From 7c4c781aa40c42d4cd10b8d9482199f3db345e1b Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 12 May 2021 18:21:19 -0400 Subject: gnu: Graphviz: Fix CVE-2020-18032. * gnu/packages/patches/graphviz-CVE-2020-18032.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/graphviz.scm (graphviz)[replacement]: New field. (graphviz/fixed): New variable. --- gnu/local.mk | 1 + gnu/packages/graphviz.scm | 10 +++++ gnu/packages/patches/graphviz-CVE-2020-18032.patch | 49 ++++++++++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 gnu/packages/patches/graphviz-CVE-2020-18032.patch diff --git a/gnu/local.mk b/gnu/local.mk index c3b0274945..97b4dd77f6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1164,6 +1164,7 @@ dist_patch_DATA = \ %D%/packages/patches/gpodder-disable-updater.patch \ %D%/packages/patches/gpsbabel-fix-i686-test.patch \ %D%/packages/patches/grantlee-merge-theme-dirs.patch \ + %D%/packages/patches/graphviz-CVE-2020-18032.patch \ %D%/packages/patches/grep-timing-sensitive-test.patch \ %D%/packages/patches/grocsvs-dont-use-admiral.patch \ %D%/packages/patches/gromacs-tinyxml2.patch \ diff --git a/gnu/packages/graphviz.scm b/gnu/packages/graphviz.scm index eb3fd1d583..72c96655bc 100644 --- a/gnu/packages/graphviz.scm +++ b/gnu/packages/graphviz.scm @@ -62,6 +62,7 @@ (define-public graphviz (package (name "graphviz") + (replacement graphviz/fixed) (version "2.42.3") (source (origin (method url-fetch) @@ -126,6 +127,15 @@ software engineering, database and web design, machine learning, and in visual interfaces for other technical domains.") (license license:epl1.0))) +(define-public graphviz/fixed + (hidden-package + (package + (inherit graphviz) + (source (origin + (inherit (package-source graphviz)) + (patches (append (search-patches "graphviz-CVE-2020-18032.patch") + (origin-patches (package-source graphviz))))))))) + ;; Older Graphviz needed for pygraphviz. See ;; https://github.com/pygraphviz/pygraphviz/issues/175 (define-public graphviz-2.38 diff --git a/gnu/packages/patches/graphviz-CVE-2020-18032.patch b/gnu/packages/patches/graphviz-CVE-2020-18032.patch new file mode 100644 index 0000000000..4cf94a9a36 --- /dev/null +++ b/gnu/packages/patches/graphviz-CVE-2020-18032.patch @@ -0,0 +1,49 @@ +Fix CVE-2020-18032: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-18032 +https://gitlab.com/graphviz/graphviz/-/issues/1700 + +Patch copied from upstream source repository: + +https://gitlab.com/graphviz/graphviz/-/commit/784411ca3655c80da0f6025ab20634b2a6ff696b + +From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Sat, 25 Jul 2020 19:31:01 -0700 +Subject: [PATCH] fix: out-of-bounds write on invalid label + +When the label for a node cannot be parsed (due to it being malformed), it falls +back on the symbol name of the node itself. I.e. the default label the node +would have had if it had no label attribute at all. However, this is applied by +dynamically altering the node's label to "\N", a shortcut for the symbol name of +the node. All of this is fine, however if the hand written label itself is +shorter than the literal string "\N", not enough memory would have been +allocated to write "\N" into the label text. + +Here we account for the possibility of error during label parsing, and assume +that the label text may need to be overwritten with "\N" after the fact. Fixes +issue #1700. +--- + lib/common/shapes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/common/shapes.c b/lib/common/shapes.c +index 0a0635fc3..9dca9ba6e 100644 +--- a/lib/common/shapes.c ++++ b/lib/common/shapes.c +@@ -3546,9 +3546,10 @@ static void record_init(node_t * n) + reclblp = ND_label(n)->text; + len = strlen(reclblp); + /* For some forgotten reason, an empty label is parsed into a space, so +- * we need at least two bytes in textbuf. ++ * we need at least two bytes in textbuf, as well as accounting for the ++ * error path involving "\\N" below. + */ +- len = MAX(len, 1); ++ len = MAX(MAX(len, 1), (int)strlen("\\N")); + textbuf = N_NEW(len + 1, char); + if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) { + agerr(AGERR, "bad label format %s\n", ND_label(n)->text); +-- +2.31.1 + -- cgit v1.2.3