CVE-2014-0978

Published: 10 January 2014

Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file.

Notes

Author	Note
mdeslaur	this fix introduced CVE-2014-1235

Priority

Status

Package	Release	Status
graphviz Launchpad, Ubuntu, Debian	lucid	Released (2.20.2-8ubuntu3.1)
	precise	Released (2.26.3-10ubuntu1.1)
	quantal	Released (2.26.3-12ubuntu1.1)
	raring	Released (2.26.3-14ubuntu1.1)
	saucy	Released (2.26.3-15ubuntu4.1)
	upstream	Released (2.26.3-16)
	Patches: upstream: https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a

References

http://seclists.org/oss-sec/2014/q1/28
https://ubuntu.com/security/notices/USN-2083-1
https://www.cve.org/CVERecord?id=CVE-2014-0978
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734745
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0978

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›