Debian: DSA-2844-1 Important: OpenSSL Vulnerabilities Addressed
debian
January 13, 2014
Two buffer overflow vulnerabilities were reported in Graphviz, a rich collection of graph drawing tools
Topics Covered
Summary
CVE-2014-0978
It was discovered that user-supplied input used in the yyerror()
function in lib/cgraph/scan.l is not bound-checked before beeing
copied into an insufficiently sized memory buffer. A
context-dependent attacker could supply a specially crafted input
file containing a long line to cause a stack-based buffer overlow,
resulting in a denial of service (application crash) or potentially
allowing the execution of arbitrary code.
CVE-2014-1236
Sebastian Krahmer reported an overflow condition in the chkNum()
function in lib/cgraph/scan.l that is triggered as the used regular
expression accepts an arbitrary long digit list. With a specially
crafted input file, a context-dependent attacker can cause a
stack-based buffer overflow, resulting in a denial of service
(application crash) or potentially allowing the execution of
arbitrary code.
For the oldstable distribution (squeeze), these problems have been fixed in
version 2.26.3-5+squeeze2.
For...
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Package: graphviz
CVE ID: CVE-2014-0978 CVE-2014-1236
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!