Fixed format string vulnerability

Resolves: rhbz#1167868

graphviz-2.34.0-format-string.patch

@@ -0,0 +1,13 @@
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index f01785a..e54a302 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -223,7 +223,7 @@ void yyerror(char *str)
+ 	agxbput (&xb, buf);
+ 	agxbput (&xb, yytext);
+ 	agxbput (&xb,"'\n");
+-	agerr(AGWARN,agxbuse(&xb));
++	agerr(AGWARN, "%s", agxbuse(&xb));
+ 	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */

graphviz.spec

@@ -52,7 +52,7 @@
 Name:			graphviz
 Summary:		Graph Visualization Tools
 Version:		2.34.0
-Release:		9%{?dist}
+Release:		10%{?dist}
 Group:			Applications/Multimedia
 License:		EPL
 URL:			http://www.graphviz.org/
@@ -69,6 +69,8 @@ Patch4:			graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch
 Patch5:			graphviz-2.34.0-CVE-2014-1236.patch
 # Backported fix for rhbz#1058323
 Patch6:			graphviz-2.34.0-lefty-xdot12.patch
+# Backported from upstream
+Patch7:			graphviz-2.34.0-format-string.patch
 BuildRoot:		%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:		zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
 BuildRequires:		ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
@@ -278,6 +280,7 @@ Various tcl packages (extensions) for the graphviz tools.
 %patch4 -p1 -b .CVE-2014-0978-CVE-2014-1235
 %patch5 -p1 -b .CVE-2014-1236
 %patch6 -p1 -b .left-xdot12
+%patch7 -p1 -b .format-string
 
 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@@ -566,6 +569,10 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Tue Nov 25 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-10
+- Fixed format string vulnerability
+  Resolves: rhbz#1167868
+
 * Mon Nov 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-9
 - Lefty now uses xdot-1.2, added ISO8859-1 fonts as requirement
   Resolves: rhbz#1058323