graphviz: format string vulnerability (CVE-2014-9157)

Related Vulnerabilities: CVE-2014-9157  

Debian Bug report logs - #772648

Reported by: Marc Deslauriers <marc.deslauriers@ubuntu.com>

Date: Tue, 9 Dec 2014 14:51:02 UTC

Severity: serious

Tags: fixed-upstream, patch, security, upstream

Found in versions graphviz/2.38.0-6, graphviz/2.26.3-14

Fixed in versions graphviz/2.38.0-7, graphviz/2.26.3-5+squeeze3, graphviz/2.26.3-14+deb7u2

Done: Thorsten Alteholz <debian@alteholz.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#772648; Package graphviz. (Tue, 09 Dec 2014 14:51:07 GMT).


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 09 Dec 2014 14:51:07 GMT).


Message #5 received at submit@bugs.debian.org:

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: graphviz: format string vulnerability (CVE-2014-9157)
Date: Tue, 09 Dec 2014 09:48:04 -0500
Package: graphviz
Version: 2.38.0-6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu vivid ubuntu-patch



*** /tmp/tmp5q_TKj/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Format string vulnerability may allow attackers to
    cause a denial of service or possibly execute code.
    - debian/patches/CVE-2014-9157.patch: Fix format string vulnerability in
      lib/cgraph/scan.l yyerror() routine.
    - CVE-2014-9157


Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[graphviz_2.38.0-6ubuntu1.debdiff (text/x-diff, attachment)]
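
The bug class named in this report, as an added example that is not part of the bug log and is not Graphviz code: a simplified scanner error routine that passes a message containing input text as the format argument, next to the corrected call. The names log_error, yyerror_vulnerable, yyerror_fixed and count_conversions, and the message layout, are assumptions for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style error sink (assumption: stands in for a
 * library's variadic error reporter). Writes into `out` for inspection. */
static int log_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Assemble the diagnostic: a fixed prefix plus text taken from the input
 * file being scanned. From here on, `msg` is data, not a format string. */
static void build_message(char *msg, size_t n, int line, const char *near_text)
{
    snprintf(msg, n, "syntax error in line %d near '%s'", line, near_text);
}

/* Vulnerable pattern: the assembled message is handed over as the FORMAT,
 * so any '%' sequence that came from the input file is interpreted. */
static int yyerror_vulnerable(char *out, size_t n, int line, const char *near_text)
{
    char msg[256];
    build_message(msg, sizeof msg, line, near_text);
    return log_error(out, n, msg);
}

/* Corrected pattern: constant format, message passed as an argument. */
static int yyerror_fixed(char *out, size_t n, int line, const char *near_text)
{
    char msg[256];
    build_message(msg, sizeof msg, line, near_text);
    return log_error(out, n, "%s", msg);
}

/* Audit helper: count sequences in `s` that a printf-family function would
 * treat as conversions ("%%" is a literal percent and is not counted). */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* skip the escaped percent */
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample token. It contains only "%%", so the vulnerable
     * call stays well-defined; any other specifier would make it read
     * arguments that were never passed. */
    const char *token = "a%%b";
    char v[256], f[256];

    yyerror_vulnerable(v, sizeof v, 3, token);
    yyerror_fixed(f, sizeof f, 3, token);
    printf("vulnerable: %s\n", v);   /* input was interpreted as a format */
    printf("fixed:      %s\n", f);   /* input reproduced byte for byte */
    printf("conversions in token: %d\n", count_conversions(token));
    return 0;
}
```

The differing output for the same token shows that the first variant interprets file content as a format string; building with -Wformat -Wformat-security flags this pattern when the sink is declared with the printf format attribute.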

Marked as found in versions graphviz/2.26.3-14. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Dec 2014 06:12:05 GMT).


Added tag(s) upstream, security, and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Dec 2014 06:15:08 GMT).


Owner recorded as Maxime Chatelle <xakz@rxsoft.eu>. Request was from Maxime Chatelle <xakz@rxsoft.eu> to control@bugs.debian.org. (Wed, 10 Dec 2014 07:03:14 GMT).


Severity set to 'serious' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Dec 2014 07:51:24 GMT).


Removed annotation that Bug was owned by Maxime Chatelle <xakz@rxsoft.eu>. Request was from Maxime Chatelle <xakz@rxsoft.eu> to control@bugs.debian.org. (Wed, 10 Dec 2014 08:15:04 GMT).


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Dec 2014 08:45:08 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 10 Dec 2014 16:24:05 GMT).


Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Bug acknowledged by developer. (Wed, 10 Dec 2014 16:24:05 GMT).


Message #22 received at 772648-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 772648-close@bugs.debian.org
Subject: Bug#772648: fixed in graphviz 2.38.0-7
Date: Wed, 10 Dec 2014 16:20:22 +0000
Source: graphviz
Source-Version: 2.38.0-7

We believe that the bug you reported is fixed in the latest version of
graphviz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated graphviz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 10 Dec 2014 07:21:52 +0100
Source: graphviz
Binary: graphviz libgv-guile libgv-lua libgv-perl libgv-php5 libgv-python libgv-ruby libgv-tcl libcgraph6 libcdt5 libpathplan4 libgvc6 libgvc6-plugins-gtk libgvpr2 libxdot4 libgraphviz-dev graphviz-doc graphviz-dev
Architecture: source all amd64
Version: 2.38.0-7
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 graphviz   - rich set of graph drawing tools
 graphviz-dev - transitional package for graphviz-dev rename
 graphviz-doc - additional documentation for graphviz
 libcdt5    - rich set of graph drawing tools - cdt library
 libcgraph6 - rich set of graph drawing tools - cgraph library
 libgraphviz-dev - graphviz libs and headers against which to build applications
 libgv-guile - Guile bindings for graphviz
 libgv-lua  - Lua bindings for graphviz
 libgv-perl - Perl bindings for graphviz
 libgv-php5 - PHP5 bindings for graphviz
 libgv-python - Python bindings for graphviz
 libgv-ruby - Ruby bindings for graphviz
 libgv-tcl  - Tcl bindings for graphviz
 libgvc6    - rich set of graph drawing tools - gvc library
 libgvc6-plugins-gtk - rich set of graph drawing tools - gtk plugins
 libgvpr2   - rich set of graph drawing tools - gvpr library
 libpathplan4 - rich set of graph drawing tools - pathplan library
 libxdot4   - rich set of graph drawing tools - xdot library
Closes: 772648
Changes:
 graphviz (2.38.0-7) unstable; urgency=high
 .
   * QA upload.
   * Add CVE-2014-9157.patch.
     Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
     which may allow attackers to cause a denial of service or possibly
     execute code.
     Thanks to Marc Deslauriers <marc.deslauriers@ubuntu.com> (Closes: #772648)




Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Thu, 11 Dec 2014 21:24:05 GMT).


Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Bug acknowledged by developer. (Thu, 11 Dec 2014 21:24:05 GMT).


Message #27 received at 772648-close@bugs.debian.org:

From: Thorsten Alteholz <debian@alteholz.de>
To: 772648-close@bugs.debian.org
Subject: Bug#772648: fixed in graphviz 2.26.3-5+squeeze3
Date: Thu, 11 Dec 2014 21:21:23 +0000
Source: graphviz
Source-Version: 2.26.3-5+squeeze3

We believe that the bug you reported is fixed in the latest version of
graphviz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated graphviz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 11 Dec 2014 19:34:32 +0100
Source: graphviz
Binary: graphviz libgv-guile libgv-lua libgv-ocaml libgv-perl libgv-php5 libgv-python libgv-ruby libgv-tcl libgraph4 libcgraph5 libcdt4 libpathplan4 libgvc5 libgvc5-plugins-gtk libgvpr1 libxdot4 libgraphviz-dev graphviz-doc graphviz-dev
Architecture: source all i386
Version: 2.26.3-5+squeeze3
Distribution: squeeze-lts
Urgency: high
Maintainer: David Claughton <dave@eclecticdave.com>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 graphviz   - rich set of graph drawing tools
 graphviz-dev - transitional package for graphviz-dev rename
 graphviz-doc - additional documentation for graphviz
 libcdt4    - rich set of graph drawing tools - cdt library
 libcgraph5 - rich set of graph drawing tools - cgraph library
 libgraph4  - rich set of graph drawing tools - graph library
 libgraphviz-dev - graphviz libs and headers against which to build applications
 libgv-guile - Guile bindings for graphviz
 libgv-lua  - Lua bindings for graphviz
 libgv-ocaml - OCaml bindings for graphviz
 libgv-perl - Perl bindings for graphviz
 libgv-php5 - Php5 bindings for graphviz
 libgv-python - Python bindings for graphviz
 libgv-ruby - Ruby bindings for graphviz
 libgv-tcl  - Tcl bindings for graphviz
 libgvc5    - rich set of graph drawing tools - gvc library
 libgvc5-plugins-gtk - rich set of graph drawing tools - gtk plugins
 libgvpr1   - rich set of graph drawing tools - gvpr library
 libpathplan4 - rich set of graph drawing tools - pathplan library
 libxdot4   - rich set of graph drawing tools - xdot library
Closes: 772648
Changes: 
 graphviz (2.26.3-5+squeeze3) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Add CVE-2014-9157.patch patch (Closes: #772648)
      Format string vulnerability in the yyerror function in
      lib/cgraph/scan.l in Graphviz allows remote attackers to
      have unspecified impact via format string specifiers in
      unknown vector, which are not properly handled in an
      error string.




Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Fri, 12 Dec 2014 09:33:31 GMT).


Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Bug acknowledged by developer. (Fri, 12 Dec 2014 09:33:31 GMT).


Message #32 received at 772648-close@bugs.debian.org:

From: Thorsten Alteholz <debian@alteholz.de>
To: 772648-close@bugs.debian.org
Subject: Bug#772648: fixed in graphviz 2.26.3-14+deb7u2
Date: Fri, 12 Dec 2014 09:32:57 +0000
Source: graphviz
Source-Version: 2.26.3-14+deb7u2

We believe that the bug you reported is fixed in the latest version of
graphviz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated graphviz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 08 Dec 2014 17:34:32 +0100
Source: graphviz
Binary: graphviz libgv-guile libgv-lua libgv-perl libgv-php5 libgv-python libgv-ruby libgv-tcl libgraph4 libcgraph5 libcdt4 libpathplan4 libgvc5 libgvc5-plugins-gtk libgvpr1 libxdot4 libgraphviz-dev graphviz-doc graphviz-dev
Architecture: source all amd64
Version: 2.26.3-14+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: David Claughton <dave@eclecticdave.com>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 graphviz   - rich set of graph drawing tools
 graphviz-dev - transitional package for graphviz-dev rename
 graphviz-doc - additional documentation for graphviz
 libcdt4    - rich set of graph drawing tools - cdt library
 libcgraph5 - rich set of graph drawing tools - cgraph library
 libgraph4  - rich set of graph drawing tools - graph library
 libgraphviz-dev - graphviz libs and headers against which to build applications
 libgv-guile - Guile bindings for graphviz
 libgv-lua  - Lua bindings for graphviz
 libgv-perl - Perl bindings for graphviz
 libgv-php5 - PHP5 bindings for graphviz
 libgv-python - Python bindings for graphviz
 libgv-ruby - Ruby bindings for graphviz
 libgv-tcl  - Tcl bindings for graphviz
 libgvc5    - rich set of graph drawing tools - gvc library
 libgvc5-plugins-gtk - rich set of graph drawing tools - gtk plugins
 libgvpr1   - rich set of graph drawing tools - gvpr library
 libpathplan4 - rich set of graph drawing tools - pathplan library
 libxdot4   - rich set of graph drawing tools - xdot library
Closes: 772648
Changes: 
 graphviz (2.26.3-14+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2014-9157.patch patch (Closes: #772648)
      Format string vulnerability in the yyerror function in
      lib/cgraph/scan.l in Graphviz allows remote attackers to
      have unspecified impact via format string specifiers in
      unknown vector, which are not properly handled in an
      error string.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Jan 2015 07:30:13 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:28:11 2019; Machine Name: buxtehude