Bugzilla – Bug 1132091
VUL-1: CVE-2019-11023: graphviz: The agroot() function in cgraph\obj.c in libcgraph.a has a NULL pointer dereference
Last modified: 2021-07-28 10:59:59 UTC
CVE-2019-11023: The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference, as demonstrated by graphml2gv.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11023
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11023.html
http://www.cvedetails.com/cve/CVE-2019-11023/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11023
https://research.loginsoft.com/bugs/null-pointer-dereference-in-function-agroot/
https://gitlab.com/graphviz/graphviz/issues/1517
There is an upstream fix at [1] and a reproducer at [2]. The reproducer can only be tested on SLE15 because it uses the binary graphml2gv. I tested successfully. However, agroot() can also be found in SLE12 and SLE12-SP2, which makes these versions also potentially affected. The proposed fix may also be partially backported. SLE11 seems not affected.

To reproduce the issue, one should run:

valgrind --leak-check=full grap2graph -g cooldude –o test.gv $POC

[1] https://gitlab.com/graphviz/graphviz/commit/839085f8026afd6f6920a0c31ad2a9d880d97932
[2] https://raw.githubusercontent.com/SegfaultMasters/covering360/master/Graphviz/NP
Fix is now in Factory and SLE15
Hello, during regression testing to ver 2.40.1-6.3.2 on SLE15, memory leaks are still present:

dancer:~ # valgrind --leak-check=full grap2graph -g cooldude –o test.gv $POC
==1809== Memcheck, a memory error detector
==1809== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1809== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==1809== Command: /usr/bin/grap2graph -g cooldude –o test.gv
==1809==
==1811==
==1811== HEAP SUMMARY:
==1811==     in use at exit: 46,738 bytes in 896 blocks
==1811==   total heap usage: 2,629 allocs, 1,733 frees, 112,467 bytes allocated
==1811==
==1811== 66 bytes in 1 blocks are definitely lost in loss record 308 of 357
==1811==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1811==    by 0x1B015D: xmalloc (in /bin/bash)
==1811==    by 0x18C054: execute_command_internal (in /bin/bash)
==1811==    by 0x1B138B: parse_and_execute (in /bin/bash)
==1811==    by 0x1A763E: command_substitute (in /bin/bash)
==1811==    by 0x19F1C7: ??? (in /bin/bash)
==1811==    by 0x1A1866: ??? (in /bin/bash)
==1811==    by 0x1A09B3: ??? (in /bin/bash)
==1811==    by 0x18C7A4: ??? (in /bin/bash)
==1811==    by 0x18B3BC: execute_command_internal (in /bin/bash)
==1811==    by 0x18C530: execute_command (in /bin/bash)
==1811==    by 0x1392B5: ??? (in /bin/bash)
==1811==
==1811== LEAK SUMMARY:
==1811==    definitely lost: 66 bytes in 1 blocks
==1811==    indirectly lost: 0 bytes in 0 blocks
==1811==      possibly lost: 0 bytes in 0 blocks
==1811==    still reachable: 46,672 bytes in 895 blocks
==1811==         suppressed: 0 bytes in 0 blocks
==1811== Reachable blocks (those to which a pointer was found) are not shown.
==1811== To see them, rerun with: --leak-check=full --show-leak-kinds=all

Full log can be found here: http://qam.suse.de/testreports/SUSE:Maintenance:10959:190907/bsc1132091_before.txt
Created attachment 803900 [details]
POC

QA REPRODUCER:

graphml2gv POC

should not crash
(In reply to Marcus Meissner from comment #6)
> Created attachment 803900 [details]
> POC
>
> QA REPRODUCER:
>
> graphml2gv POC
>
> should not crash

Thanks, this one works:

BEFORE:
dancer:~ # graphml2gv POC
Segmentation fault (core dumped)
=> REPRODUCED

AFTER:
dancer:~ # graphml2gv POC
node n2 outside graph, ignored
node n3 outside graph, ignored
node n4 outside graph, ignored
node n5 outside graph, ignored
mismatched tag at line 22
digraph "n6:" {
	subgraph "n0:" {
		n6;
	}
	subgraph "" {
	}
	n6 -> n6	[_graphml_id=e11];
	n2;
	n1 -> n0	[_graphml_id=e10];
}
=> FIXED
SUSE-SU-2019:1267-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1132091
CVE References: CVE-2019-11023
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Development Tools 15 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Basesystem 15 (src): graphviz-2.40.1-6.3.2
SUSE Linux Enterprise High Availability 15 (src): graphviz-addons-2.40.1-6.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1434-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1132091
CVE References: CVE-2019-11023
Sources used:
openSUSE Leap 15.1 (src): graphviz-2.40.1-lp151.6.3.1, graphviz-addons-2.40.1-lp151.6.3.1
SUSE-SU-2019:1267-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1132091
CVE References: CVE-2019-11023
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): graphviz-2.40.1-6.3.2
SUSE Linux Enterprise High Availability 15-SP1 (src): graphviz-addons-2.40.1-6.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0876-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1132091
CVE References: CVE-2019-11023
Sources used:
openSUSE Leap 15.2 (src): graphviz-2.40.1-lp152.7.2.1, graphviz-addons-2.40.1-lp152.7.3.1
openSUSE-SU-2020:0906-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1132091
CVE References: CVE-2019-11023
Sources used:
openSUSE Leap 15.2 (src): graphviz-2.40.1-lp152.7.4.2, graphviz-addons-2.40.1-lp152.7.4.2
SUSE-SU-2019:1267-3: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1132091
CVE References: CVE-2019-11023
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): graphviz-addons-2.40.1-6.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): graphviz-2.40.1-6.3.2
SUSE Linux Enterprise High Availability 15-SP2 (src): graphviz-addons-2.40.1-6.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.