GNU bug report logs -
#48385
[PATCH] gnu: Graphviz: Fix CVE-2020-18032.
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Wed, 12 May 2021 22:30:01 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 48385 in the body.
You can then email your comments to 48385 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#48385; Package
guix-patches.
(Wed, 12 May 2021 22:30:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Wed, 12 May 2021 22:30:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/graphviz-CVE-2020-18032.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/graphviz.scm (graphviz)[replacement]: New field.
(graphviz/fixed): New variable.
---
gnu/local.mk | 1 +
gnu/packages/graphviz.scm | 10 ++++
.../patches/graphviz-CVE-2020-18032.patch | 49 +++++++++++++++++++
3 files changed, 60 insertions(+)
create mode 100644 gnu/packages/patches/graphviz-CVE-2020-18032.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 01d495d41d..5601b5b698 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1164,6 +1164,7 @@ dist_patch_DATA = \
%D%/packages/patches/gpodder-disable-updater.patch \
%D%/packages/patches/gpsbabel-fix-i686-test.patch \
%D%/packages/patches/grantlee-merge-theme-dirs.patch \
+ %D%/packages/patches/graphviz-CVE-2020-18032.patch \
%D%/packages/patches/grep-timing-sensitive-test.patch \
%D%/packages/patches/grocsvs-dont-use-admiral.patch \
%D%/packages/patches/gromacs-tinyxml2.patch \
diff --git a/gnu/packages/graphviz.scm b/gnu/packages/graphviz.scm
index eb3fd1d583..72c96655bc 100644
--- a/gnu/packages/graphviz.scm
+++ b/gnu/packages/graphviz.scm
@@ -62,6 +62,7 @@
(define-public graphviz
(package
(name "graphviz")
+ (replacement graphviz/fixed)
(version "2.42.3")
(source (origin
(method url-fetch)
@@ -126,6 +127,15 @@ software engineering, database and web design, machine learning, and in visual
interfaces for other technical domains.")
(license license:epl1.0)))
+(define-public graphviz/fixed
+ (hidden-package
+ (package
+ (inherit graphviz)
+ (source (origin
+ (inherit (package-source graphviz))
+ (patches (append (search-patches "graphviz-CVE-2020-18032.patch")
+ (origin-patches (package-source graphviz)))))))))
+
;; Older Graphviz needed for pygraphviz. See
;; https://github.com/pygraphviz/pygraphviz/issues/175
(define-public graphviz-2.38
diff --git a/gnu/packages/patches/graphviz-CVE-2020-18032.patch b/gnu/packages/patches/graphviz-CVE-2020-18032.patch
new file mode 100644
index 0000000000..4cf94a9a36
--- /dev/null
+++ b/gnu/packages/patches/graphviz-CVE-2020-18032.patch
@@ -0,0 +1,49 @@
+Fix CVE-2020-18032:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-18032
+https://gitlab.com/graphviz/graphviz/-/issues/1700
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/graphviz/graphviz/-/commit/784411ca3655c80da0f6025ab20634b2a6ff696b
+
+From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez <at> gmail.com>
+Date: Sat, 25 Jul 2020 19:31:01 -0700
+Subject: [PATCH] fix: out-of-bounds write on invalid label
+
+When the label for a node cannot be parsed (due to it being malformed), it falls
+back on the symbol name of the node itself. I.e. the default label the node
+would have had if it had no label attribute at all. However, this is applied by
+dynamically altering the node's label to "\N", a shortcut for the symbol name of
+the node. All of this is fine, however if the hand written label itself is
+shorter than the literal string "\N", not enough memory would have been
+allocated to write "\N" into the label text.
+
+Here we account for the possibility of error during label parsing, and assume
+that the label text may need to be overwritten with "\N" after the fact. Fixes
+issue #1700.
+---
+ lib/common/shapes.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/common/shapes.c b/lib/common/shapes.c
+index 0a0635fc3..9dca9ba6e 100644
+--- a/lib/common/shapes.c
++++ b/lib/common/shapes.c
+@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
+ reclblp = ND_label(n)->text;
+ len = strlen(reclblp);
+ /* For some forgotten reason, an empty label is parsed into a space, so
+- * we need at least two bytes in textbuf.
++ * we need at least two bytes in textbuf, as well as accounting for the
++ * error path involving "\\N" below.
+ */
+- len = MAX(len, 1);
++ len = MAX(MAX(len, 1), (int)strlen("\\N"));
+ textbuf = N_NEW(len + 1, char);
+ if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
+ agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
+--
+2.31.1
+
--
2.31.1
Reply sent
to
Leo Famulari <leo <at> famulari.name>:
You have taken responsibility.
(Sat, 15 May 2021 23:16:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer.
(Sat, 15 May 2021 23:16:02 GMT)
Full text and
rfc822 format available.
Message #10 received at 48385-done <at> debbugs.gnu.org (full text, mbox):
Pushed as 7c4c781aa40c42d4cd10b8d9482199f3db345e1b
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Sun, 13 Jun 2021 11:24:08 GMT)
Full text and
rfc822 format available.
This bug report was last modified 4 years and 9 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.