Prevent possible buffer overflow in yyerror()

Resolves: CVE-2014-1235 - Fix possible buffer overflow problem in chkNum of scanner Resolves: CVE-2014-1236
2014-01-10 10:28:08 +01:00 · 2014-01-10 10:28:08 +01:00 · 8a174ca0bb
commit 8a174ca0bb
parent a2040cdc1f
3 changed files with 75 additions and 21 deletions
--- a/graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch
+++ b/graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch
@ -1,15 +1,4 @@
 From 7aaddf52cd98589fb0c3ab72a393f8411838438a Mon Sep 17 00:00:00 2001
 From: "Emden R. Gansner" <erg@alum.mit.edu>
 Date: Fri, 4 Oct 2013 09:06:39 -0400
 Subject: [PATCH] Fix buffer overflow problem when reporting a syntax error
 with a very long input line
 ---
 lib/cgraph/scan.l | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
 diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
 index 3cfde0f..2efd203 100644
 --- a/lib/cgraph/scan.l
 +++ b/lib/cgraph/scan.l
@@ -16,6 +16,7 @@
@ -20,7 +9,7 @@ index 3cfde0f..2efd203 100644
 #include <ctype.h>
 #define GRAPH_EOF_TOKEN		'@'		/* lex class must be defined below */
 	/* this is a workaround for linux flex */
-@@ -191,13 +192,21 @@ ID		({NAME}|{NUMBER})
+@@ -191,13 +192,22 @@ ID		({NAME}|{NUMBER})
 %%
 void yyerror(char *str)
 {
@ -39,7 +28,8 @@ index 3cfde0f..2efd203 100644
 +		agxbput (&xb, InputFile);
 +		agxbput (&xb, ": ");
 +	}
-+	sprintf(buf," %s in line %d near '", str,line_num);
+	agxbput (&xb, str);
 +	sprintf(buf," in line %d near '", line_num);
 +	agxbput (&xb, buf);
 +	agxbput (&xb, yytext);
 +	agxbput (&xb,"'\n");
@ -48,6 +38,3 @@ index 3cfde0f..2efd203 100644
 }
 /* must be here to see flex's macro defns */
 void aglexeof() { unput(GRAPH_EOF_TOKEN); }
 -- 
 1.8.5.1
--- a/graphviz-2.34.0-CVE-2014-1236.patch
+++ b/graphviz-2.34.0-CVE-2014-1236.patch
@ -0,0 +1,58 @@
 From 1d1bdec6318746f6f19f245db589eddc887ae8ff Mon Sep 17 00:00:00 2001
 From: "Emden R. Gansner" <erg@alum.mit.edu>
 Date: Wed, 8 Jan 2014 11:31:04 -0500
 Subject: [PATCH] Fix possible buffer overflow problem in chkNum of scanner.
 ---
 lib/cgraph/scan.l | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)
 diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
 index 212967c..d065b61 100644
 --- a/lib/cgraph/scan.l
 +++ b/lib/cgraph/scan.l
@@ -129,15 +129,32 @@ static void ppDirective (void)
  * and report this to the user.
  */
 static int chkNum(void) {
 -  unsigned char	c = (unsigned char)yytext[yyleng-1];   /* last character */
 -  if (!isdigit(c) && (c != '.')) {  /* c is letter */
 -	char	buf[BUFSIZ];
 -	sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
 -    strcat (buf, "splits into two name tokens\n");
 -	agerr(AGWARN,buf);
 -    return 1;
 -  }
 -  else return 0;
 +    unsigned char c = (unsigned char)yytext[yyleng-1];   /* last character */
 +    if (!isdigit(c) && (c != '.')) {  /* c is letter */
 +	unsigned char xbuf[BUFSIZ];
 +	char buf[BUFSIZ];
 +	agxbuf  xb;
 +	char* fname;
 +
 +	if (InputFile)
 +	    fname = InputFile;
 +	else
 +	    fname = "input";
 +
 +	agxbinit(&xb, BUFSIZ, xbuf);
 +
 +	agxbput(&xb,"syntax ambiguity - badly delimited number '");
 +	agxbput(&xb,yytext);
 +	sprintf(buf,"' in line %d of ", line_num);
 +	agxbput(&xb,buf);
 +	agxbput(&xb,fname);
 +	agxbput(&xb, " splits into two tokens\n");
 +	agerr(AGWARN,agxbuse(&xb));
 +
 +	agxbfree(&xb);
 +	return 1;
 +    }
 +    else return 0;
 }
 /* The LETTER class below consists of ascii letters, underscore, all non-ascii
 -- 
 1.8.5.1
--- a/graphviz.spec
+++ b/graphviz.spec
@ -52,7 +52,7 @@
 Name:			graphviz
 Summary:		Graph Visualization Tools
 Version:		2.34.0
-Release:		7%{?dist}
+Release:		8%{?dist}
 Group:			Applications/Multimedia
 License:		EPL
 URL:			http://www.graphviz.org/
@ -63,8 +63,10 @@ Patch1:			graphviz-2.32.0-testsuite-sigsegv-fix.patch
 Patch2:			graphviz-2.32.0-rtest-errout-fix.patch
 # Upstream bug 0002387
 Patch3:			graphviz-2.34.0-lefty-getaddrinfo.patch
-# Fix yyerror overflow (#1049167)
+# Fix yyerror overflow (CVE-2014-0978, CVE-2014-1235)
-Patch4:			graphviz-2.34.0-yyerror-overflow-fix.patch
+Patch4:			graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch
 # Fix chknum overflow (CVE-2014-1236)
 Patch5:			graphviz-2.34.0-CVE-2014-1236.patch
 BuildRoot:		%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:		zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
 BuildRequires:		ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
@ -270,7 +272,8 @@ Various tcl packages (extensions) for the graphviz tools.
 %patch1 -p1 -b .testsuite-sigsegv-fix
 %patch2 -p1 -b .rtest-errout-fix
 %patch3 -p1 -b .lefty-getaddrinfo
-%patch4 -p1 -b .overflow-yyerror-fix
+%patch4 -p1 -b .CVE-2014-0978-CVE-2014-1235
 %patch5 -p1 -b .CVE-2014-1236
 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@ -559,9 +562,15 @@ rm -rf %{buildroot}
 %changelog
 * Thu Jan  9 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-8
 - Prevent possible buffer overflow in yyerror()
  Resolves: CVE-2014-1235
 - Fix possible buffer overflow problem in chkNum of scanner
  Resolves: CVE-2014-1236
 * Tue Jan  7 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-7
 - Fixed overflow in yyerror
-  Resolves: rhbz#1049167
+  Resolves: CVE-2014-0978
 * Sat Dec 28 2013 Peter Robinson <pbrobinson@fedoraproject.org> 2.34.0-6
 - Disable R bindings on aarch64 for the moment