Updated CVE-2019-11023 patch

Related: CVE-2019-11023

graphviz-2.40.1-CVE-2019-11023.patch

@@ -0,0 +1,77 @@
+diff --git a/cmd/tools/graphml2gv.c b/cmd/tools/graphml2gv.c
+index 7b8214b..0910d99 100644
+--- a/cmd/tools/graphml2gv.c
++++ b/cmd/tools/graphml2gv.c
+@@ -477,8 +477,10 @@ startElementHandler(void *userData, const char *name, const char **atts)
+ 	if (pos > 0) {
+ 	    const char *attrname;
+ 	    attrname = atts[pos];
+-
+-	    bind_node(attrname);
++            if (G == 0)
++                fprintf(stderr,"node %s outside graph, ignored\n",attrname);
++	    else
++                bind_node(attrname);
+ 
+ 	    pushString(&ud->elements, attrname);
+ 	}
+@@ -504,21 +506,25 @@ startElementHandler(void *userData, const char *name, const char **atts)
+ 	if (tname)
+ 	    head = tname;
+ 
+-	bind_edge(tail, head);
++        if (G == 0)
++            fprintf(stderr,"edge source %s target %s outside graph, ignored\n",(char*)tail,(char*)head);
++        else {
++            bind_edge(tail, head);
+ 
+-	t = AGTAIL(E);
+-	tname = agnameof(t);
++            t = AGTAIL(E);
++	    tname = agnameof(t);
+ 
+-	if (strcmp(tname, tail) == 0) {
+-	    ud->edgeinverted = FALSE;
+-	} else if (strcmp(tname, head) == 0) {
+-	    ud->edgeinverted = TRUE;
+-	}
++	    if (strcmp(tname, tail) == 0) {
++	        ud->edgeinverted = FALSE;
++	    } else if (strcmp(tname, head) == 0) {
++	        ud->edgeinverted = TRUE;
++	    }
+ 
+-	pos = get_xml_attr("id", atts);
+-	if (pos > 0) {
+-	    setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
+-	}
++	    pos = get_xml_attr("id", atts);
++	    if (pos > 0) {
++	        setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
++	    }
++        }
+     } else {
+ 	/* must be some extension */
+ 	fprintf(stderr,
+@@ -539,7 +545,7 @@ static void endElementHandler(void *userData, const char *name)
+ 	char *ele_name = topString(ud->elements);
+ 	if (ud->closedElementType == TAG_GRAPH) {
+ 	    Agnode_t *node = agnode(root, ele_name, 0);
+-	    agdelete(root, node);
++	    if (node) agdelete(root, node);
+ 	}
+ 	popString(&ud->elements);
+ 	Current_class = TAG_GRAPH;
+diff --git a/lib/cgraph/obj.c b/lib/cgraph/obj.c
+index 7b1c8c1..709774e 100644
+--- a/lib/cgraph/obj.c
++++ b/lib/cgraph/obj.c
+@@ -168,6 +168,8 @@ void agdelcb(Agraph_t * g, void *obj, Agcbstack_t * cbstack)
+ 
+ Agraph_t *agroot(void* obj)
+ {
++    // fixes CVE-2019-11023 by moving the problem to the caller :-)
++    if (obj == 0) return NILgraph;
+     switch (AGTYPE(obj)) {
+     case AGINEDGE:
+     case AGOUTEDGE:

graphviz.spec

@@ -61,7 +61,7 @@
 Name:			graphviz
 Summary:		Graph Visualization Tools
 Version:		2.40.1
-Release:		36%{?dist}
+Release:		39%{?dist}
 License:		EPL
 URL:			http://www.graphviz.org/
 # A bit hacking needed due to: https://gitlab.com/graphviz/graphviz/issues/1371
@@ -72,6 +72,7 @@ Patch1:			graphviz-2.40.1-python3.patch
 Patch2:			graphviz-2.40.1-CVE-2018-10196.patch
 # rhbz#1505230
 Patch3:			graphviz-2.40.1-dotty-menu-fix.patch
+Patch5:			graphviz-2.40.1-CVE-2019-11023.patch
 BuildRequires:		zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
 BuildRequires:		ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
 BuildRequires:		fontconfig-devel, libtool-ltdl-devel, ruby-devel, ruby, guile-devel
@@ -287,6 +288,7 @@ Various tcl packages (extensions) for the graphviz tools.
 %patch1 -p1 -b .python3
 %patch2 -p1 -b .CVE-2018-10196
 %patch3 -p1 -b .dotty-menu-fix
+%patch5 -p1 -b .CVE-2019-11023
 
 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@@ -438,7 +440,7 @@ php --no-php-ini \
 
 %post
 /sbin/ldconfig
-%{_bindir}/dot -c
+%{_bindir}/dot -c 2>/dev/null || :
 
 %postun
 /sbin/ldconfig
@@ -602,6 +604,17 @@ php --no-php-ini \
 %{_mandir}/man3/*.3tcl*
 
 %changelog
+* Wed Apr 24 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 2.40.1-39
+- Updated CVE-2019-11023 patch
+  Related: CVE-2019-11023
+
+* Wed Apr 24 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 2.40.1-38
+- Fixed null pointer dereference in function agroot()
+  Resolves: CVE-2019-11023
+
+* Wed Sep 26 2018 Kevin Fenzi <kevin@scrye.com> - 2.40.1-37
+- Don't fail on post scriptlet failures.
+
 * Wed Jul 18 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.40.1-36
 - Fixed ghostscript requirements