Fixed format string vulnerability

Resolves: rhbz#1167868
Lefty now uses xdot-1.2, added ISO8859-1 fonts as requirement
2014-11-25 17:53:17 +01:00 · 2014-11-11 13:37:57 +01:00
3 changed files with 61 additions and 7 deletions
--- a/graphviz-2.34.0-format-string.patch
+++ b/graphviz-2.34.0-format-string.patch
@ -0,0 +1,13 @@
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index f01785a..e54a302 100644
+--- a/lib/cgraph/scan.l
+++ b/lib/cgraph/scan.l
+@@ -223,7 +223,7 @@ void yyerror(char *str)
+ 	agxbput (&xb, buf);
+ 	agxbput (&xb, yytext);
+ 	agxbput (&xb,"'\n");
+-	agerr(AGWARN,agxbuse(&xb));
+	agerr(AGWARN, "%s", agxbuse(&xb));
+ 	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
--- a/graphviz-2.34.0-lefty-xdot12.patch
+++ b/graphviz-2.34.0-lefty-xdot12.patch
@ -0,0 +1,25 @@
+@@ -, +, @@ 
+---
+ cmd/dotty/dotty_layout.lefty | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+--- a/cmd/dotty/dotty_layout.lefty	
+++ a/cmd/dotty/dotty_layout.lefty	
+@@ -5,7 +5,7 @@ dotty.grablserver = function (lserver) {
+     local fd;
+ 
+     if (~dotty.lservers[lserver] | tablesize (dotty.lservers[lserver]) == 0) {
+-        if (~((fd = openio ('pipe', lserver, 'r+', '%e -Txdot')) >= 0)) {
+        if (~((fd = openio ('pipe', lserver, 'r+', '%e -Txdot1.2')) >= 0)) {
+             dotty.message (0, concat ('cannot start ', lserver));
+             return null;
+         }
+@@ -438,6 +438,8 @@ dotty.protogt.unpackdraw = function (gt, attr) {
+             }
+         } else if (t[i] == 'I') {
+             i = i + 7;
+        } else if (t[i] == 't') {
+            i = i + 2;
+         } else {
+             dotty.message (0, concat ('draw language parser error: ', t[i]));
+             return null;
+-- 
--- a/graphviz.spec
+++ b/graphviz.spec
@ -52,7 +52,7 @@
 Name:			graphviz
 Summary:		Graph Visualization Tools
 Version:		2.34.0
-Release:		8%{?dist}
+Release:		10%{?dist}
 Group:			Applications/Multimedia
 License:		EPL
 URL:			http://www.graphviz.org/
@ -67,6 +67,10 @@ Patch3:			graphviz-2.34.0-lefty-getaddrinfo.patch
 Patch4:			graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch
 # Fix chknum overflow (CVE-2014-1236)
 Patch5:			graphviz-2.34.0-CVE-2014-1236.patch
+# Backported fix for rhbz#1058323
+Patch6:			graphviz-2.34.0-lefty-xdot12.patch
+# Backported from upstream
+Patch7:			graphviz-2.34.0-format-string.patch
 BuildRoot:		%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:		zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
 BuildRequires:		ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
@ -98,7 +102,8 @@ BuildRequires:		gts-devel
 BuildRequires:		lasi-devel
 %endif
 BuildRequires:		urw-fonts, perl-ExtUtils-Embed, ghostscript-devel, librsvg2-devel
-Requires:		urw-fonts
+# ISO8859-1 fonts are required by lefty
+Requires:		urw-fonts, xorg-x11-fonts-ISO8859-1-100dpi
 # The vim is required by vimdot. The vim explicit dependency is not the best
 # solution, because gvim can be used instead, but there is nothing like
 # conditional dependencies in RPM, thus explicit dependency on vim shouldn't
@ -108,7 +113,7 @@ Requires(post):		/sbin/ldconfig
 Requires(postun):	/sbin/ldconfig

 %description
-A collection of tools for the manipulation and layout of graphs (as in nodes 
+A collection of tools for the manipulation and layout of graphs (as in nodes
 and edges, not as in barcharts).

 %package devel
@ -118,8 +123,8 @@ Requires:		%{name} = %{version}-%{release}, pkgconfig
 Requires:		%{name}-gd = %{version}-%{release}

 %description devel
-A collection of tools for the manipulation and layout of graphs (as in nodes 
-and edges, not as in barcharts). This package contains development files for 
+A collection of tools for the manipulation and layout of graphs (as in nodes
+and edges, not as in barcharts). This package contains development files for
 graphviz.

 %if %{DEVIL}
@ -149,8 +154,8 @@ Requires(post):		%{_bindir}/dot /sbin/ldconfig
 Requires(postun):	%{_bindir}/dot /sbin/ldconfig

 %description gd
-Graphviz plugin for renderers based on gd.  (Unless you absolutely have to use 
-GIF, you are recommended to use the PNG format instead because of the better 
+Graphviz plugin for renderers based on gd.  (Unless you absolutely have to use
+GIF, you are recommended to use the PNG format instead because of the better
 quality anti-aliased lines provided by the cairo+pango based renderer.)

 %package graphs
@ -274,6 +279,8 @@ Various tcl packages (extensions) for the graphviz tools.
 %patch3 -p1 -b .lefty-getaddrinfo
 %patch4 -p1 -b .CVE-2014-0978-CVE-2014-1235
 %patch5 -p1 -b .CVE-2014-1236
+%patch6 -p1 -b .left-xdot12
+%patch7 -p1 -b .format-string

 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@ -562,6 +569,15 @@ rm -rf %{buildroot}


 %changelog
+* Tue Nov 25 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-10
+- Fixed format string vulnerability
+  Resolves: rhbz#1167868
+
+* Mon Nov 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-9
+- Lefty now uses xdot-1.2, added ISO8859-1 fonts as requirement
+  Resolves: rhbz#1058323
+- Fixed spurious whitespaces
+
 * Thu Jan  9 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-8
 - Prevent possible buffer overflow in yyerror()
  Resolves: CVE-2014-1235
Author	SHA1	Message	Date
Jaroslav Škarvada	ccd1e1ab20	Fixed format string vulnerability Resolves: rhbz#1167868	2014-11-25 17:53:17 +01:00
Jaroslav Škarvada	f17e912aa0	Lefty now uses xdot-1.2, added ISO8859-1 fonts as requirement Resolves: rhbz#1058323 - Fixed spurious whitespaces	2014-11-11 13:37:57 +01:00