diff --git a/graphviz-2.34.0-yyerror-overflow-fix.patch b/graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch similarity index 65% rename from graphviz-2.34.0-yyerror-overflow-fix.patch rename to graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch index f8bb983..a948084 100644 --- a/graphviz-2.34.0-yyerror-overflow-fix.patch +++ b/graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch @@ -1,15 +1,4 @@ -From 7aaddf52cd98589fb0c3ab72a393f8411838438a Mon Sep 17 00:00:00 2001 -From: "Emden R. Gansner" -Date: Fri, 4 Oct 2013 09:06:39 -0400 -Subject: [PATCH] Fix buffer overflow problem when reporting a syntax error - with a very long input line - ---- - lib/cgraph/scan.l | 21 +++++++++++++++------ - 1 file changed, 15 insertions(+), 6 deletions(-) - diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l -index 3cfde0f..2efd203 100644 --- a/lib/cgraph/scan.l +++ b/lib/cgraph/scan.l @@ -16,6 +16,7 @@ @@ -20,7 +9,7 @@ index 3cfde0f..2efd203 100644 #include #define GRAPH_EOF_TOKEN '@' /* lex class must be defined below */ /* this is a workaround for linux flex */ -@@ -191,13 +192,21 @@ ID ({NAME}|{NUMBER}) +@@ -191,13 +192,22 @@ ID ({NAME}|{NUMBER}) %% void yyerror(char *str) { @@ -39,7 +28,8 @@ index 3cfde0f..2efd203 100644 + agxbput (&xb, InputFile); + agxbput (&xb, ": "); + } -+ sprintf(buf," %s in line %d near '", str,line_num); ++ agxbput (&xb, str); ++ sprintf(buf," in line %d near '", line_num); + agxbput (&xb, buf); + agxbput (&xb, yytext); + agxbput (&xb,"'\n"); @@ -48,6 +38,3 @@ index 3cfde0f..2efd203 100644 } /* must be here to see flex's macro defns */ void aglexeof() { unput(GRAPH_EOF_TOKEN); } --- -1.8.5.1 - diff --git a/graphviz-2.34.0-CVE-2014-1236.patch b/graphviz-2.34.0-CVE-2014-1236.patch new file mode 100644 index 0000000..ad58569 --- /dev/null +++ b/graphviz-2.34.0-CVE-2014-1236.patch @@ -0,0 +1,58 @@ +From 1d1bdec6318746f6f19f245db589eddc887ae8ff Mon Sep 17 00:00:00 2001 +From: "Emden R. Gansner" +Date: Wed, 8 Jan 2014 11:31:04 -0500 +Subject: [PATCH] Fix possible buffer overflow problem in chkNum of scanner. + +--- + lib/cgraph/scan.l | 35 ++++++++++++++++++++++++++--------- + 1 file changed, 26 insertions(+), 9 deletions(-) + +diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l +index 212967c..d065b61 100644 +--- a/lib/cgraph/scan.l ++++ b/lib/cgraph/scan.l +@@ -129,15 +129,32 @@ static void ppDirective (void) + * and report this to the user. + */ + static int chkNum(void) { +- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */ +- if (!isdigit(c) && (c != '.')) { /* c is letter */ +- char buf[BUFSIZ]; +- sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile); +- strcat (buf, "splits into two name tokens\n"); +- agerr(AGWARN,buf); +- return 1; +- } +- else return 0; ++ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */ ++ if (!isdigit(c) && (c != '.')) { /* c is letter */ ++ unsigned char xbuf[BUFSIZ]; ++ char buf[BUFSIZ]; ++ agxbuf xb; ++ char* fname; ++ ++ if (InputFile) ++ fname = InputFile; ++ else ++ fname = "input"; ++ ++ agxbinit(&xb, BUFSIZ, xbuf); ++ ++ agxbput(&xb,"syntax ambiguity - badly delimited number '"); ++ agxbput(&xb,yytext); ++ sprintf(buf,"' in line %d of ", line_num); ++ agxbput(&xb,buf); ++ agxbput(&xb,fname); ++ agxbput(&xb, " splits into two tokens\n"); ++ agerr(AGWARN,agxbuse(&xb)); ++ ++ agxbfree(&xb); ++ return 1; ++ } ++ else return 0; + } + + /* The LETTER class below consists of ascii letters, underscore, all non-ascii +-- +1.8.5.1 + diff --git a/graphviz.spec b/graphviz.spec index 4cb1e83..bb9b6f6 100644 --- a/graphviz.spec +++ b/graphviz.spec @@ -52,7 +52,7 @@ Name: graphviz Summary: Graph Visualization Tools Version: 2.34.0 -Release: 7%{?dist} +Release: 8%{?dist} Group: Applications/Multimedia License: EPL URL: http://www.graphviz.org/ @@ -63,8 +63,10 @@ Patch1: graphviz-2.32.0-testsuite-sigsegv-fix.patch Patch2: graphviz-2.32.0-rtest-errout-fix.patch # Upstream bug 0002387 Patch3: graphviz-2.34.0-lefty-getaddrinfo.patch -# Fix yyerror overflow (#1049167) -Patch4: graphviz-2.34.0-yyerror-overflow-fix.patch +# Fix yyerror overflow (CVE-2014-0978, CVE-2014-1235) +Patch4: graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch +# Fix chknum overflow (CVE-2014-1236) +Patch5: graphviz-2.34.0-CVE-2014-1236.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2 BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig @@ -270,7 +272,8 @@ Various tcl packages (extensions) for the graphviz tools. %patch1 -p1 -b .testsuite-sigsegv-fix %patch2 -p1 -b .rtest-errout-fix %patch3 -p1 -b .lefty-getaddrinfo -%patch4 -p1 -b .overflow-yyerror-fix +%patch4 -p1 -b .CVE-2014-0978-CVE-2014-1235 +%patch5 -p1 -b .CVE-2014-1236 # Attempt to fix rpmlint warnings about executable sources find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';' @@ -559,9 +562,15 @@ rm -rf %{buildroot} %changelog +* Thu Jan 9 2014 Jaroslav Škarvada - 2.34.0-8 +- Prevent possible buffer overflow in yyerror() + Resolves: CVE-2014-1235 +- Fix possible buffer overflow problem in chkNum of scanner + Resolves: CVE-2014-1236 + * Tue Jan 7 2014 Jaroslav Škarvada - 2.34.0-7 - Fixed overflow in yyerror - Resolves: rhbz#1049167 + Resolves: CVE-2014-0978 * Sat Dec 28 2013 Peter Robinson 2.34.0-6 - Disable R bindings on aarch64 for the moment