From 90c4f35ee2cf8e3a3556e47d3d2c4fb75807ee49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?=
Date: Wed, 24 Apr 2019 13:48:57 +0200
Subject: [PATCH] Fixed null pointer dereference in function agroot() Resolves: CVE-2019-11023
---
graphviz-2.40.1-CVE-2019-11023.patch | 64 ++++++++++++++++++++++++++++
graphviz.spec | 8 +++-
2 files changed, 71 insertions(+), 1 deletion(-)
create mode 100644 graphviz-2.40.1-CVE-2019-11023.patch
diff --git a/graphviz-2.40.1-CVE-2019-11023.patch b/graphviz-2.40.1-CVE-2019-11023.patch
new file mode 100644
index 0000000..bb4aa16
--- /dev/null
+++ b/graphviz-2.40.1-CVE-2019-11023.patch
@@ -0,0 +1,64 @@
+diff --git a/cmd/tools/graphml2gv.c b/cmd/tools/graphml2gv.c
+index 7b8214b..0910d99 100644
+--- a/cmd/tools/graphml2gv.c
++++ b/cmd/tools/graphml2gv.c
+@@ -477,8 +477,10 @@ startElementHandler(void *userData, const char *name, const char **atts)
+ if (pos > 0) {
+ const char *attrname;
+ attrname = atts[pos];
+-
+- bind_node(attrname);
++ if (G == 0)
++ fprintf(stderr,"node %s outside graph, ignored\n",attrname);
++ else
++ bind_node(attrname);
+
+ pushString(&ud->elements, attrname);
+ }
+@@ -504,21 +506,25 @@ startElementHandler(void *userData, const char *name, const char **atts)
+ if (tname)
+ head = tname;
+
+- bind_edge(tail, head);
++ if (G == 0)
++ fprintf(stderr,"edge source %s target %s outside graph, ignored\n",(char*)tail,(char*)head);
++ else {
++ bind_edge(tail, head);
+
+- t = AGTAIL(E);
+- tname = agnameof(t);
++ t = AGTAIL(E);
++ tname = agnameof(t);
+
+- if (strcmp(tname, tail) == 0) {
+- ud->edgeinverted = FALSE;
+- } else if (strcmp(tname, head) == 0) {
+- ud->edgeinverted = TRUE;
+- }
++ if (strcmp(tname, tail) == 0) {
++ ud->edgeinverted = FALSE;
++ } else if (strcmp(tname, head) == 0) {
++ ud->edgeinverted = TRUE;
++ }
+
+- pos = get_xml_attr("id", atts);
+- if (pos > 0) {
+- setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
+- }
++ pos = get_xml_attr("id", atts);
++ if (pos > 0) {
++ setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
++ }
++ }
+ } else {
+ /* must be some extension */
+ fprintf(stderr,
+@@ -539,7 +545,7 @@ static void endElementHandler(void *userData, const char *name)
+ char *ele_name = topString(ud->elements);
+ if (ud->closedElementType == TAG_GRAPH) {
+ Agnode_t *node = agnode(root, ele_name, 0);
+- agdelete(root, node);
++ if (node) agdelete(root, node);
+ }
+ popString(&ud->elements);
+ Current_class = TAG_GRAPH;
diff --git a/graphviz.spec b/graphviz.spec
index f47ad87..279bfc7 100644
--- a/graphviz.spec
+++ b/graphviz.spec
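Review bot: In startElementHandler the new `G == 0` branches only skip `bind_node()` / `bind_edge()`; the node path still runs `pushString(&ud->elements, attrname)`, and the edge path leaves `ud->edgeinverted` and the current edge `E` (presumably set by `bind_edge()`) at whatever an earlier element left. Code outside these hunks that handles child or closing elements would then presumably act on state from an earlier element for one that was just reported as ignored, so the uses of `E` in the full file are worth checking and, if needed, the state should be cleared in the ignore branch. The guards would also benefit from a short comment such as `/* no enclosing <graph> yet: G is null, so skip binding rather than dereference it */`, since the reason `G` can be null is not obvious at the call site. Both function bodies start and end outside the hunks shown.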
@@ -61,7 +61,7 @@ Name: graphviz Summary: Graph Visualization Tools Version: 2.40.1 -Release: 37%{?dist} +Release: 38%{?dist} License: EPL URL: http://www.graphviz.org/ # A bit hacking needed due to: https://gitlab.com/graphviz/graphviz/issues/1371 @@ -72,6 +72,7 @@ Patch1: graphviz-2.40.1-python3.patch Patch2: graphviz-2.40.1-CVE-2018-10196.patch # rhbz#1505230 Patch3: graphviz-2.40.1-dotty-menu-fix.patch +Patch5: graphviz-2.40.1-CVE-2019-11023.patch BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2 BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig BuildRequires: fontconfig-devel, libtool-ltdl-devel, ruby-devel, ruby, guile-devel @@ -287,6 +288,7 @@ Various tcl packages (extensions) for the graphviz tools. %patch1 -p1 -b .python3 %patch2 -p1 -b .CVE-2018-10196 %patch3 -p1 -b .dotty-menu-fix +%patch5 -p1 -b .CVE-2019-11023 # Attempt to fix rpmlint warnings about executable sources find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';' @@ -602,6 +604,10 @@ php --no-php-ini \ %{_mandir}/man3/*.3tcl* %changelog +* Wed Apr 24 2019 Jaroslav Škarvada - 2.40.1-38 +- Fixed null pointer dereference in function agroot() + Resolves: CVE-2019-11023 + * Wed Sep 26 2018 Kevin Fenzi - 2.40.1-37 - Don't fail on post scriptlet failures.