Hi David, And attached is the last one, also for unstable. For unstable it might be good to also include Moritz' patch to enable hardening flags additionally (it will need a further patch on top of it though).
Are you working on the issues, or do you need help? Regards, Salvatore
diff -Nru graphviz-2.26.3/debian/changelog graphviz-2.26.3/debian/changelog
--- graphviz-2.26.3/debian/changelog 2013-12-23 18:55:30.000000000 +0100
+++ graphviz-2.26.3/debian/changelog 2014-01-11 15:41:52.000000000 +0100
@@ -1,3 +1,15 @@
+graphviz (2.26.3-16.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add CVE-2014-1235.patch patch.
+ CVE-2014-1235: buffer overflow vulnerability in yyerror() introduced by
+ original fix for CVE-2014-0978. (Closes: #734745)
+ * Add CVE-2014-1236.patch patch.
+ CVE-2014-1236: buffer overflow from user input (the regexp in chkNum
+ would accept arbitrary long digit list) (Closes: #734745)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 11 Jan 2014 15:41:31 +0100
+
 graphviz (2.26.3-16) unstable; urgency=medium
 * Add patch cherry-picked from upstream's github - fixes buffer
diff -Nru graphviz-2.26.3/debian/patches/CVE-2014-1235.patch graphviz-2.26.3/debian/patches/CVE-2014-1235.patch
--- graphviz-2.26.3/debian/patches/CVE-2014-1235.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.26.3/debian/patches/CVE-2014-1235.patch 2014-01-11 15:41:52.000000000 +0100
@@ -0,0 +1,22 @@
+Description: Fix buffer overflow in yyerror()
+ CVE-2014-1235: buffer overflow vulnerability in yyerror() introduced by
+ original fix for CVE-2014-0978
+Origin: upstream, https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750
+Bug-Debian: http://bugs.debian.org/734745
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1050871
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2014-01-11
+
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -203,7 +203,8 @@
+ agxbput (&xb, InputFile);
+ agxbput (&xb, ": ");
+ }
+- sprintf(buf," %s in line %d near '", str,line_num);
++ agxbput (&xb, str);
++ sprintf(buf," in line %d near '", line_num);
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
diff -Nru graphviz-2.26.3/debian/patches/CVE-2014-1236.patch graphviz-2.26.3/debian/patches/CVE-2014-1236.patch
--- graphviz-2.26.3/debian/patches/CVE-2014-1236.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.26.3/debian/patches/CVE-2014-1236.patch 2014-01-11 15:41:52.000000000 +0100
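Review bot: The remaining `sprintf(buf," in line %d near '", line_num);` is bounded only implicitly, by the format holding a single %d; buf's declaration lies outside the inner hunk, so a reader of this patch cannot see the bound at all. Make it explicit with `snprintf(buf, sizeof buf, " in line %d near '", line_num);`, which is valid as long as buf is an array in scope, as the original sprintf into it suggests. The same applies to `sprintf(buf,"' in line %d of ", line_num);` in the CVE-2014-1236.patch hunk below, where buf is visibly `char buf[BUFSIZ]`. yyerror's body starts and ends outside the inner hunk, so whether the assembled agxbuf is later handed to a formatted printer cannot be checked here.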
@@ -0,0 +1,54 @@
+Description: Fix possible buffer overflow problem in chkNum of scanner
+ CVE-2014-1236: buffer overflow from user input (the regexp in chkNum
+ would accept arbitrary long digit list)
+Origin: backport, https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff
+Bug-Debian: http://bugs.debian.org/734745
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1050872
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2014-01-11
+
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -131,15 +131,32 @@
+ * and report this to the user.
+ */
+ static int chkNum(void) {
+- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
+- if (!isdigit(c) && (c != '.')) { /* c is letter */
+- char buf[BUFSIZ];
+- sprintf(buf,"syntax error - badly formed number '%s' in line %d\n",yytext,line_num);
+- strcat (buf, "splits into two name tokens");
+- agerr(AGWARN,buf);
+- return 1;
+- }
+- else return 0;
++ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
++ if (!isdigit(c) && (c != '.')) { /* c is letter */
++ unsigned char xbuf[BUFSIZ];
++ char buf[BUFSIZ];
++ agxbuf xb;
++ char* fname;
++
++ if (InputFile)
++ fname = InputFile;
++ else
++ fname = "input";
++
++ agxbinit(&xb, BUFSIZ, xbuf);
++
++ agxbput(&xb,"syntax ambiguity - badly delimited number '");
++ agxbput(&xb,yytext);
++ sprintf(buf,"' in line %d of ", line_num);
++ agxbput(&xb,buf);
++ agxbput(&xb,fname);
++ agxbput(&xb, " splits into two tokens\n");
++ agerr(AGWARN,agxbuse(&xb));
++
++ agxbfree(&xb);
++ return 1;
++ }
++ else return 0;
+ }
+
+ /* The LETTER class below consists of ascii letters, underscore, all non-ascii
diff -Nru graphviz-2.26.3/debian/patches/series graphviz-2.26.3/debian/patches/series
--- graphviz-2.26.3/debian/patches/series 2013-12-23 18:54:30.000000000 +0100
+++ graphviz-2.26.3/debian/patches/series 2014-01-11 15:41:52.000000000 +0100
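Review bot: `agerr(AGWARN,agxbuse(&xb));` hands the assembled message — which now embeds yytext and the input file name via fname — to agerr as its format argument, and cgraph declares agerr with a printf-style format and varargs as far as I recall (worth confirming against cgraph.h); a `%` in the file name would then be consumed as a conversion instead of printed, a flaw inherited unchanged from the removed `agerr(AGWARN,buf)`. Pass the text as data: `agerr(AGWARN, "%s", agxbuse(&xb));`. Separately, `char* fname;` receives a string literal on the `fname = "input";` branch; `const char *fname` is the honest type if InputFile's declaration permits it. The whole of chkNum is visible within the inner hunk, so no other caller-visible behaviour changes beyond the message wording.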
@@ -17,3 +17,5 @@
 kfreebsd-hang.patch
 use-system-ltdl.patch
 buffer_overflow.patch
+CVE-2014-1235.patch
+CVE-2014-1236.patch