[graphviz/f19] Prevent possible buffer overflow in yyerror()
Jaroslav Škarvada
jskarvad at fedoraproject.org
Fri Jan 10 09:46:52 UTC 2014
commit da9ec353133712ae0c5a9a0adabd30129b0d4b0c
Author: Jaroslav Škarvada <jskarvad at redhat.com>
Date: Fri Jan 10 10:46:58 2014 +0100
Prevent possible buffer overflow in yyerror()
Resolves: CVE-2014-1235
- Fix possible buffer overflow problem in chkNum of scanner
Resolves: CVE-2014-1236
...aphviz-2.30.1-CVE-2014-0978-CVE-2014-1235.patch | 7 ++-
graphviz-2.30.1-CVE-2014-1236.patch | 58 ++++++++++++++++++++
graphviz.spec | 19 +++++--
3 files changed, 76 insertions(+), 8 deletions(-)
---
diff --git a/graphviz-2.30.1-yyerror-overflow-fix.patch b/graphviz-2.30.1-CVE-2014-0978-CVE-2014-1235.patch
similarity index 86%
rename from graphviz-2.30.1-yyerror-overflow-fix.patch
rename to graphviz-2.30.1-CVE-2014-0978-CVE-2014-1235.patch
index bc1d665..c5105a7 100644
--- a/graphviz-2.30.1-yyerror-overflow-fix.patch
+++ b/graphviz-2.30.1-CVE-2014-0978-CVE-2014-1235.patch
@@ -1,5 +1,5 @@
diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
-index e2215d1..f41049d 100644
+index e2215d1..67eca47 100644
--- a/lib/cgraph/scan.l
+++ b/lib/cgraph/scan.l
@@ -16,6 +16,7 @@
@@ -10,7 +10,7 @@ index e2215d1..f41049d 100644
#include <ctype.h>
#define GRAPH_EOF_TOKEN '@' /* lex class must be defined below */
/* this is a workaround for linux flex */
-@@ -192,13 +193,21 @@ ID ({NAME}|{NUMBER})
+@@ -192,13 +193,22 @@ ID ({NAME}|{NUMBER})
%%
void yyerror(char *str)
{
@@ -29,7 +29,8 @@ index e2215d1..f41049d 100644
+ agxbput (&xb, InputFile);
+ agxbput (&xb, ": ");
+ }
-+ sprintf(buf," %s in line %d near '", str,line_num);
++ agxbput (&xb, str);
++ sprintf(buf," in line %d near '", line_num);
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
diff --git a/graphviz-2.30.1-CVE-2014-1236.patch b/graphviz-2.30.1-CVE-2014-1236.patch
new file mode 100644
index 0000000..ad58569
--- /dev/null
+++ b/graphviz-2.30.1-CVE-2014-1236.patch
@@ -0,0 +1,58 @@
+From 1d1bdec6318746f6f19f245db589eddc887ae8ff Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <erg at alum.mit.edu>
+Date: Wed, 8 Jan 2014 11:31:04 -0500
+Subject: [PATCH] Fix possible buffer overflow problem in chkNum of scanner.
+
+---
+ lib/cgraph/scan.l | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 212967c..d065b61 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -129,15 +129,32 @@ static void ppDirective (void)
+ * and report this to the user.
+ */
+ static int chkNum(void) {
+- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
+- if (!isdigit(c) && (c != '.')) { /* c is letter */
+- char buf[BUFSIZ];
+- sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
+- strcat (buf, "splits into two name tokens\n");
+- agerr(AGWARN,buf);
+- return 1;
+- }
+- else return 0;
++ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
++ if (!isdigit(c) && (c != '.')) { /* c is letter */
++ unsigned char xbuf[BUFSIZ];
++ char buf[BUFSIZ];
++ agxbuf xb;
++ char* fname;
++
++ if (InputFile)
++ fname = InputFile;
++ else
++ fname = "input";
++
++ agxbinit(&xb, BUFSIZ, xbuf);
++
++ agxbput(&xb,"syntax ambiguity - badly delimited number '");
++ agxbput(&xb,yytext);
++ sprintf(buf,"' in line %d of ", line_num);
++ agxbput(&xb,buf);
++ agxbput(&xb,fname);
++ agxbput(&xb, " splits into two tokens\n");
++ agerr(AGWARN,agxbuse(&xb));
++
++ agxbfree(&xb);
++ return 1;
++ }
++ else return 0;
+ }
+
+ /* The LETTER class below consists of ascii letters, underscore, all non-ascii
+--
+1.8.5.1
+
diff --git a/graphviz.spec b/graphviz.spec
index 3215e0b..548027f 100644
--- a/graphviz.spec
+++ b/graphviz.spec
@@ -51,7 +51,7 @@
Name: graphviz
Summary: Graph Visualization Tools
Version: 2.30.1
-Release: 11%{?dist}
+Release: 12%{?dist}
Group: Applications/Multimedia
License: EPL
URL: http://www.graphviz.org/
@@ -75,8 +75,10 @@ Patch9: graphviz-2.30.1-lefty-help.patch
Patch10: graphviz-2.30.1-prune-help.patch
# Sent upstream, ticket #2307
Patch11: graphviz-2.30.1-man-fix.patch
-# Fix yyerror overflow (#1049167)
-Patch12: graphviz-2.30.1-yyerror-overflow-fix.patch
+# Fix yyerror overflow (CVE-2014-0978, CVE-2014-1235)
+Patch12: graphviz-2.30.1-CVE-2014-0978-CVE-2014-1235.patch
+# Fix chknum overflow (CVE-2014-1236)
+Patch13: graphviz-2.30.1-CVE-2014-1236.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
@@ -284,7 +286,8 @@ Various tcl packages (extensions) for the graphviz tools.
%patch9 -p1 -b .lefty-help
%patch10 -p1 -b .prune-help
%patch11 -p1 -b .man-fix
-%patch12 -p1 -b .yyerror-overflow-fix
+%patch12 -p1 -b .CVE-2014-0978-CVE-2014-1235
+%patch13 -p1 -b .CVE-2014-1236
# Attempt to fix rpmlint warnings about executable sources
find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@@ -561,9 +564,15 @@ rm -rf %{buildroot}
%changelog
+* Fri Jan 10 2014 Jaroslav Škarvada <jskarvad at redhat.com> - 2.30.1-12
+- Prevent possible buffer overflow in yyerror()
+ Resolves: CVE-2014-1235
+- Fix possible buffer overflow problem in chkNum of scanner
+ Resolves: CVE-2014-1236
+
* Tue Jan 7 2014 Jaroslav Škarvada <jskarvad at redhat.com> - 2.30.1-11
- Fixed overflow in yyerror
- Resolves: rhbz#1049167
+ Resolves: CVE-2014-0978
* Fri Jul 12 2013 Jaroslav Škarvada <jskarvad at redhat.com> - 2.30.1-10
- Various man and built-in help fixes
More information about the scm-commits
mailing list