diff --git a/graphviz-2.34.0-format-string.patch b/graphviz-2.34.0-format-string.patch
new file mode 100644
index 0000000..ad37d8b
--- /dev/null
+++ b/graphviz-2.34.0-format-string.patch
@@ -0,0 +1,13 @@
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index f01785a..e54a302 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -223,7 +223,7 @@ void yyerror(char *str)
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
+- agerr(AGWARN,agxbuse(&xb));
++ agerr(AGWARN, "%s", agxbuse(&xb));
+ agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
diff --git a/graphviz.spec b/graphviz.spec
index a1b79fd..b77ffce 100644
--- a/graphviz.spec
+++ b/graphviz.spec
@@ -52,7 +52,7 @@
 Name: graphviz
 Summary: Graph Visualization Tools
 Version: 2.34.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group: Applications/Multimedia
 License: EPL
 URL: http://www.graphviz.org/
@@ -69,6 +69,8 @@ Patch4: graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch
 Patch5: graphviz-2.34.0-CVE-2014-1236.patch
 # Backported fix for rhbz#1058323
 Patch6: graphviz-2.34.0-lefty-xdot12.patch
+# Backported from upstream
+Patch7: graphviz-2.34.0-format-string.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
 BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
@@ -278,6 +280,7 @@ Various tcl packages (extensions) for the graphviz tools.
 %patch4 -p1 -b .CVE-2014-0978-CVE-2014-1235
 %patch5 -p1 -b .CVE-2014-1236
 %patch6 -p1 -b .left-xdot12
+%patch7 -p1 -b .format-string
 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
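Review bot: Only the single `agerr` call in `yyerror` (the embedded lib/cgraph/scan.l hunk of graphviz-2.34.0-format-string.patch) is switched to a literal format, so any other caller that passes `agerr` a buffer assembled from parsed input as its format argument would still have that input interpreted as format directives. No such caller is visible in this patch, so this is something to audit rather than a known defect; if `agerr` is declared with a printf format attribute, building with `-Wformat -Wformat-security` reports non-literal format arguments and would show whether this was the only site. The new line `agerr(AGWARN, "%s", agxbuse(&xb));` is the right shape, since `yytext` now reaches the message only as data. `yyerror` begins above the embedded hunk, so how `buf` is filled cannot be checked from here.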
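Review bot: The comment `# Backported from upstream` added above `Patch7` in graphviz.spec does not say what the patch fixes or which bug it belongs to, unlike the `# Backported fix for rhbz#1058323` comment on `Patch6`. Suggest `# Backported from upstream, fixes format string vulnerability in yyerror (rhbz#1167868)`, so the spec links the patch to the bug cited in the changelog entry. The embedded patch file also has no description header, so a one-line summary at its top would keep the backport traceable once it is separated from this commit.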
@@ -566,6 +569,10 @@ rm -rf %{buildroot}
 %changelog
+* Tue Nov 25 2014 Jaroslav Škarvada - 2.34.0-10
+- Fixed format string vulnerability
+ Resolves: rhbz#1167868
+
 * Mon Nov 10 2014 Jaroslav Škarvada - 2.34.0-9
 - Lefty now uses xdot-1.2, added ISO8859-1 fonts as requirement
 Resolves: rhbz#1058323