[graphviz/el5] Prevent possible buffer overflow in yyerror()
Jaroslav Škarvada
jskarvad at fedoraproject.org
Fri Jan 10 10:38:36 UTC 2014
commit 99ce361b11a31ec05365acfbfacb611148fb201e
Author: Jaroslav Škarvada <jskarvad at redhat.com>
Date: Fri Jan 10 11:38:42 2014 +0100
Prevent possible buffer overflow in yyerror()
Resolves: CVE-2014-1235
- Fix possible buffer overflow problem in chkNum of scanner
Resolves: CVE-2014-1236
...graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch | 5 +-
graphviz-2.12-CVE-2014-1236.patch | 40 ++++++++++++++++++++
graphviz.spec | 18 +++++++--
3 files changed, 57 insertions(+), 6 deletions(-)
---
diff --git a/graphviz-2.12-yyerror-overflow-fix.patch b/graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
similarity index 94%
rename from graphviz-2.12-yyerror-overflow-fix.patch
rename to graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
index 0c27132..63f6bd7 100644
--- a/graphviz-2.12-yyerror-overflow-fix.patch
+++ b/graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
@@ -33,7 +33,7 @@ index b3c4875..a46cd92 100644
#ifdef WIN32
#include <io.h>
#endif
-@@ -153,13 +154,21 @@ ID ({NAME}|{NUMBER})
+@@ -153,13 +154,22 @@ ID ({NAME}|{NUMBER})
%%
void yyerror(char *str)
{
@@ -52,7 +52,8 @@ index b3c4875..a46cd92 100644
+ agxbput (&xb, InputFile);
+ agxbput (&xb, ": ");
+ }
-+ sprintf(buf," %s in line %d near '", str,line_num);
++ agxbput (&xb, str);
++ sprintf(buf," in line %d near '", line_num);
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
diff --git a/graphviz-2.12-CVE-2014-1236.patch b/graphviz-2.12-CVE-2014-1236.patch
new file mode 100644
index 0000000..a49490b
--- /dev/null
+++ b/graphviz-2.12-CVE-2014-1236.patch
@@ -0,0 +1,40 @@
+diff --git a/lib/agraph/scan.l b/lib/agraph/scan.l
+index 4eabcdc..02eaaab 100644
+--- a/lib/agraph/scan.l
++++ b/lib/agraph/scan.l
+@@ -93,15 +93,26 @@ static void endstr_html(void) {
+ * and report this to the user.
+ */
+ static int chkNum(void) {
+- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
+- if (!isdigit(c) && (c != '.')) { /* c is letter */
+- char buf[BUFSIZ];
+- sprintf(buf,"badly formed number '%s' in line %d\n",yytext,line_num);
+- strcat (buf, "Splits into two name tokens");
+- agerror(AGERROR_SYNTAX,buf);
+- return 1;
+- }
+- else return 0;
++ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
++ if (!isdigit(c) && (c != '.')) { /* c is letter */
++ unsigned char xbuf[BUFSIZ];
++ char buf[BUFSIZ];
++ agxbuf xb;
++ char* fname;
++
++ agxbinit(&xb, BUFSIZ, xbuf);
++
++ agxbput(&xb,"syntax ambiguity - badly delimited number '");
++ agxbput(&xb,yytext);
++ sprintf(buf,"' in line %d", line_num);
++ agxbput(&xb,buf);
++ agxbput(&xb, " splits into two tokens\n");
++ agerror(AGERROR_SYNTAX,agxbuse(&xb));
++
++ agxbfree(&xb);
++ return 1;
++ }
++ else return 0;
+ }
+
+ /* The LETTER class below consists of ascii letters, underscore, all non-ascii
diff --git a/graphviz.spec b/graphviz.spec
index 7644e24..56ef91a 100644
--- a/graphviz.spec
+++ b/graphviz.spec
@@ -7,14 +7,17 @@
#-- graphviz src.rpm --------------------------------------------------------
Name: graphviz
Version: 2.12
-Release: 9%{?dist}
+Release: 10%{?dist}
License: CPL
URL: http://www.graphviz.org/
Source: http://www.graphviz.org/pub/graphviz/ARCHIVE/graphviz-2.12.tar.gz
Patch0: %{name}-php5.patch
Patch1: %{name}-libcdt.patch
-Patch2: graphviz-2.12-yyerror-overflow-fix.patch
+# Fix yyerror overflow (CVE-2014-0978, CVE-2014-1235)
+Patch2: graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
+# Fix chknum overflow (CVE-2014-1236)
+Patch3: graphviz-2.12-CVE-2014-1236.patch
# graphviz is relocatable
#Prefix: /usr
@@ -409,7 +412,8 @@ Provides some additional PDF and HTML documentation for graphviz.
%setup -q
%patch0 -p1
%patch1 -p1
-%patch2 -p1
+%patch2 -p1 -b .CVE-2014-0978-CVE-2014-1235
+%patch3 -p1 -b .CVE-2014-1236
%build
# XXX ix86 only used to have -ffast-math, let's use everywhere
@@ -446,9 +450,15 @@ rm -rf $RPM_BUILD_ROOT
#-- changelog --------------------------------------------------
%changelog
+* Fri Jan 10 2014 Jaroslav Škarvada <jskarvad at redhat.com> - 2.12-10
+- Prevent possible buffer overflow in yyerror()
+ Resolves: CVE-2014-1235
+- Fix possible buffer overflow problem in chkNum of scanner
+ Resolves: CVE-2014-1236
+
* Tue Jan 7 2014 Jaroslav Škarvada <jskarvad at redhat.com> - 2.12-9
- Fixed overflow in yyerror
- Resolves: rhbz#1049168
+ Resolves: CVE-2014-0978
- Fixed malformed php5 patch due to distgit conversion
* Thu May 24 2007 Patrick "Jima" Laughton <jima at beer.tclug.org> 2.12-8
More information about the scm-commits
mailing list