oss-sec mailing list archives
Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()
From: Russ Allbery <eagle () eyrie org>
Date: Wed, 08 Jan 2014 09:11:10 -0800
Sebastian Krahmer <krahmer () suse de> writes:
Funny enough that tools like graphviz qualify for CVE assignments :)
Do not get me wrong, I really like graphviz, its a great tool and I use it myself; but probably like 2 scientists or 1 anti-terror fed plotting his graphs in the whole world would be targeted attacked using dot files sent via mail I guess.
I wouldn't be so certain. :) I've gotten dot files in email a fair bit while working on free software projects since it's a really useful way of expressing dependency trees and similar structures. So the possibility of a targetted exploit is there, particularly given that mailing list traffic is generally completely unauthenticated. It's not hard for someone to pretend to be another participant and mail a doctored dot file to a development team. The deception would probably be discovered reasonably quickly, but possibly not before damage was done. -- Russ Allbery (eagle () eyrie org) <http://www.eyrie.org/~eagle/>
Current thread:
- CVE Request: graphviz: stack-based buffer overflow in yyerror() Ratul Gupta (Jan 06)
- Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() cve-assign (Jan 07)
- Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Sebastian Krahmer (Jan 08)
- Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Russ Allbery (Jan 08)
- Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Emden R. Gansner (Jan 08)
- Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() cve-assign (Jan 08)
- Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() Sebastian Krahmer (Jan 08)
- Re: CVE Request: graphviz: stack-based buffer overflow in yyerror() cve-assign (Jan 07)