oss-sec mailing list archives
Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()
From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 8 Jan 2014 11:15:47 +0100
Hi Funny enough that tools like graphviz qualify for CVE assignments :) Do not get me wrong, I really like graphviz, its a great tool and I use it myself; but probably like 2 scientists or 1 anti-terror fed plotting his graphs in the whole world would be targeted attacked using dot files sent via mail I guess. Seems like the initial fix: https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a also contains a sprintf() which is also later removed by commit d266bb2b4154d11c27252b56d86963aef4434750 just for safety reasons. And finally there also is: /* chkNum: * The regexp for NUMBER allows a terminating letter. * This way we can catch a number immediately followed by a name * and report this to the user. */ static int chkNum(void) { unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */ if (!isdigit(c) && (c != '.')) { /* c is letter */ char buf[BUFSIZ]; sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile); strcat (buf, "splits into two name tokens\n"); agerr(AGWARN,buf); return 1; } else return 0; } which also looks like a buffer overflow from user input; yet unfixed. (the regex seems to accept arbitrary long digit list) So for the 3 potential victims, we need to fix that too :) Sebastian On Tue, Jan 07, 2014 at 05:19:07PM -0500, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1an error within the "yyerror()" function (lib/cgraph/scan.l) and can be exploited to cause a stack-based buffer overflow via a specially crafted file.Use CVE-2014-0978. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJSzH0dAAoJEKllVAevmvmsdcAIALBfNun5cNjVGVEVmWYQIncL cZIWWhasJDtZoSSP7sEqSWUnTvIft/9Ke6O6dCykngQo6kIEQYqUfxeKpB2c+Asi b144u4i7nLyustXMCAHkJ58Z2sr5+IfvrjY8g7MzCQU3eRVw4O4NcNGK7qmU3nyv D3YX3b4ON2a6FWmGNFYmo9aJ7x1suMIjXKPqM7m//+6qpEdSH7kETMvLR86lJZuj L2FBvbPVvpN8VgAMrASONQBMsVAaqXDSuizQgfAxqktqBCO/8lSsJ+0kE4ybMHkr gN1hL4z+mo7gkVqeaemtds41ZaM51pAQvp+vkUGx3y35SppqcxiSr55GqjZTBts= =F0p9 -----END PGP SIGNATURE-----
-- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team
Current thread:
- CVE Request: graphviz: stack-based buffer overflow in yyerror() Ratul Gupta (Jan 06)
- Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() cve-assign (Jan 07)
- Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Sebastian Krahmer (Jan 08)
- Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Russ Allbery (Jan 08)
- Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Emden R. Gansner (Jan 08)
- Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() cve-assign (Jan 08)
- Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Sebastian Krahmer (Jan 08)
- Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() cve-assign (Jan 07)