Dear David and Christoph, I've prepared an NMU for graphviz (versioned as 2.26.3-16.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer.
I also have packages ready (for #734745) for squeeze-security and wheezy-security, but I have not uploaded them yet. Regards, Salvatore
diff -Nru graphviz-2.26.3/debian/changelog graphviz-2.26.3/debian/changelog
--- graphviz-2.26.3/debian/changelog 2013-12-23 18:55:30.000000000 +0100
+++ graphviz-2.26.3/debian/changelog 2014-01-12 17:09:27.000000000 +0100
@@ -1,3 +1,19 @@
+graphviz (2.26.3-16.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add CVE-2014-1235.patch patch.
+ CVE-2014-1235: buffer overflow vulnerability in yyerror() introduced by
+ original fix for CVE-2014-0978. (Closes: #734745)
+ * Add CVE-2014-1236.patch patch.
+ CVE-2014-1236: buffer overflow from user input (the regexp in chkNum
+ would accept arbitrary long digit list) (Closes: #734745)
+ * Enable hardened build flags.
+ Thanks to Moritz Muehlenhoff <j...@debian.org> (Closes: #734804)
+ * Add fix-missing-format-string.patch patch.
+ Fixes missing format strings for printf and fprintf calls.
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sun, 12 Jan 2014 14:37:45 +0100
+
 graphviz (2.26.3-16) unstable; urgency=medium
 
 * Add patch cherry-picked from upstream's github - fixes buffer
diff -Nru graphviz-2.26.3/debian/patches/CVE-2014-1235.patch graphviz-2.26.3/debian/patches/CVE-2014-1235.patch
--- graphviz-2.26.3/debian/patches/CVE-2014-1235.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.26.3/debian/patches/CVE-2014-1235.patch 2014-01-12 17:09:27.000000000 +0100
@@ -0,0 +1,22 @@
+Description: Fix buffer overflow in yyerror()
+ CVE-2014-1235: buffer overflow vulnerability in yyerror() introduced by
+ original fix for CVE-2014-0978
+Origin: upstream, https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750
+Bug-Debian: http://bugs.debian.org/734745
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1050871
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2014-01-11
+
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -203,7 +203,8 @@
+ agxbput (&xb, InputFile);
+ agxbput (&xb, ": ");
+ }
+- sprintf(buf," %s in line %d near '", str,line_num);
++ agxbput (&xb, str);
++ sprintf(buf," in line %d near '", line_num);
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
diff -Nru graphviz-2.26.3/debian/patches/CVE-2014-1236.patch graphviz-2.26.3/debian/patches/CVE-2014-1236.patch
--- graphviz-2.26.3/debian/patches/CVE-2014-1236.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.26.3/debian/patches/CVE-2014-1236.patch 2014-01-12 17:09:27.000000000 +0100
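Review bot: `sprintf(buf," in line %d near '", line_num);` still writes into a fixed buffer with no explicit bound; the format now expands to a few dozen bytes at most, so it is safe as long as `buf` keeps a sane size, but if `buf` is an array, `snprintf(buf, sizeof buf, " in line %d near '", line_num);` would make that bound explicit and survive a later edit that adds another `%s`. The declaration of `buf` and the remainder of yyerror() lie outside the hunk, so its size and how the assembled message is finally emitted are not visible here. Routing the caller-supplied `str` through `agxbput` instead of the format is the part that removes the unbounded write.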
@@ -0,0 +1,54 @@
+Description: Fix possible buffer overflow problem in chkNum of scanner
+ CVE-2014-1236: buffer overflow from user input (the regexp in chkNum
+ would accept arbitrary long digit list)
+Origin: backport, https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff
+Bug-Debian: http://bugs.debian.org/734745
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1050872
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2014-01-11
+
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -131,15 +131,32 @@
+ * and report this to the user.
+ */
+ static int chkNum(void) {
+- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
+- if (!isdigit(c) && (c != '.')) { /* c is letter */
+- char buf[BUFSIZ];
+- sprintf(buf,"syntax error - badly formed number '%s' in line %d\n",yytext,line_num);
+- strcat (buf, "splits into two name tokens");
+- agerr(AGWARN,buf);
+- return 1;
+- }
+- else return 0;
++ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
++ if (!isdigit(c) && (c != '.')) { /* c is letter */
++ unsigned char xbuf[BUFSIZ];
++ char buf[BUFSIZ];
++ agxbuf xb;
++ char* fname;
++
++ if (InputFile)
++ fname = InputFile;
++ else
++ fname = "input";
++
++ agxbinit(&xb, BUFSIZ, xbuf);
++
++ agxbput(&xb,"syntax ambiguity - badly delimited number '");
++ agxbput(&xb,yytext);
++ sprintf(buf,"' in line %d of ", line_num);
++ agxbput(&xb,buf);
++ agxbput(&xb,fname);
++ agxbput(&xb, " splits into two tokens\n");
++ agerr(AGWARN,agxbuse(&xb));
++
++ agxbfree(&xb);
++ return 1;
++ }
++ else return 0;
+ }
+
+ /* The LETTER class below consists of ascii letters, underscore, all non-ascii
diff -Nru graphviz-2.26.3/debian/patches/fix-missing-format-string.patch graphviz-2.26.3/debian/patches/fix-missing-format-string.patch
--- graphviz-2.26.3/debian/patches/fix-missing-format-string.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.26.3/debian/patches/fix-missing-format-string.patch 2014-01-12 17:09:27.000000000 +0100
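Review bot: In the CVE-2014-1236 hunk, `agerr(AGWARN,agxbuse(&xb));` passes the assembled message — which embeds `yytext` and the input file name — as agerr's format argument; as far as I recall agerr is declared printf-style (`fmt, ...`) in cgraph.h, so any `%` in that text would be treated as a conversion rather than printed. The fix-missing-format-string.patch in this same upload corrects exactly that pattern elsewhere, so this line should follow suit: `agerr(AGWARN, "%s", agxbuse(&xb));`. Whether the scanner's number rule can leave a `%` in `yytext` is not visible in this hunk, and the file name comes from the caller in any case, so the literal format costs nothing and settles the question. `sprintf(buf,"' in line %d of ", line_num);` is bounded by its format, but `snprintf(buf, sizeof buf, "' in line %d of ", line_num);` would state that bound explicitly.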
@@ -0,0 +1,94 @@
+Description: Fix missing format string
+Origin: backport, https://github.com/ellson/graphviz/commit/1b3b90cd1afd712d1d7153377531f758797a7535
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2014-01-12
+
+--- a/cmd/tools/bcomps.c
++++ b/cmd/tools/bcomps.c
+@@ -315,7 +315,7 @@
+
+ static void usage(int v)
+ {
+- printf(useString);
++ printf("%s",useString);
+ exit(v);
+ }
+
+--- a/cmd/tools/ccomps.c
++++ b/cmd/tools/ccomps.c
+@@ -99,7 +99,7 @@
+
+ static void usage(int v)
+ {
+- printf(useString);
++ printf("%s",useString);
+ exit(v);
+ }
+
+--- a/cmd/tools/dijkstra.c
++++ b/cmd/tools/dijkstra.c
+@@ -237,7 +237,7 @@
+
+ static void usage(int v)
+ {
+- printf(useString);
++ printf("%s",useString);
+ exit(v);
+ }
+
+--- a/cmd/tools/gc.c
++++ b/cmd/tools/gc.c
+@@ -86,7 +86,7 @@
+
+ static void usage(int v)
+ {
+- printf(useString);
++ printf("%s",useString);
+ exit(v);
+ }
+
+--- a/cmd/tools/gvcolor.c
++++ b/cmd/tools/gvcolor.c
+@@ -88,7 +88,7 @@
+
+ static void usage(int v)
+ {
+- printf(useString);
++ printf("%s",useString);
+ exit(v);
+ }
+
+--- a/cmd/tools/gvpack.c
++++ b/cmd/tools/gvpack.c
+@@ -92,7 +92,7 @@
+
+ static void usage(int v)
+ {
+- printf(useString);
++ printf("%s",useString);
+ exit(v);
+ }
+
+--- a/cmd/tools/nop.c
++++ b/cmd/tools/nop.c
+@@ -42,7 +42,7 @@
+
+ static void usage(int v)
+ {
+- printf(useString);
++ printf("%s",useString);
+ exit(v);
+ }
+
+--- a/lib/ortho/ortho.c
++++ b/lib/ortho/ortho.c
+@@ -1450,7 +1450,7 @@
+ absbb.LL.x = absbb.LL.y = MAXDOUBLE;
+ absbb.UR.x = absbb.UR.y = -MAXDOUBLE;
+
+- fprintf (fp, prolog2);
++ fprintf (fp, "%s", prolog2);
+ fprintf (fp, "%d %d translate\n", TRANS, TRANS);
+
+ fputs ("0 0 1 setrgbcolor\n", fp);
diff -Nru graphviz-2.26.3/debian/patches/series graphviz-2.26.3/debian/patches/series
--- graphviz-2.26.3/debian/patches/series 2013-12-23 18:54:30.000000000 +0100
+++ graphviz-2.26.3/debian/patches/series 2014-01-12 17:09:27.000000000 +0100
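Review bot: The seven `printf("%s",useString);` replacements and `fprintf (fp, "%s", prolog2);` are correct, but `fputs(useString, stdout);` and `fputs(prolog2, fp);` would skip the format pass altogether and match the `fputs ("0 0 1 setrgbcolor\n", fp);` call already visible two lines below in the ortho.c hunk. The same point applies to the bcomps.c, ccomps.c, dijkstra.c, gc.c, gvcolor.c, gvpack.c and nop.c hunks. The patch header could also record why this is needed now: with the hardened build flags enabled in the same upload, the dpkg-buildflags defaults on Debian include `-Werror=format-security`, which I believe turns these non-literal formats into build failures — something like `Description: Fix non-literal format strings (build failures with -Werror=format-security)` in place of the current one-line Description.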
@@ -17,3 +17,6 @@
 kfreebsd-hang.patch
 use-system-ltdl.patch
 buffer_overflow.patch
+CVE-2014-1235.patch
+CVE-2014-1236.patch
+fix-missing-format-string.patch
diff -Nru graphviz-2.26.3/debian/rules graphviz-2.26.3/debian/rules
--- graphviz-2.26.3/debian/rules 2013-12-23 18:54:30.000000000 +0100
+++ graphviz-2.26.3/debian/rules 2014-01-12 17:09:27.000000000 +0100
@@ -39,6 +39,11 @@
 CONFIG_SCRIPTS=config/config.guess lib/gd/config/config.guess libltdl/config.guess \
 config/config.sub lib/gd/config/config.sub libltdl/config.sub
 
+# make's $(shell) doesn't use local variables, thus we need to define a
+# custom command where DEB_LDFLAGS_MAINT_APPEND is passed.
+# See: https://wiki.debian.org/HardeningWalkthrough#dpkg-buildflags
+dpkg_buildflags = DEB_LDFLAGS_MAINT_APPEND="-Wl,--as-needed" dpkg-buildflags
+
 configure: configure-stamp
 configure-stamp:
 dh_testdir
@@ -74,7 +79,7 @@
 --disable-sharp \
 $(shell echo $(PYTHON_VERSIONS) | sed -e's,python,--enable-python,g' -e 's,\.,,g') \
 $(CONFIGURE_LIBS) \
- LDFLAGS="-Wl,--as-needed"
+ $(shell $(dpkg_buildflags) --export=configure)
 touch configure-stamp
 
 build-arch: build
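Review bot: `$(shell $(dpkg_buildflags) --export=configure)` and the `DEB_LDFLAGS_MAINT_APPEND` hook it relies on need dpkg-dev (>= 1.16.1), and this debdiff does not touch debian/control, so confirm that a versioned Build-Depends is already present — an older dpkg-buildflags may not understand `--export=configure` or the `*_MAINT_APPEND` variables, and the configure line would then silently lose the `-Wl,--as-needed` it used to set directly. The cover mail mentions separate squeeze-security packages; the same check matters more there, since squeeze's dpkg-dev predates wheezy's. The series hunk above only appends the three new patches and needs no review.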