Funny enough that tools like graphviz qualify for CVE assignments :)

Do not get me wrong, I really like graphviz, its a great tool and I use it myself;
but probably like 2 scientists or 1 anti-terror fed plotting his graphs
in the whole world would be targeted attacked using dot files sent via mail I guess.

Seems like the initial fix:

https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a

also contains a sprintf() which is also later removed by commit

d266bb2b4154d11c27252b56d86963aef4434750 just for safety reasons.

And finally there also is:


/* chkNum:
 * The regexp for NUMBER allows a terminating letter.
 * This way we can catch a number immediately followed by a name
 * and report this to the user.
 */
static int chkNum(void) {
  unsigned char c = (unsigned char)yytext[yyleng-1];   /* last character */
  if (!isdigit(c) && (c != '.')) {  /* c is letter */
        char    buf[BUFSIZ];
        sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
    strcat (buf, "splits into two name tokens\n");
        agerr(AGWARN,buf);
    return 1;
  }
  else return 0;
}


which also looks like a buffer overflow from user input; yet unfixed.
(the regex seems to accept arbitrary long digit list)

So for the 3 potential victims, we need to fix that too :)

Sebastian