oss-sec mailing list archives

Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()

From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 8 Jan 2014 11:15:47 +0100

Hi

Funny enough that tools like graphviz qualify for CVE assignments :)

Do not get me wrong, I really like graphviz, its a great tool and I use it myself;
but probably like 2 scientists or 1 anti-terror fed plotting his graphs
in the whole world would be targeted attacked using dot files sent via mail I guess.

Seems like the initial fix:

https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a

also contains a sprintf() which is also later removed by commit

d266bb2b4154d11c27252b56d86963aef4434750 just for safety reasons.

And finally there also is:


/* chkNum:
 * The regexp for NUMBER allows a terminating letter.
 * This way we can catch a number immediately followed by a name
 * and report this to the user.
 */
static int chkNum(void) {
  unsigned char c = (unsigned char)yytext[yyleng-1];   /* last character */
  if (!isdigit(c) && (c != '.')) {  /* c is letter */
        char    buf[BUFSIZ];
        sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
    strcat (buf, "splits into two name tokens\n");
        agerr(AGWARN,buf);
    return 1;
  }
  else return 0;
}


which also looks like a buffer overflow from user input; yet unfixed.
(the regex seems to accept arbitrary long digit list)

So for the 3 potential victims, we need to fix that too :)

Sebastian


On Tue, Jan 07, 2014 at 05:19:07PM -0500, cve-assign () mitre org wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

an error within the "yyerror()"
function (lib/cgraph/scan.l) and can be exploited to cause a stack-based
buffer overflow via a specially crafted file.


Use CVE-2014-0978.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSzH0dAAoJEKllVAevmvmsdcAIALBfNun5cNjVGVEVmWYQIncL
cZIWWhasJDtZoSSP7sEqSWUnTvIft/9Ke6O6dCykngQo6kIEQYqUfxeKpB2c+Asi
b144u4i7nLyustXMCAHkJ58Z2sr5+IfvrjY8g7MzCQU3eRVw4O4NcNGK7qmU3nyv
D3YX3b4ON2a6FWmGNFYmo9aJ7x1suMIjXKPqM7m//+6qpEdSH7kETMvLR86lJZuj
L2FBvbPVvpN8VgAMrASONQBMsVAaqXDSuizQgfAxqktqBCO/8lSsJ+0kE4ybMHkr
gN1hL4z+mo7gkVqeaemtds41ZaM51pAQvp+vkUGx3y35SppqcxiSr55GqjZTBts=
=F0p9
-----END PGP SIGNATURE-----


-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team

Current thread:

CVE Request: graphviz: stack-based buffer overflow in yyerror() Ratul Gupta (Jan 06)
- Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() cve-assign (Jan 07)
  - Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Sebastian Krahmer (Jan 08)
    - Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Russ Allbery (Jan 08)
    - Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Emden R. Gansner (Jan 08)
    - Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() cve-assign (Jan 08)