From cc965475c9e4df17271473124590d0d4f6a527e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= Date: Wed, 26 May 2021 14:58:03 +0200 Subject: [PATCH] Fixed buffer overflow in lib/common/shapes.c Resolves: CVE-2020-18032 Resolves: rhbz#1963395 --- graphviz-2.44.0-CVE-2020-18032.patch | 40 ++++++++++++++++++++++++++++ graphviz.spec | 9 ++++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 graphviz-2.44.0-CVE-2020-18032.patch diff --git a/graphviz-2.44.0-CVE-2020-18032.patch b/graphviz-2.44.0-CVE-2020-18032.patch new file mode 100644 index 0000000..b3b0ab9 --- /dev/null +++ b/graphviz-2.44.0-CVE-2020-18032.patch @@ -0,0 +1,40 @@ +From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Sat, 25 Jul 2020 19:31:01 -0700 +Subject: [PATCH] fix: out-of-bounds write on invalid label + +When the label for a node cannot be parsed (due to it being malformed), it falls +back on the symbol name of the node itself. I.e. the default label the node +would have had if it had no label attribute at all. However, this is applied by +dynamically altering the node's label to "\N", a shortcut for the symbol name of +the node. All of this is fine, however if the hand written label itself is +shorter than the literal string "\N", not enough memory would have been +allocated to write "\N" into the label text. + +Here we account for the possibility of error during label parsing, and assume +that the label text may need to be overwritten with "\N" after the fact. Fixes +issue #1700. +--- + lib/common/shapes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/common/shapes.c b/lib/common/shapes.c +index 0a0635fc3..9dca9ba6e 100644 +--- a/lib/common/shapes.c ++++ b/lib/common/shapes.c +@@ -3546,9 +3546,10 @@ static void record_init(node_t * n) + reclblp = ND_label(n)->text; + len = strlen(reclblp); + /* For some forgotten reason, an empty label is parsed into a space, so +- * we need at least two bytes in textbuf. ++ * we need at least two bytes in textbuf, as well as accounting for the ++ * error path involving "\\N" below. + */ +- len = MAX(len, 1); ++ len = MAX(MAX(len, 1), (int)strlen("\\N")); + textbuf = N_NEW(len + 1, char); + if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) { + agerr(AGERR, "bad label format %s\n", ND_label(n)->text); +-- +GitLab + diff --git a/graphviz.spec b/graphviz.spec index ae3c745..80dadc5 100644 --- a/graphviz.spec +++ b/graphviz.spec @@ -65,7 +65,7 @@ Name: graphviz Summary: Graph Visualization Tools Version: 2.44.0 -Release: 14%{?dist}.1 +Release: 14%{?dist}.2 License: EPL-1.0 URL: http://www.graphviz.org/ Source0: https://gitlab.com/%{name}/%{name}/-/archive/%{version}/%{name}-%{version}.tar.bz2 @@ -74,6 +74,7 @@ Patch0: graphviz-2.42.2-dotty-menu-fix.patch Patch1: graphviz-2.42.2-coverity-scan-fixes.patch # rhbz#1612692, https://gitlab.com/graphviz/graphviz/-/merge_requests/1367 Patch2: graphviz-2.44.0-man-fix.patch +Patch3: graphviz-2.44.0-CVE-2020-18032.patch BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2 BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig, sed BuildRequires: fontconfig-devel, libtool-ltdl-devel, ruby-devel, ruby, guile-devel @@ -288,6 +289,7 @@ Various tcl packages (extensions) for the graphviz tools. %patch0 -p1 -b .dotty-menu-fix %patch1 -p1 -b .coverity-scan-fixes %patch2 -p1 -b .man-fix +%patch3 -p1 -b .CVE-2020-18032 # Attempt to fix rpmlint warnings about executable sources find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';' @@ -585,6 +587,11 @@ php --no-php-ini \ %{_mandir}/man3/*.3tcl* %changelog +* Wed May 26 2021 Jaroslav Škarvada - 2.44.0-14.2 +- Fixed buffer overflow in lib/common/shapes.c + Resolves: CVE-2020-18032 + Resolves: rhbz#1963395 + * Wed Sep 02 2020 Richard W.M. Jones - 2.44.0-14.1 - Bump release and rebuild.