Bugzilla – Bug 908426
VUL-0: CVE-2014-9157: graphviz: format string vulnerability
Last modified: 2017-12-06 02:09:33 UTC
Format string vulnerability in the yyerror function in lib/cgraph/scan.l in
Graphviz allows remote attackers to have unspecified impact via format string
specifiers in unknown vector, which are not properly handled in an error string.
bugbot adjusting priority
Only 13.2 and factory need to be fixed, as all other distributions use older versions that don't have the bug.
(In reply to Philipp Thomas from comment #2)
Can you provide a submit please?
Submitted for 42.2 with sr#546041
Submitted for 42.3 with sr#546039
(In reply to Philipp Thomas from comment #6)
> Submitted for 42.3 with sr#546039
Does not build for Leap 42.3.
Security bugs to remain open until closed by security team
fixed that for you...
openSUSE-SU-2017:3222-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 908426
CVE References: CVE-2014-9157
openSUSE Leap 42.3 (src): graphviz-2.38.0-9.1, graphviz-gvedit-2.38.0-9.1, graphviz-plugins-2.38.0-9.3, graphviz-smyrna-2.38.0-9.1
openSUSE Leap 42.2 (src): graphviz-2.38.0-4.5.1, graphviz-gvedit-2.38.0-4.5.1, graphviz-plugins-2.38.0-4.5.3, graphviz-smyrna-2.38.0-4.5.1