Compare commits
2 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
ccd1e1ab20 | ||
|
f17e912aa0 |
13
graphviz-2.34.0-format-string.patch
Normal file
13
graphviz-2.34.0-format-string.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
|
||||
index f01785a..e54a302 100644
|
||||
--- a/lib/cgraph/scan.l
|
||||
+++ b/lib/cgraph/scan.l
|
||||
@@ -223,7 +223,7 @@ void yyerror(char *str)
|
||||
agxbput (&xb, buf);
|
||||
agxbput (&xb, yytext);
|
||||
agxbput (&xb,"'\n");
|
||||
- agerr(AGWARN,agxbuse(&xb));
|
||||
+ agerr(AGWARN, "%s", agxbuse(&xb));
|
||||
agxbfree(&xb);
|
||||
}
|
||||
/* must be here to see flex's macro defns */
|
25
graphviz-2.34.0-lefty-xdot12.patch
Normal file
25
graphviz-2.34.0-lefty-xdot12.patch
Normal file
@ -0,0 +1,25 @@
|
||||
@@ -, +, @@
|
||||
---
|
||||
cmd/dotty/dotty_layout.lefty | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
--- a/cmd/dotty/dotty_layout.lefty
|
||||
+++ a/cmd/dotty/dotty_layout.lefty
|
||||
@@ -5,7 +5,7 @@ dotty.grablserver = function (lserver) {
|
||||
local fd;
|
||||
|
||||
if (~dotty.lservers[lserver] | tablesize (dotty.lservers[lserver]) == 0) {
|
||||
- if (~((fd = openio ('pipe', lserver, 'r+', '%e -Txdot')) >= 0)) {
|
||||
+ if (~((fd = openio ('pipe', lserver, 'r+', '%e -Txdot1.2')) >= 0)) {
|
||||
dotty.message (0, concat ('cannot start ', lserver));
|
||||
return null;
|
||||
}
|
||||
@@ -438,6 +438,8 @@ dotty.protogt.unpackdraw = function (gt, attr) {
|
||||
}
|
||||
} else if (t[i] == 'I') {
|
||||
i = i + 7;
|
||||
+ } else if (t[i] == 't') {
|
||||
+ i = i + 2;
|
||||
} else {
|
||||
dotty.message (0, concat ('draw language parser error: ', t[i]));
|
||||
return null;
|
||||
--
|
@ -52,7 +52,7 @@
|
||||
Name: graphviz
|
||||
Summary: Graph Visualization Tools
|
||||
Version: 2.34.0
|
||||
Release: 8%{?dist}
|
||||
Release: 10%{?dist}
|
||||
Group: Applications/Multimedia
|
||||
License: EPL
|
||||
URL: http://www.graphviz.org/
|
||||
@ -67,6 +67,10 @@ Patch3: graphviz-2.34.0-lefty-getaddrinfo.patch
|
||||
Patch4: graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch
|
||||
# Fix chknum overflow (CVE-2014-1236)
|
||||
Patch5: graphviz-2.34.0-CVE-2014-1236.patch
|
||||
# Backported fix for rhbz#1058323
|
||||
Patch6: graphviz-2.34.0-lefty-xdot12.patch
|
||||
# Backported from upstream
|
||||
Patch7: graphviz-2.34.0-format-string.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
|
||||
BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
|
||||
@ -98,7 +102,8 @@ BuildRequires: gts-devel
|
||||
BuildRequires: lasi-devel
|
||||
%endif
|
||||
BuildRequires: urw-fonts, perl-ExtUtils-Embed, ghostscript-devel, librsvg2-devel
|
||||
Requires: urw-fonts
|
||||
# ISO8859-1 fonts are required by lefty
|
||||
Requires: urw-fonts, xorg-x11-fonts-ISO8859-1-100dpi
|
||||
# The vim is required by vimdot. The vim explicit dependency is not the best
|
||||
# solution, because gvim can be used instead, but there is nothing like
|
||||
# conditional dependencies in RPM, thus explicit dependency on vim shouldn't
|
||||
@ -274,6 +279,8 @@ Various tcl packages (extensions) for the graphviz tools.
|
||||
%patch3 -p1 -b .lefty-getaddrinfo
|
||||
%patch4 -p1 -b .CVE-2014-0978-CVE-2014-1235
|
||||
%patch5 -p1 -b .CVE-2014-1236
|
||||
%patch6 -p1 -b .left-xdot12
|
||||
%patch7 -p1 -b .format-string
|
||||
|
||||
# Attempt to fix rpmlint warnings about executable sources
|
||||
find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
|
||||
@ -562,6 +569,15 @@ rm -rf %{buildroot}
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Nov 25 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-10
|
||||
- Fixed format string vulnerability
|
||||
Resolves: rhbz#1167868
|
||||
|
||||
* Mon Nov 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-9
|
||||
- Lefty now uses xdot-1.2, added ISO8859-1 fonts as requirement
|
||||
Resolves: rhbz#1058323
|
||||
- Fixed spurious whitespaces
|
||||
|
||||
* Thu Jan 9 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-8
|
||||
- Prevent possible buffer overflow in yyerror()
|
||||
Resolves: CVE-2014-1235
|
||||
|
Loading…
Reference in New Issue
Block a user