fix cve-2020-18032

linker 2021-05-11 14:36:12 +08:00
parent 91c54fcc88
commit 2faeeb7f47
2 changed files with 49 additions and 1 deletions

View File

@ -0,0 +1,40 @@
From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001
From: Matthew Fernandez <matthew.fernandez@gmail.com>
Date: Sat, 25 Jul 2020 19:31:01 -0700
Subject: [PATCH] fix: out-of-bounds write on invalid label
When the label for a node cannot be parsed (due to it being malformed), it falls
back on the symbol name of the node itself. I.e. the default label the node
would have had if it had no label attribute at all. However, this is applied by
dynamically altering the node's label to "\N", a shortcut for the symbol name of
the node. All of this is fine, however if the hand written label itself is
shorter than the literal string "\N", not enough memory would have been
allocated to write "\N" into the label text.
Here we account for the possibility of error during label parsing, and assume
that the label text may need to be overwritten with "\N" after the fact. Fixes
issue #1700.
---
lib/common/shapes.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/common/shapes.c b/lib/common/shapes.c
index 0a0635fc3..9dca9ba6e 100644
--- a/lib/common/shapes.c
+++ b/lib/common/shapes.c
@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
reclblp = ND_label(n)->text;
len = strlen(reclblp);
/* For some forgotten reason, an empty label is parsed into a space, so
- * we need at least two bytes in textbuf.
+ * we need at least two bytes in textbuf, as well as accounting for the
+ * error path involving "\\N" below.
*/
- len = MAX(len, 1);
+ len = MAX(MAX(len, 1), (int)strlen("\\N"));
textbuf = N_NEW(len + 1, char);
if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
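Review bot: the `+ len = MAX(MAX(len, 1), (int)strlen("\\N"));` line evaluates strlen on a string literal at run time and the `(int)` cast silently narrows size_t to whatever type `len` has; `sizeof("\\N") - 1` (2) is a compile-time constant with the same value and needs no cast. The write of "\\N" into textbuf that this larger allocation is meant to cover is not in the hunk (the visible error path only reaches `agerr(AGERR, "bad label format ...")`), so the new comment's "error path involving "\\N" below" is the only link between the two; naming the function or line that performs the fallback copy in that comment would let a later reader verify the sizing against the actual write instead of trusting the commit message.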
--
GitLab
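
The sizing bug the commit message above describes, as an added example that is not graphviz code: a model of record_init()'s textbuf allocation before and after the fix, with the fallback write done through a bounded snprintf so the program itself never writes out of bounds. The names textbuf_size_before, textbuf_size_after and fallback_overrun are assumptions of this example, as is modelling the fallback as a strcpy-style copy of the literal "\N" plus its terminator; parse failure is taken as an input rather than reproduced through a real record-label parser.

```c
/* Added example, not graphviz code: models the textbuf sizing in record_init()
 * (lib/common/shapes.c) before and after the CVE-2020-18032 fix and shows why
 * the "\N" fallback overran a buffer sized for a label shorter than two
 * characters. Assumption: the fallback is a strcpy-style copy of the literal
 * and its NUL terminator; here that write is replaced by a bounded snprintf. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FALLBACK_LABEL "\\N"   /* the two-character literal \N */

/* Pre-fix sizing: len = MAX(strlen(label), 1); textbuf = N_NEW(len + 1, char). */
size_t textbuf_size_before(const char *label)
{
    size_t len = strlen(label);
    if (len < 1)
        len = 1;
    return len + 1;
}

/* Post-fix sizing: len = MAX(MAX(strlen(label), 1), strlen("\\N")). */
size_t textbuf_size_after(const char *label)
{
    size_t len = strlen(label);
    if (len < 1)
        len = 1;
    if (len < strlen(FALLBACK_LABEL))
        len = strlen(FALLBACK_LABEL);
    return len + 1;
}

/* Simulate the error path: textbuf is allocated with the given sizing policy,
 * then overwritten with FALLBACK_LABEL because parsing failed (parse failure is
 * assumed here; parse_reclbl() is not modelled). Returns how many bytes an
 * unbounded copy of the fallback would have written past the end of textbuf:
 * 0 means the allocation is large enough, >0 is the out-of-bounds write. */
size_t fallback_overrun(const char *label, size_t (*sizing)(const char *))
{
    size_t bufsize = sizing(label);
    char *textbuf = calloc(bufsize, 1);
    if (!textbuf)
        return (size_t)-1;
    /* Bounded write: snprintf never exceeds bufsize, but its return value is
     * the length an unbounded copy would have produced (excluding the NUL). */
    int written = snprintf(textbuf, bufsize, "%s", FALLBACK_LABEL);
    size_t need = (size_t)written + 1;   /* literal plus terminator */
    free(textbuf);
    return need > bufsize ? need - bufsize : 0;
}

int main(void)
{
    /* Constructed sample labels: the first two are shorter than "\N". */
    const char *labels[] = { "", "a", "ab", "abc" };
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++) {
        printf("label \"%s\": overrun before fix=%zu, after fix=%zu\n",
               labels[i],
               fallback_overrun(labels[i], textbuf_size_before),
               fallback_overrun(labels[i], textbuf_size_after));
    }
    return 0;
}
```

The general lesson the model makes visible: a buffer sized from the input is only safe if every later write into it is also bounded by the input, and the fallback here is a fixed literal whose length is independent of the label, so the allocation must take the maximum of both.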

View File

@ -15,12 +15,14 @@
Name: graphviz Name: graphviz
Version: 2.44.1 Version: 2.44.1
Release: 2 Release: 3
Summary: Graph Visualization Tools Summary: Graph Visualization Tools
License: EPL License: EPL
URL: http://www.graphviz.org/ URL: http://www.graphviz.org/
Source0: https://gitlab.com/graphviz/graphviz/-/archive/%{version}/graphviz-%{version}.tar.gz Source0: https://gitlab.com/graphviz/graphviz/-/archive/%{version}/graphviz-%{version}.tar.gz
Patch6000: backport-CVE-2020-18032.patch
BuildRequires: ksh bison m4 flex ruby automake perl-Carp autoconf libtool qpdf ocaml urw-base35-fonts, perl-ExtUtils-Embed, perl-generators, librsvg2-devel swig >= 1.3.33 BuildRequires: ksh bison m4 flex ruby automake perl-Carp autoconf libtool qpdf ocaml urw-base35-fonts, perl-ExtUtils-Embed, perl-generators, librsvg2-devel swig >= 1.3.33
BuildRequires: zlib-devel libpng-devel libjpeg-devel expat-devel tk-devel fontconfig-devel libtool-ltdl-devel ruby-devel guile-devel freetype-devel >= 2 tcl-devel >= 8.3 BuildRequires: zlib-devel libpng-devel libjpeg-devel expat-devel tk-devel fontconfig-devel libtool-ltdl-devel ruby-devel guile-devel freetype-devel >= 2 tcl-devel >= 8.3
BuildRequires: python3-devel libXaw-devel libSM-devel libXext-devel java-devel pango-devel gmp-devel lua-devel gtk2-devel cairo-devel >= 1.1.10 BuildRequires: python3-devel libXaw-devel libSM-devel libXext-devel java-devel pango-devel gmp-devel lua-devel gtk2-devel cairo-devel >= 1.1.10
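Review bot: `Patch6000: backport-CVE-2020-18032.patch` is declared, but the hunk does not touch %prep, so whether the patch is actually applied depends on the spec already using `%autosetup` (or on an explicit `%patch6000 -p1` being added); the backport uses git-style `a/lib/common/shapes.c` and `b/lib/common/shapes.c` paths, so it needs strip level 1. Confirm %prep before merging, for instance by running `rpmbuild -bp` and checking that the unpacked lib/common/shapes.c contains the `MAX(MAX(len, 1), (int)strlen("\\N"))` line.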
@ -267,6 +269,12 @@ php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/
%changelog %changelog
* Tue May 11 2021 wangkerong <wangkerong@huawei.com> - 2.44.1-3
- Type:CVE
- ID:CVE-2020-18032
- SUG:NA
- DESC:fix cve-2020-18032
* Wed Oct 21 2020 jinzhimin<jinzhimin2@huawei.com> - 2.44.1-2 * Wed Oct 21 2020 jinzhimin<jinzhimin2@huawei.com> - 2.44.1-2
- remove graphviz-python2 subpackage - remove graphviz-python2 subpackage
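Review bot: `- DESC:fix cve-2020-18032` only repeats the commit title and does not say what was fixed or where; a changelog reader triaging the package should not have to open the patch to learn that. Suggest a one-line description tied to the backport, e.g. `- DESC:fix out-of-bounds write in record_init() (lib/common/shapes.c) on a malformed record label, backport of upstream commit 784411ca`.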