graphviz Multiple buffer overflow chkNum and sprintf

2014.01.11
Credit: Sebastian
Risk: High
Local: Yes
Remote: No
CWE: CWE-119

Funny enough that tools like graphviz qualify for CVE assignments :) Do not get me wrong, I really like graphviz, its a great tool and I use it myself; but probably like 2 scientists or 1 anti-terror fed plotting his graphs in the whole world would be targeted attacked using dot files sent via mail I guess. Seems like the initial fix: https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a also contains a sprintf() which is also later removed by commit d266bb2b4154d11c27252b56d86963aef4434750 just for safety reasons. And finally there also is: /* chkNum: * The regexp for NUMBER allows a terminating letter. * This way we can catch a number immediately followed by a name * and report this to the user. */ static int chkNum(void) { unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */ if (!isdigit(c) && (c != '.')) { /* c is letter */ char buf[BUFSIZ]; sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile); strcat (buf, "splits into two name tokens\n"); agerr(AGWARN,buf); return 1; } else return 0; } which also looks like a buffer overflow from user input; yet unfixed. (the regex seems to accept arbitrary long digit list) So for the 3 potential victims, we need to fix that too :) Sebastian

References:

https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top