Your message dated Wed, 10 Dec 2014 20:27:13 +0000
with message-id <[email protected]>
and subject line Re: Bug#772755: unblock: graphviz/2.38.0-7
has caused the Debian Bug report #772755,
regarding unblock: graphviz/2.38.0-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
772755: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772755
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi Release Team!

Please unblock package graphviz

The upload to unstable fixes a format string vulnerability in the
yyerror function; it is assigned CVE-2014-9157, #772648:

https://security-tracker.debian.org/tracker/CVE-2014-9157

The debian/changelog reads as:

>graphviz (2.38.0-7) unstable; urgency=high
>
>  * QA upload.
>  * Add CVE-2014-9157.patch.
>    Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
>    which may allow attackers to cause a denial of service or possibly
>    execute code.
>    Thanks to Marc Deslauriers <[email protected]> (Closes: #772648)
>
> -- Salvatore Bonaccorso <[email protected]>  Wed, 10 Dec 2014 07:21:52 +0100

I'm attaching the full debdiff. Could you please unblock graphviz for
migration to jessie?

unblock graphviz/2.38.0-7

Regards,
Salvatore
diff -Nru graphviz-2.38.0/debian/changelog graphviz-2.38.0/debian/changelog
--- graphviz-2.38.0/debian/changelog	2014-09-01 23:43:19.000000000 +0200
+++ graphviz-2.38.0/debian/changelog	2014-12-10 16:25:41.000000000 +0100
@@ -1,3 +1,14 @@
+graphviz (2.38.0-7) unstable; urgency=high
+
+  * QA upload.
+  * Add CVE-2014-9157.patch.
+    Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+    which may allow attackers to cause a denial of service or possibly
+    execute code.
+    Thanks to Marc Deslauriers <[email protected]> (Closes: #772648)
+
+ -- Salvatore Bonaccorso <[email protected]>  Wed, 10 Dec 2014 07:21:52 +0100
+
 graphviz (2.38.0-6) unstable; urgency=medium
 
   * QA upload.
diff -Nru graphviz-2.38.0/debian/patches/CVE-2014-9157.patch graphviz-2.38.0/debian/patches/CVE-2014-9157.patch
--- graphviz-2.38.0/debian/patches/CVE-2014-9157.patch	1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.38.0/debian/patches/CVE-2014-9157.patch	2014-12-10 16:25:41.000000000 +0100
@@ -0,0 +1,22 @@
+Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+Bug-Debian: https://bugs.debian.org/772648
+Forwarded: no
+Author: Emden R. Gansner
+Last-Update: 2014-12-10
+
+---
+ lib/cgraph/scan.l |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -225,7 +225,7 @@ void yyerror(char *str)
+ 	agxbput (&xb, buf);
+ 	agxbput (&xb, yytext);
+ 	agxbput (&xb,"'\n");
+-	agerr(AGERR,agxbuse(&xb));
++	agerr(AGERR, "%s", agxbuse(&xb));
+ 	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
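Review bot: the DEP-3 header at the top of this hunk says `Forwarded: no` although `Origin:` points at the upstream commit the change is taken from; `Forwarded: not-needed` is the conventional value for a backported upstream fix and avoids prompting someone to forward a change upstream already has. The one-line code change is correct: `agerr(AGERR, "%s", agxbuse(&xb));` turns the assembled message, which carries `yytext` from the parsed input, into an argument instead of the format string. While touching this, it is worth building the package with `-Wformat -Wformat-security`, which reports non-literal formats passed to functions that carry a printf format attribute and would surface any similar call site.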
diff -Nru graphviz-2.38.0/debian/patches/series graphviz-2.38.0/debian/patches/series
--- graphviz-2.38.0/debian/patches/series	2014-09-01 23:13:51.000000000 +0200
+++ graphviz-2.38.0/debian/patches/series	2014-12-10 16:25:41.000000000 +0100
@@ -11,3 +11,4 @@
 reduce-lab-color.patch
 add-libm-to-dot-link.patch
 versioned-plugin-config-file.diff
+CVE-2014-9157.patch

--- End Message ---
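The yyerror() pattern the unblock request describes, as an added C example that is not graphviz code: report() is a hypothetical stand-in for agerr(), build_message() mimics how scan.l assembles the message from yytext, yyerror_fixed() applies the same "%s" fix the patch does, and count_directives() is an audit helper for spotting text that must never reach a printf-style sink as its format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for agerr(): a printf-style sink that keeps
 * the rendered text so a caller can inspect it. */
static char last_report[256];

static int report(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_report, sizeof last_report, fmt, ap);
    va_end(ap);
    return n;
}

/* Build the message the way scan.l does: fixed text plus yytext, the
 * token text, which comes straight from the graph file being parsed. */
static void build_message(char *out, size_t outsz, int line, const char *yytext)
{
    snprintf(out, outsz, "syntax error in line %d near '%s'\n", line, yytext);
}

/* After the patch: the message is an argument to a literal "%s"
 * format, so everything in yytext is printed verbatim. Before the
 * patch the message itself was the format string. */
static const char *yyerror_fixed(int line, const char *yytext)
{
    char msg[256];
    build_message(msg, sizeof msg, line, yytext);
    report("%s", msg);
    return last_report;
}

/* Audit helper: number of conversions a printf-style sink would act on
 * if handed msg as its format. Non-zero for text built from untrusted
 * input is exactly the CVE-2014-9157 condition. */
static int count_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; } /* "%%" is a literal percent */
        n++;
    }
    return n;
}
```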
--- Begin Message ---
On Wed, 2014-12-10 at 20:52 +0100, Salvatore Bonaccorso wrote:
> Please unblock package graphviz
> 
> The upload to unstable fixes a format string vulnerability in the
> yyerror function, it is assigned CVE-2014-9157, #772648:

Unblocked, thanks.

Regards,

Adam

--- End Message ---