|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 4409 CVE : CVE-2008-4555 CWE : CWE-119 SecurityRisk : High  (About) Remote Exploit : No Local Exploit : Yes Victim interaction required : No Exploit Available : No Credit : ibm Published : 16.10.2008
Advisory Content : The graphviz team has just released a patch to a critical security issue I reported to them. The following is the advisory (also available at http://roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execut ion.html): Background ========== Graphviz is an open-source multi-platform graph visualization software. It takes a description of graphs in a simple text format (DOT language), and makes diagrams out of it in several useful formats (including SVG). Description =========== A vulnerability exists in Graphviz's parsing engine which makes it possible to overflow a globally allocated array and corrupt memory by doing so. parser.y (Graphviz 2.20.2): 34: static Agraph_t *Gstack[32]; 35: static int GSP; 45: static void push_subg(Agraph_t *g) 46: { 47: G = Gstack[GSP++] = g; 48: } As it can be seen, no bounds check is performed by the push_svg procedure, allowing one to overflow Gstack by pushing more than 32 (Agraph_t *) elements. Impact/Severity =============== A malicious user can achieve an arbitrary code execution by creating a specially crafted DOT file and convince the victim to render it using Graphviz. Affected versions ================= Graphviz 2.20.2 is affected by this vulnerability. Older version are probably affected as well. Workaround =========== Version 2.20.3 has been released in order to address this issue. A bounds check has been added in order to avoid an overflow. parser.y (Graphviz 2.20.3): 34: #define GSTACK_SIZE 64 35: static Agraph_t *Gstack[GSTACK_SIZE]; 36: static int GSP; 45: 46: static void push_subg(Agraph_t *g) 47: { 48: if (GSP >= GSTACK_SIZE) { 49: agerr (AGERR, "Gstack overflow in graph parser\n"); exit(1); 50: } 51: G = Gstack[GSP++] = g; 52: } Acknowledgements ================ I would like to thank the Graphviz team (Stephen C. North, John Ellson, Emden R. Gansner and others) for their quick responses and fix (it took them only a day since my disclosure to release a patch!). References : http://www.securityfocus.com/bid/31648
http://www.securityfocus.com/archive/1/archive/1/497150/100/0/threaded
http://secunia.com/advisories/32186
http://roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execution.html
http://bugs.gentoo.org/show_bug.cgi?id=240636  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |