[graphviz/el5] Prevent possible buffer overflow in yyerror()

Jaroslav Škarvada jskarvad at fedoraproject.org
Fri Jan 10 10:38:36 UTC 2014 

commit 99ce361b11a31ec05365acfbfacb611148fb201e
Author: Jaroslav Škarvada <jskarvad at redhat.com>
Date:   Fri Jan 10 11:38:42 2014 +0100

    Prevent possible buffer overflow in yyerror()
    
      Resolves: CVE-2014-1235
    - Fix possible buffer overflow problem in chkNum of scanner
      Resolves: CVE-2014-1236

 ...graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch |    5 +-
 graphviz-2.12-CVE-2014-1236.patch                  |   40 ++++++++++++++++++++
 graphviz.spec                                      |   18 +++++++--
 3 files changed, 57 insertions(+), 6 deletions(-)
---
diff --git a/graphviz-2.12-yyerror-overflow-fix.patch b/graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
similarity index 94%
rename from graphviz-2.12-yyerror-overflow-fix.patch
rename to graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
index 0c27132..63f6bd7 100644
--- a/graphviz-2.12-yyerror-overflow-fix.patch
+++ b/graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
@@ -33,7 +33,7 @@ index b3c4875..a46cd92 100644
  #ifdef WIN32
  #include <io.h>
  #endif
-@@ -153,13 +154,21 @@ ID		({NAME}|{NUMBER})
+@@ -153,13 +154,22 @@ ID		({NAME}|{NUMBER})
  %%
  void yyerror(char *str)
  {
@@ -52,7 +52,8 @@ index b3c4875..a46cd92 100644
 +		agxbput (&xb, InputFile);
 +		agxbput (&xb, ": ");
 +	}
-+	sprintf(buf," %s in line %d near '", str,line_num);
++	agxbput (&xb, str);
++	sprintf(buf," in line %d near '", line_num);
 +	agxbput (&xb, buf);
 +	agxbput (&xb, yytext);
 +	agxbput (&xb,"'\n");
diff --git a/graphviz-2.12-CVE-2014-1236.patch b/graphviz-2.12-CVE-2014-1236.patch
new file mode 100644
index 0000000..a49490b
--- /dev/null
+++ b/graphviz-2.12-CVE-2014-1236.patch
@@ -0,0 +1,40 @@
+diff --git a/lib/agraph/scan.l b/lib/agraph/scan.l
+index 4eabcdc..02eaaab 100644
+--- a/lib/agraph/scan.l
++++ b/lib/agraph/scan.l
+@@ -93,15 +93,26 @@ static void endstr_html(void) {
+  * and report this to the user.
+  */
+ static int chkNum(void) {
+-  unsigned char	c = (unsigned char)yytext[yyleng-1];   /* last character */
+-  if (!isdigit(c) && (c != '.')) {  /* c is letter */
+-	char	buf[BUFSIZ];
+-	sprintf(buf,"badly formed number '%s' in line %d\n",yytext,line_num);
+-    strcat (buf, "Splits into two name tokens");
+-	agerror(AGERROR_SYNTAX,buf);
+-    return 1;
+-  }
+-  else return 0;
++    unsigned char c = (unsigned char)yytext[yyleng-1];   /* last character */
++    if (!isdigit(c) && (c != '.')) {  /* c is letter */
++	unsigned char xbuf[BUFSIZ];
++	char buf[BUFSIZ];
++	agxbuf  xb;
++	char* fname;
++
++	agxbinit(&xb, BUFSIZ, xbuf);
++
++	agxbput(&xb,"syntax ambiguity - badly delimited number '");
++	agxbput(&xb,yytext);
++	sprintf(buf,"' in line %d", line_num);
++	agxbput(&xb,buf);
++	agxbput(&xb, " splits into two tokens\n");
++	agerror(AGERROR_SYNTAX,agxbuse(&xb));
++
++	agxbfree(&xb);
++	return 1;
++    }
++    else return 0;
+ }
+ 
+ /* The LETTER class below consists of ascii letters, underscore, all non-ascii
diff --git a/graphviz.spec b/graphviz.spec
index 7644e24..56ef91a 100644
--- a/graphviz.spec
+++ b/graphviz.spec
@@ -7,14 +7,17 @@
 #-- graphviz src.rpm --------------------------------------------------------
 Name:		graphviz
 Version:	2.12
-Release:	9%{?dist}
+Release:	10%{?dist}
 
 License:	CPL
 URL:		http://www.graphviz.org/
 Source:		http://www.graphviz.org/pub/graphviz/ARCHIVE/graphviz-2.12.tar.gz
 Patch0:		%{name}-php5.patch
 Patch1:		%{name}-libcdt.patch
-Patch2:		graphviz-2.12-yyerror-overflow-fix.patch
+# Fix yyerror overflow (CVE-2014-0978, CVE-2014-1235)
+Patch2:		graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
+# Fix chknum overflow (CVE-2014-1236)
+Patch3:		graphviz-2.12-CVE-2014-1236.patch
 
 # graphviz is relocatable
 #Prefix: /usr
@@ -409,7 +412,8 @@ Provides some additional PDF and HTML documentation for graphviz.
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%patch2 -p1
+%patch2 -p1 -b .CVE-2014-0978-CVE-2014-1235
+%patch3 -p1 -b .CVE-2014-1236
 
 %build
 # XXX ix86 only used to have -ffast-math, let's use everywhere
@@ -446,9 +450,15 @@ rm -rf $RPM_BUILD_ROOT
 #-- changelog --------------------------------------------------
 
 %changelog
+* Fri Jan 10 2014 Jaroslav Škarvada <jskarvad at redhat.com> - 2.12-10
+- Prevent possible buffer overflow in yyerror()
+  Resolves: CVE-2014-1235
+- Fix possible buffer overflow problem in chkNum of scanner
+  Resolves: CVE-2014-1236
+
 * Tue Jan  7 2014 Jaroslav Škarvada <jskarvad at redhat.com> - 2.12-9
 - Fixed overflow in yyerror
-  Resolves: rhbz#1049168
+  Resolves: CVE-2014-0978
 - Fixed malformed php5 patch due to distgit conversion
 
 * Thu May 24 2007 Patrick "Jima" Laughton <jima at beer.tclug.org> 2.12-8

More information about the scm-commits mailing list