Fixed null pointer dereference in function agroot()

Resolves: CVE-2019-11023
2019-04-24 13:17:03 +02:00 · 2019-04-24 13:17:03 +02:00 · cccd8d37a2
commit cccd8d37a2
parent 1b199dfecd
2 changed files with 72 additions and 1 deletions
--- a/graphviz-2.40.1-CVE-2019-11023.patch
+++ b/graphviz-2.40.1-CVE-2019-11023.patch
@ -0,0 +1,65 @@
+--- a/cmd/tools/graphml2gv.c
+++ b/cmd/tools/graphml2gv.c
+@@ -477,8 +468,10 @@
+ 	if (pos > 0) {
+ 	    const char *attrname;
+ 	    attrname = atts[pos];
+-
+-	    bind_node(attrname);
+            if (G == 0)
+                fprintf(stderr,"node %s outside graph, ignored\n",attrname);
+	    else
+                bind_node(attrname);
+ 
+ 	    pushString(&ud->elements, attrname);
+ 	}
+@@ -504,21 +497,25 @@
+ 	if (tname)
+ 	    head = tname;
+ 
+-	bind_edge(tail, head);
+-
+-	t = AGTAIL(E);
+-	tname = agnameof(t);
+-
+-	if (strcmp(tname, tail) == 0) {
+-	    ud->edgeinverted = FALSE;
+-	} else if (strcmp(tname, head) == 0) {
+-	    ud->edgeinverted = TRUE;
+-	}
+-
+-	pos = get_xml_attr("id", atts);
+-	if (pos > 0) {
+-	    setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
+-	}
+        if (G == 0)
+            fprintf(stderr,"edge source %s target %s outside graph, ignored\n",(char*)tail,(char*)head);
+        else {
+            bind_edge(tail, head);
+
+            t = AGTAIL(E);
+	    tname = agnameof(t);
+
+	    if (strcmp(tname, tail) == 0) {
+	        ud->edgeinverted = FALSE;
+	    } else if (strcmp(tname, head) == 0) {
+	        ud->edgeinverted = TRUE;
+	    }
+
+	    pos = get_xml_attr("id", atts);
+	    if (pos > 0) {
+	        setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
+	    }
+        }
+     } else {
+ 	/* must be some extension */
+ 	fprintf(stderr,
+@@ -545,7 +536,7 @@
+ 	char *ele_name = topString(ud->elements);
+ 	if (ud->closedElementType == TAG_GRAPH) {
+ 	    Agnode_t *node = agnode(root, ele_name, 0);
+-	    agdelete(root, node);
+	    if (node) agdelete(root, node);
+ 	}
+ 	popString(&ud->elements);
+ 	Current_class = TAG_GRAPH;
--- a/graphviz.spec
+++ b/graphviz.spec
@ -61,7 +61,7 @@
 Name:			graphviz
 Summary:		Graph Visualization Tools
 Version:		2.40.1
-Release:		44%{?dist}
+Release:		45%{?dist}
 License:		EPL-1.0
 URL:			http://www.graphviz.org/
 # A bit hacking needed due to: https://gitlab.com/graphviz/graphviz/issues/1371
@ -73,6 +73,7 @@ Patch2:			graphviz-2.40.1-CVE-2018-10196.patch
 # rhbz#1505230
 Patch3:			graphviz-2.40.1-dotty-menu-fix.patch
 Patch4:			graphviz-2.40.1-coverity-scan-fixes.patch
+Patch5:			graphviz-2.40.1-CVE-2019-11023.patch
 BuildRequires:		zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
 BuildRequires:		ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig, sed
 BuildRequires:		fontconfig-devel, libtool-ltdl-devel, ruby-devel, ruby, guile-devel
@ -289,6 +290,7 @@ Various tcl packages (extensions) for the graphviz tools.
 %patch2 -p1 -b .CVE-2018-10196
 %patch3 -p1 -b .dotty-menu-fix
 %patch4 -p1 -b .coverity-scan-fixes
+%patch5 -p1 -b .CVE-2019-11023

 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@ -607,6 +609,10 @@ php --no-php-ini \
 %{_mandir}/man3/*.3tcl*

 %changelog
+* Wed Apr 24 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 2.40.1-45
+- Fixed null pointer dereference in function agroot()
+  Resolves: CVE-2019-11023
+
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.40.1-44
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild