Bug#772648: graphviz: format string vulnerability (CVE-2014-9157)
Package: graphviz
Version: 2.38.0-6
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu vivid ubuntu-patch

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Format string vulnerability may allow attackers to
    cause a denial of service or possibly execute code.
    - debian/patches/CVE-2014-9157.patch: Fix format string vulnerability
      in lib/cgraph/scan.l yyerror() routine.
    - CVE-2014-9157

Thanks for considering the patch.

-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru graphviz-2.38.0/debian/changelog graphviz-2.38.0/debian/changelog diff -Nru graphviz-2.38.0/debian/patches/CVE-2014-9157.patch graphviz-2.38.0/debian/patches/CVE-2014-9157.patch --- graphviz-2.38.0/debian/patches/CVE-2014-9157.patch 1969-12-31 19:00:00.0 -0500 +++ graphviz-2.38.0/debian/patches/CVE-2014-9157.patch 2014-12-09 09:09:43.0 -0500 
@@ -0,0 +1,21 @@ +Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine +Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081 +Author: Emden R. Gansner + +--- + lib/cgraph/scan.l |2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: b/lib/cgraph/scan.l +=== +--- a/lib/cgraph/scan.l b/lib/cgraph/scan.l +@@ -225,7 +225,7 @@ + agxbput (&xb, buf); + agxbput (&xb, yytext); + agxbput (&xb,"'\n"); +- agerr(AGERR,agxbuse(&xb)); ++ agerr(AGERR, "%s", agxbuse(&xb)); + agxbfree(&xb); + } + /* must be here to see flex's macro defns */ diff -Nru graphviz-2.38.0/debian/patches/series graphviz-2.38.0/debian/patches/series --- graphviz-2.38.0/debian/patches/series 2014-09-01 17:13:51.0 -0400 +++ graphviz-2.38.0/debian/patches/series 2014-12-09 09:09:43.0 -0500 @@ -11,3 +11,4 @@ reduce-lab-color.patch add-libm-to-dot-link.patch versioned-plugin-config-file.diff +CVE-2014-9157.patch
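Review bot: the `"%s"` guard is the correct minimal fix, because the buffer handed to agerr() is assembled from yytext, i.e. from whatever text the lexer just read out of the input graph, so `agerr(AGERR,agxbuse(&xb));` let that input act as the format string, and `agerr(AGERR, "%s", agxbuse(&xb));` makes it plain data. The patch touches only this one call site in lib/cgraph/scan.l (1 insertion, 1 deletion), so a worthwhile follow-up is to build with -Wformat -Wformat-security, which warns on any non-literal format string passed without format arguments and would surface any other call of the same shape. One documentation point: the patch header carries Subject, Origin and Author but no Bug-Debian line; adding `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772648`, as the openslp patch in the next report does, would tie the patch to this bug.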
Bug#795429: CVE-2015-5177
Package: openslp-dfsg
Version: 1.2.1-10
Followup-For: Bug #795429
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu wily ubuntu-patch

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service via double free flaw
    - debian/patches/CVE-2015-5177.patch: fix double free if
      SLPDKnownDAAdd() fails in slpd/slpd_knownda.c.
    - CVE-2015-5177

Thanks for considering the patch.

-- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid-proposed'), (500, 'vivid'), (100, 'vivid-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-27-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru openslp-dfsg-1.2.1/debian/changelog openslp-dfsg-1.2.1/debian/changelog diff -Nru openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch --- openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch 1969-12-31 19:00:00.0 -0500 +++ openslp-dfsg-1.2.1/debian/patches/CVE-2015-5177.patch 2015-08-28 15:29:54.0 -0400 
@@ -0,0 +1,30 @@ +Description: fix denial of service via double free flaw +Origin: backport, http://sourceforge.net/p/openslp/mercurial/ci/2bc15d0494f886d9c4fe342d23bc160605aea51d/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795429 + +Index: openslp-dfsg-1.2.1/slpd/slpd_knownda.c +=== +--- openslp-dfsg-1.2.1.orig/slpd/slpd_knownda.c 2005-02-08 00:34:31.0 -0500 openslp-dfsg-1.2.1/slpd/slpd_knownda.c 2015-08-28 15:27:26.098428039 -0400 +@@ -823,15 +823,15 @@ + */ + SLPDLogDAAdvertisement("Removed",entry); + } ++/* If we are here, we need to cleanup the message descriptor and the */ ++/* message buffer because they were not added to the database and not */ ++/* cleaning them up would result in a memory leak. This is because we */ ++/* return zero, so the caller thinks it must not do the cleanup. */ ++SLPMessageFree(msg); ++SLPBufferFree(buf); + } + + CLEANUP: +-/* If we are here, we need to cleanup the message descriptor and the */ +-/* message buffer because they were not added to the database and not */ +-/* cleaning them up would result in a memory leak */ +-/* We also need to make sure the Database handle is closed. */ +-SLPMessageFree(msg); +-SLPBufferFree(buf); + if (dh) SLPDatabaseClose(dh); + + return result; diff -Nru openslp-dfsg-1.2.1/debian/patches/series openslp-dfsg-1.2.1/debian/patches/series --- openslp-dfsg-1.2.1/debian/patches/series 2014-07-25 10:14:50.0 -0400 +++ openslp-dfsg-1.2.1/debian/patches/series 2015-08-28 15:23:23.0 -0400 @@ -4,3 +4,4 @@ fix-typo.patch fix-automake-cond-spelling.patch CVE-2012-4428.patch +CVE-2015-5177.patch
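Review bot: the move looks sound as far as the hunk shows, but the new comment justifies the frees with `we return zero, so the caller thinks it must not do the cleanup`, and the hunk shows neither where `result` is set nor the other jumps to CLEANUP:, so confirm two things against the full function: that every path landing on CLEANUP: now returns nonzero (so the caller is the one that frees `msg` and `buf`), and that the block ending in the new SLPMessageFree(msg)/SLPBufferFree(buf) is the only one returning zero. If a CLEANUP: path still returns zero, the leak the old comment described comes back; if the success path can also fall through to CLEANUP:, the double free this patch is meant to remove remains. Minor: the deleted comment line `We also need to make sure the Database handle is closed.` documented the `if (dh) SLPDatabaseClose(dh);` that stays under CLEANUP:, so it could be kept there instead of being dropped with the rest of the old comment.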