lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 8 Oct 2008 21:05:34 +0200
From: Roee Hay <ROEEH@...ibm.com>
To: full-disclosure@...ts.grok.org.uk
Cc: Adi Sharabani <adi.sharabani@...ibm.com>, Yair Amit <AMITYAIR@...ibm.com>
Subject: Advisory: Graphviz Buffer Overflow Code Execution

The Graphviz team has just released a patch to a critical security issue
I reported to them. 

The following is the advisory (also available at
http://roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execution.html
):

Background 
==========
Graphviz is an open-source multi-platform graph visualization software. It
takes a description of graphs in a simple text format (DOT language), and
makes diagrams out of it in several useful formats (including SVG).

Description 
===========
A vulnerability exists in Graphviz's parsing engine which makes it 
possible to
overflow a globally allocated array and corrupt memory by doing so.

parser.y (Graphviz 2.20.2):

  34:  static Agraph_t        *Gstack[32];
  35:  static int            GSP;
  45:  static void push_subg(Agraph_t *g)
  46:  {
  47:       G = Gstack[GSP++] = g;
  48:  }
 
  As it can be seen, no bounds check is performed by the push_svg 
procedure,
  allowing one to overflow Gstack by pushing more than 32 (Agraph_t *)
  elements.

Impact/Severity
===============
A malicious user can achieve an arbitrary code execution by creating a
specially crafted DOT file and convince the victim to render it using 
Graphviz. 


Affected versions
=================
Graphviz 2.20.2 is affected by this vulnerability. Older version are 
probably
affected as well.

Workaround
===========
Version 2.20.3 has been released in order to address this issue. A bounds 
check
has been added in order to avoid an overflow.

parser.y (Graphviz 2.20.3):

  34:  #define GSTACK_SIZE 64
  35:  static Agraph_t      *Gstack[GSTACK_SIZE];
  36:  static int            GSP;
  45:
  46:  static void push_subg(Agraph_t *g)
  47:  {
  48:      if (GSP >= GSTACK_SIZE) {
  49:          agerr (AGERR, "Gstack overflow in graph parser\n"); 
exit(1);
  50:      }
  51:      G = Gstack[GSP++] = g;
  52:  }
 
Acknowledgements
================
I would like to thank the Graphviz team (Stephen C. North, John Ellson,
Emden R. Gansner and others) for their quick responses and fix (it took 
them
only a day since my disclosure to release a patch!).
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ