Fixed buffer overflow in lib/common/shapes.c

Resolves: CVE-2020-18032
  Resolves: rhbz#1963395

graphviz-2.44.0-CVE-2020-18032.patch

@@ -0,0 +1,40 @@
+From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Sat, 25 Jul 2020 19:31:01 -0700
+Subject: [PATCH] fix: out-of-bounds write on invalid label
+
+When the label for a node cannot be parsed (due to it being malformed), it falls
+back on the symbol name of the node itself. I.e. the default label the node
+would have had if it had no label attribute at all. However, this is applied by
+dynamically altering the node's label to "\N", a shortcut for the symbol name of
+the node. All of this is fine, however if the hand written label itself is
+shorter than the literal string "\N", not enough memory would have been
+allocated to write "\N" into the label text.
+
+Here we account for the possibility of error during label parsing, and assume
+that the label text may need to be overwritten with "\N" after the fact. Fixes
+issue #1700.
+---
+ lib/common/shapes.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/common/shapes.c b/lib/common/shapes.c
+index 0a0635fc3..9dca9ba6e 100644
+--- a/lib/common/shapes.c
++++ b/lib/common/shapes.c
+@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
+     reclblp = ND_label(n)->text;
+     len = strlen(reclblp);
+     /* For some forgotten reason, an empty label is parsed into a space, so
+-     * we need at least two bytes in textbuf.
++     * we need at least two bytes in textbuf, as well as accounting for the
++     * error path involving "\\N" below.
+      */
+-    len = MAX(len, 1);
++    len = MAX(MAX(len, 1), (int)strlen("\\N"));
+     textbuf = N_NEW(len + 1, char);
+     if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
+ 	agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
+-- 
+GitLab
+

graphviz.spec

@@ -65,7 +65,7 @@
 Name:			graphviz
 Summary:		Graph Visualization Tools
 Version:		2.44.0
-Release:		14%{?dist}
+Release:		14%{?dist}.2
 License:		EPL-1.0
 URL:			http://www.graphviz.org/
 Source0:		https://gitlab.com/%{name}/%{name}/-/archive/%{version}/%{name}-%{version}.tar.bz2
@@ -74,6 +74,7 @@ Patch0:			graphviz-2.42.2-dotty-menu-fix.patch
 Patch1:			graphviz-2.42.2-coverity-scan-fixes.patch
 # rhbz#1612692, https://gitlab.com/graphviz/graphviz/-/merge_requests/1367
 Patch2:			graphviz-2.44.0-man-fix.patch
+Patch3:			graphviz-2.44.0-CVE-2020-18032.patch
 BuildRequires:		zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
 BuildRequires:		ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig, sed
 BuildRequires:		fontconfig-devel, libtool-ltdl-devel, ruby-devel, ruby, guile-devel
@@ -288,6 +289,7 @@ Various tcl packages (extensions) for the graphviz tools.
 %patch0 -p1 -b .dotty-menu-fix
 %patch1 -p1 -b .coverity-scan-fixes
 %patch2 -p1 -b .man-fix
+%patch3 -p1 -b .CVE-2020-18032
 
 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@@ -585,6 +587,14 @@ php --no-php-ini \
 %{_mandir}/man3/*.3tcl*
 
 %changelog
+* Wed May 26 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 2.44.0-14.2
+- Fixed buffer overflow in lib/common/shapes.c
+  Resolves: CVE-2020-18032
+  Resolves: rhbz#1963395
+
+* Wed Sep 02 2020 Richard W.M. Jones <rjones@redhat.com> - 2.44.0-14.1
+- Bump release and rebuild.
+
 * Tue Sep 01 2020 Richard W.M. Jones <rjones@redhat.com> - 2.44.0-14
 - OCaml 4.11.1 rebuild