Bugzilla – Bug 908426
VUL-0: CVE-2014-9157: graphviz: format string vulnerability
Last modified: 2017-12-06 02:09:33 UTC
rh#1167866 Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vector, which are not properly handled in an error string. References: https://bugzilla.redhat.com/show_bug.cgi?id=1167866 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9157 http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9157.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157 http://xforce.iss.net/xforce/xfdb/98949 http://secunia.com/advisories/60166 http://seclists.org/oss-sec/2014/q4/872 http://seclists.org/oss-sec/2014/q4/784 https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081 http://www.securityfocus.com/bid/71283
bugbot adjusting priority
Only 13.2 and factory need to be fixed as all other distribution use older versions that don't have the bug.
(In reply to Philipp Thomas from comment #2) Can you provide a submit please?
Submitted for 42.2 with sr#546041 Submitted for 42.3 with sr#546039
(In reply to Philipp Thomas from comment #6) > Submitted for 42.3 with sr#546039 Does not build for Leap 42.3.
Security bugs to remain open until closed by security team
fixed that for you... https://build.opensuse.org/request/show/546099
releasing, done
openSUSE-SU-2017:3222-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 908426 CVE References: CVE-2014-9157 Sources used: openSUSE Leap 42.3 (src): graphviz-2.38.0-9.1, graphviz-gvedit-2.38.0-9.1, graphviz-plugins-2.38.0-9.3, graphviz-smyrna-2.38.0-9.1 openSUSE Leap 42.2 (src): graphviz-2.38.0-4.5.1, graphviz-gvedit-2.38.0-4.5.1, graphviz-plugins-2.38.0-4.5.3, graphviz-smyrna-2.38.0-4.5.1