Fixed format string vulnerability
Resolves: rhbz#1167869
parent 99ce361b11
commit a3626aee12
13
graphviz-2.12-format-string.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
diff --git a/lib/agraph/scan.l b/lib/agraph/scan.l
|
||||||
|
index 02eaaab..799ff89 100644
|
||||||
|
--- a/lib/agraph/scan.l
|
||||||
|
+++ b/lib/agraph/scan.l
|
||||||
|
@@ -179,7 +179,7 @@ void yyerror(char *str)
|
||||||
|
agxbput (&xb, buf);
|
||||||
|
agxbput (&xb, yytext);
|
||||||
|
agxbput (&xb,"'\n");
|
||||||
|
- agerror(AGERROR_SYNTAX,agxbuse(&xb));
|
||||||
|
+ agerror(AGERROR_SYNTAX, "%s", agxbuse(&xb));
|
||||||
|
agxbfree(&xb);
|
||||||
|
}
|
||||||
|
/* must be here to see flex's macro defns */
|
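Review bot: only the single agerror() call in yyerror() of lib/agraph/scan.l gets the "%s" argument, so any other caller that passes a built string as the format still needs checking. The string passed here is assembled with agxbput() from buf and yytext, meaning scanner input reached the format position; other agerror() calls whose second argument is not a string literal would have the same problem. Suggest grepping the tree for them before closing the bug, and, if agerror() is declared with a printf format attribute, building with -Wformat -Wformat-security so the compiler flags such calls.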
@ -7,7 +7,7 @@
|
|||||||
#-- graphviz src.rpm --------------------------------------------------------
|
#-- graphviz src.rpm --------------------------------------------------------
|
||||||
Name: graphviz
|
Name: graphviz
|
||||||
Version: 2.12
|
Version: 2.12
|
||||||
Release: 10%{?dist}
|
Release: 11%{?dist}
|
||||||
|
|
||||||
License: CPL
|
License: CPL
|
||||||
URL: http://www.graphviz.org/
|
URL: http://www.graphviz.org/
|
||||||
@ -18,6 +18,8 @@ Patch1: %{name}-libcdt.patch
|
|||||||
Patch2: graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
|
Patch2: graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
|
||||||
# Fix chknum overflow (CVE-2014-1236)
|
# Fix chknum overflow (CVE-2014-1236)
|
||||||
Patch3: graphviz-2.12-CVE-2014-1236.patch
|
Patch3: graphviz-2.12-CVE-2014-1236.patch
|
||||||
|
# Backported from upstream
|
||||||
|
Patch4: graphviz-2.12-format-string.patch
|
||||||
|
|
||||||
# graphviz is relocatable
|
# graphviz is relocatable
|
||||||
#Prefix: /usr
|
#Prefix: /usr
|
||||||
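Review bot: the "# Backported from upstream" comment above Patch4 does not say what the patch fixes or which upstream change it came from. The Patch3 comment just above names its issue ("Fix chknum overflow (CVE-2014-1236)"); doing the same here, for example "# Fix format string vulnerability in yyerror() (rhbz#1167869), backported from upstream", plus a reference to the upstream commit, would let a later maintainer tell when the patch can be dropped on rebase.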
@ -414,6 +416,7 @@ Provides some additional PDF and HTML documentation for graphviz.
|
|||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1 -b .CVE-2014-0978-CVE-2014-1235
|
%patch2 -p1 -b .CVE-2014-0978-CVE-2014-1235
|
||||||
%patch3 -p1 -b .CVE-2014-1236
|
%patch3 -p1 -b .CVE-2014-1236
|
||||||
|
%patch4 -p1 -b .format-string
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# XXX ix86 only used to have -ffast-math, let's use everywhere
|
# XXX ix86 only used to have -ffast-math, let's use everywhere
|
||||||
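Review bot: %patch4 modifies lib/agraph/scan.l, a flex source, so the fix only reaches the binary if the build regenerates the scanner from it. If the 2.12 tarball ships a pre-generated C scanner that the build compiles as-is, the agerror() call in the generated file would stay unpatched. Please confirm the build runs flex on scan.l (or that the generated file is removed or patched as well). The -p1 level matches the a/ and b/ prefixes in the patch, and the -b .format-string suffix follows the convention of the %patch2 and %patch3 lines.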
@ -450,6 +453,10 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
#-- changelog --------------------------------------------------
|
#-- changelog --------------------------------------------------
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 25 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.12-11
|
||||||
|
- Fixed format string vulnerability
|
||||||
|
Resolves: rhbz#1167869
|
||||||
|
|
||||||
* Fri Jan 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.12-10
|
* Fri Jan 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.12-10
|
||||||
- Prevent possible buffer overflow in yyerror()
|
- Prevent possible buffer overflow in yyerror()
|
||||||
Resolves: CVE-2014-1235
|
Resolves: CVE-2014-1235
|
||||||
|
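Review bot: the new changelog entry "Fixed format string vulnerability" does not say where the bug was, while the 2.12-10 entry below it names yyerror(). Suggest naming the function here too, for example "Fixed format string vulnerability in yyerror()", so the entry can be matched to graphviz-2.12-format-string.patch without opening the bug.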