Fixed format string vulnerability
Resolves: rhbz#1167868
This commit is contained in:
parent
da9ec35313
commit
d4689ff480
13
graphviz-2.30.1-format-string.patch
Normal file
13
graphviz-2.30.1-format-string.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
|
||||
index 94e4c17..2255b59 100644
|
||||
--- a/lib/cgraph/scan.l
|
||||
+++ b/lib/cgraph/scan.l
|
||||
@@ -224,7 +224,7 @@ void yyerror(char *str)
|
||||
agxbput (&xb, buf);
|
||||
agxbput (&xb, yytext);
|
||||
agxbput (&xb,"'\n");
|
||||
- agerr(AGWARN,agxbuse(&xb));
|
||||
+ agerr(AGWARN, "%s", agxbuse(&xb));
|
||||
agxbfree(&xb);
|
||||
}
|
||||
/* must be here to see flex's macro defns */
|
@ -51,7 +51,7 @@
|
||||
Name: graphviz
|
||||
Summary: Graph Visualization Tools
|
||||
Version: 2.30.1
|
||||
Release: 12%{?dist}
|
||||
Release: 13%{?dist}
|
||||
Group: Applications/Multimedia
|
||||
License: EPL
|
||||
URL: http://www.graphviz.org/
|
||||
@ -79,6 +79,8 @@ Patch11: graphviz-2.30.1-man-fix.patch
|
||||
Patch12: graphviz-2.30.1-CVE-2014-0978-CVE-2014-1235.patch
|
||||
# Fix chknum overflow (CVE-2014-1236)
|
||||
Patch13: graphviz-2.30.1-CVE-2014-1236.patch
|
||||
# Backported from upstream
|
||||
Patch14: graphviz-2.30.1-format-string.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
|
||||
BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
|
||||
@ -288,6 +290,7 @@ Various tcl packages (extensions) for the graphviz tools.
|
||||
%patch11 -p1 -b .man-fix
|
||||
%patch12 -p1 -b .CVE-2014-0978-CVE-2014-1235
|
||||
%patch13 -p1 -b .CVE-2014-1236
|
||||
%patch14 -p1 -b .format-string
|
||||
|
||||
# Attempt to fix rpmlint warnings about executable sources
|
||||
find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
|
||||
@ -564,6 +567,10 @@ rm -rf %{buildroot}
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Nov 25 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.30.1-13
|
||||
- Fixed format string vulnerability
|
||||
Resolves: rhbz#1167868
|
||||
|
||||
* Fri Jan 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.30.1-12
|
||||
- Prevent possible buffer overflow in yyerror()
|
||||
Resolves: CVE-2014-1235
|
||||
|
Loading…
Reference in New Issue
Block a user