Hi, attached is the proposed debdiff (not yet tested at all) for wheezy, based on the upstream fixes and targeting wheezy-security.
Regards, Salvatore
diff -Nru graphviz-2.26.3/debian/changelog graphviz-2.26.3/debian/changelog
--- graphviz-2.26.3/debian/changelog 2013-03-12 03:03:28.000000000 +0100
+++ graphviz-2.26.3/debian/changelog 2014-01-11 14:35:12.000000000 +0100
@@ -1,3 +1,15 @@
+graphviz (2.26.3-14+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Add CVE-2014-0978.patch patch.
+ CVE-2014-0978: Fix stack-based buffer overflow due to a boundary error
+ in the "yyerror()" function. (Closes: #734745)
+ * Add CVE-2014-1236.patch.
+ CVE-2014-1236: buffer overflow from user input (the regexp in chkNum
+ would accept arbitrary long digit list) (Closes: #734745)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 11 Jan 2014 14:34:32 +0100
+
 graphviz (2.26.3-14) unstable; urgency=low
 
 * Use system ltdl in place of version in subdir (Closes: #702436)
diff -Nru graphviz-2.26.3/debian/patches/CVE-2014-0978.patch graphviz-2.26.3/debian/patches/CVE-2014-0978.patch
--- graphviz-2.26.3/debian/patches/CVE-2014-0978.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.26.3/debian/patches/CVE-2014-0978.patch 2014-01-11 14:35:12.000000000 +0100
@@ -0,0 +1,51 @@
+Description: Fix stack-based buffer overflow
+ CVE-2014-0978: Fix stack-based buffer overflow due to a boundary error
+ in the "yyerror()" function.
+Origin: upstream, https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a
+ https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750
+Bug-Debian: http://bugs.debian.org/734745
+Bug-Gentoo: https://bugs.gentoo.org/show_bug.cgi?id=497274
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1049165
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2014-01-11
+
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -19,6 +19,7 @@
+ %{
+ #include <grammar.h>
+ #include <cghdr.h>
++#include <agxbuf.h>
+ #include <ctype.h>
+ #define GRAPH_EOF_TOKEN '@' /* lex class must be defined below */
+ /* this is a workaround for linux flex */
+@@ -193,13 +194,22 @@
+ %%
+ void yyerror(char *str)
+ {
++ unsigned char xbuf[BUFSIZ];
+ char buf[BUFSIZ];
+- if (InputFile)
+- sprintf(buf,"%s:%d: %s in line %d near '%s'\n",InputFile, line_num,
+- str,line_num,yytext);
+- else
+- sprintf(buf," %s in line %d near '%s'\n", str,line_num,yytext);
+- agerr(AGWARN,buf);
++ agxbuf xb;
++
++ agxbinit(&xb, BUFSIZ, xbuf);
++ if (InputFile) {
++ agxbput (&xb, InputFile);
++ agxbput (&xb, ": ");
++ }
++ agxbput (&xb, str);
++ sprintf(buf," in line %d near '", line_num);
++ agxbput (&xb, buf);
++ agxbput (&xb, yytext);
++ agxbput (&xb,"'\n");
++ agerr(AGWARN,agxbuse(&xb));
++ agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
+ void aglexeof() { unput(GRAPH_EOF_TOKEN); }
diff -Nru graphviz-2.26.3/debian/patches/CVE-2014-1236.patch graphviz-2.26.3/debian/patches/CVE-2014-1236.patch
--- graphviz-2.26.3/debian/patches/CVE-2014-1236.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.26.3/debian/patches/CVE-2014-1236.patch 2014-01-11 14:35:12.000000000 +0100
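Review bot: The rewritten yyerror body drops the line number that the old format placed right after the file name: `"%s:%d: "` has become `InputFile` followed by `": "`, so a warning that used to read `file:12: ... in line 12 near 'x'` now reads `file: ... in line 12 near 'x'`, and anything that matches the conventional `file:line:` prefix sees a format change that is not needed for the overflow fix. If the wheezy backport is meant to change behavior only as far as the CVE requires, the prefix can be kept with the same bounded building blocks: `agxbput (&xb, InputFile); sprintf(buf, ":%d: ", line_num); agxbput (&xb, buf);` in place of the `": "` put. The remaining `sprintf` of a bare int into `buf[BUFSIZ]` cannot overflow, but in a patch whose whole point is removing unbounded formatting it reads better as `snprintf(buf, sizeof buf, " in line %d near '", line_num);`, so a later edit that adds a string argument does not reintroduce the bug. The changelog says the debdiff is untested; the warning-text change above is the kind of thing a quick run against a file with a syntax error would show.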
@@ -0,0 +1,54 @@
+Description: Fix possible buffer overflow problem in chkNum of scanner
+ CVE-2014-1236: buffer overflow from user input (the regexp in chkNum
+ would accept arbitrary long digit list)
+Origin: backport, https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff
+Bug-Debian: http://bugs.debian.org/734745
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1050872
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2014-01-11
+
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -131,15 +131,32 @@
+ * and report this to the user.
+ */
+ static int chkNum(void) {
+- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
+- if (!isdigit(c) && (c != '.')) { /* c is letter */
+- char buf[BUFSIZ];
+- sprintf(buf,"syntax error - badly formed number '%s' in line %d\n",yytext,line_num);
+- strcat (buf, "splits into two name tokens");
+- agerr(AGWARN,buf);
+- return 1;
+- }
+- else return 0;
++ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
++ if (!isdigit(c) && (c != '.')) { /* c is letter */
++ unsigned char xbuf[BUFSIZ];
++ char buf[BUFSIZ];
++ agxbuf xb;
++ char* fname;
++
++ if (InputFile)
++ fname = InputFile;
++ else
++ fname = "input";
++
++ agxbinit(&xb, BUFSIZ, xbuf);
++
++ agxbput(&xb,"syntax ambiguity - badly delimited number '");
++ agxbput(&xb,yytext);
++ sprintf(buf,"' in line %d of ", line_num);
++ agxbput(&xb,buf);
++ agxbput(&xb,fname);
++ agxbput(&xb, " splits into two tokens\n");
++ agerr(AGWARN,agxbuse(&xb));
++
++ agxbfree(&xb);
++ return 1;
++ }
++ else return 0;
+ }
+ 
+ /* The LETTER class below consists of ascii letters, underscore, all non-ascii
diff -Nru graphviz-2.26.3/debian/patches/series graphviz-2.26.3/debian/patches/series
--- graphviz-2.26.3/debian/patches/series 2013-03-12 02:51:27.000000000 +0100
+++ graphviz-2.26.3/debian/patches/series 2014-01-11 14:35:12.000000000 +0100
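Review bot: The new chkNum body calls agxbinit/agxbput/agxbuse/agxbfree, but this patch adds no `#include <agxbuf.h>` to scan.l; as far as the debdiff shows, it compiles only because CVE-2014-0978.patch, which precedes it in series, adds that include (unless cghdr.h already pulls it in, which is not visible here). A one-line DEP-3 note such as `Comment: relies on CVE-2014-0978.patch for the agxbuf.h include` would keep a later reorder or partial revert of the series from breaking the build silently. Two minor style points in the same hunk: `char* fname;` plus the four-line if/else can be `char *fname = InputFile ? InputFile : "input";`, and `sprintf(buf,"' in line %d of ", line_num);`, while safe for a single int, is more in keeping with the fix as `snprintf(buf, sizeof buf, "' in line %d of ", line_num);`. The user-facing text also changes from "syntax error - badly formed number" to "syntax ambiguity - badly delimited number", which follows upstream but is worth a mention in the changelog entry for anyone grepping logs.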
@@ -16,3 +16,5 @@
 explicit_ruby_1.8
 kfreebsd-hang.patch
 use-system-ltdl.patch
+CVE-2014-0978.patch
+CVE-2014-1236.patch