/cgraph/scan.l +@@ -225,7 +225,7 @@ void yyerror(char *str) + agxbput (&xb, buf); + agxbput (&xb, yytext); + agxbput (&xb,"'\n"); +- agerr(AGERR,agxbuse(&xb)); ++ agerr(AGERR, "%s", agxbuse(&xb)); + agxbfree(&xb); + } + /* must be here to see flex's macro defns */ diff -Nru graphviz-2.38.0/debian/patches/series graphviz-2.38.0/debian/patches/series --- graphviz-2.38.0/debian/patches/series 2014-09-01 23:13:51.000000000 +0200 +++ graphviz-2.38.0/debian/patches/series 2014-12-10 16:25:41.000000000 +0100 
@@ -11,3 +11,4 @@ reduce-lab-color.patch add-libm-to-dot-link.patch versioned-plugin-config-file.diff +CVE-2014-9157.patch
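
Review bot: In the new debian/patches/CVE-2014-9157.patch, the lib/cgraph/scan.l change corrects only the single agerr() call in yyerror(), where the buffer assembled from buf and yytext was being passed as the format argument; the debdiff touches no other call site, so before migration it is worth searching the source for any other agerr() call whose format argument is not a string literal and giving it the same "%s" treatment. Separately, in the same file's header, "Forwarded: no" sits next to an Origin: that points at an upstream commit; if the fix is taken from that commit the Forwarded field is misleading and could be dropped, with the origin marked as "Origin: upstream, <url>".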

