Funnily enough, tools like graphviz qualify for CVE assignments :)
Do not get me wrong, I really like graphviz, it's a great tool and I use it myself;
but probably only like 2 scientists or 1 anti-terror fed plotting his graphs
in the whole world would be the target of attacks using dot files sent via mail, I guess.
Seems like the initial fix:
https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a
also contains a sprintf() which is also later removed by commit
d266bb2b4154d11c27252b56d86963aef4434750 just for safety reasons.
And finally there also is:

    /* chkNum:
     * The regexp for NUMBER allows a terminating letter.
     * This way we can catch a number immediately followed by a name
     * and report this to the user.
     */
    static int chkNum(void) {
        unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
        if (!isdigit(c) && (c != '.')) { /* c is letter */
            char buf[BUFSIZ];
            /* yytext (the whole token) is copied into the fixed-size buf
             * with no length check, then strcat appends to it */
            sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
            strcat (buf, "splits into two name tokens\n");
            agerr(AGWARN,buf);
            return 1;
        }
        else return 0;
    }
which also looks like a buffer overflow from user input; yet unfixed.
(the regex seems to accept an arbitrarily long digit list)
So for the 3 potential victims, we need to fix that too :)
Sebastian
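A bounded rewrite of the message building in chkNum, added here as an illustration and not code from graphviz or from either commit referenced above; yytext/yyleng are passed as parameters instead of the lexer globals, MSG_BUFSIZ and SHOW_MAX are constructed stand-ins, and agerr() is left out so the function can be checked on its own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUFSIZ 256   /* constructed stand-in for the lexer's BUFSIZ buffer */
#define SHOW_MAX   40    /* how much of the offending token to echo back */

/*
 * Bounded version of chkNum's message building (illustration, not graphviz
 * code). yytext/yyleng are parameters instead of lexer globals. Returns 1 if
 * the token ends in a non-digit (the badly formed number case), else 0. The
 * message is built with one snprintf into buf, so it can never exceed buflen
 * bytes however long the token is; %.*s echoes at most SHOW_MAX characters.
 */
static int chk_num_bounded(const char *yytext, size_t yyleng, int line_num,
                           const char *input_file, char *buf, size_t buflen)
{
    unsigned char c;

    if (yyleng == 0 || buflen == 0)
        return 0;
    c = (unsigned char)yytext[yyleng - 1];       /* last character */
    if (isdigit(c) || c == '.')
        return 0;                                 /* well-formed number */

    /* One bounded call replaces the sprintf + strcat pair; snprintf always
     * NUL-terminates when buflen > 0, even if the text is cut short. */
    snprintf(buf, buflen,
             "syntax error - badly formed number '%.*s%s' in line %d of %s\n"
             "splits into two name tokens\n",
             (int)(yyleng > SHOW_MAX ? SHOW_MAX : yyleng), yytext,
             yyleng > SHOW_MAX ? "..." : "", line_num, input_file);
    return 1;
}

/* Constructed input: a 4095-byte digit run ending in 'a', far longer than
 * MSG_BUFSIZ. Returns chk_num_bounded's result and the message length. */
static int demo_long_token(size_t *msg_len)
{
    char tok[4096], buf[MSG_BUFSIZ];
    int r;

    memset(tok, '7', sizeof tok - 1);
    tok[sizeof tok - 2] = 'a';
    tok[sizeof tok - 1] = '\0';
    r = chk_num_bounded(tok, strlen(tok), 7, "input.dot", buf, sizeof buf);
    *msg_len = strlen(buf);
    return r;
}
```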