[bug#48385] [PATCH] gnu: Graphviz: Fix CVE-2020-18032.

unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed

* [bug#48385] [PATCH] gnu: Graphviz: Fix CVE-2020-18032.
@ 2021-05-12 22:29 Leo Famulari
  2021-05-15 23:15 ` bug#48385: " Leo Famulari
  0 siblings, 1 reply; 2+ messages in thread
From: Leo Famulari @ 2021-05-12 22:29 UTC (permalink / raw)
  To: 48385

* gnu/packages/patches/graphviz-CVE-2020-18032.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/graphviz.scm (graphviz)[replacement]: New field.
(graphviz/fixed): New variable.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/graphviz.scm                     | 10 ++++
 .../patches/graphviz-CVE-2020-18032.patch     | 49 +++++++++++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 gnu/packages/patches/graphviz-CVE-2020-18032.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 01d495d41d..5601b5b698 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1164,6 +1164,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gpodder-disable-updater.patch		\
   %D%/packages/patches/gpsbabel-fix-i686-test.patch		\
   %D%/packages/patches/grantlee-merge-theme-dirs.patch		\
+  %D%/packages/patches/graphviz-CVE-2020-18032.patch		\
   %D%/packages/patches/grep-timing-sensitive-test.patch		\
   %D%/packages/patches/grocsvs-dont-use-admiral.patch		\
   %D%/packages/patches/gromacs-tinyxml2.patch			\
diff --git a/gnu/packages/graphviz.scm b/gnu/packages/graphviz.scm
index eb3fd1d583..72c96655bc 100644
--- a/gnu/packages/graphviz.scm
+++ b/gnu/packages/graphviz.scm
@@ -62,6 +62,7 @@
 (define-public graphviz
   (package
     (name "graphviz")
+    (replacement graphviz/fixed)
     (version "2.42.3")
     (source (origin
               (method url-fetch)
@@ -126,6 +127,15 @@ software engineering, database and web design, machine learning, and in visual
 interfaces for other technical domains.")
     (license license:epl1.0)))
 
+(define-public graphviz/fixed
+  (hidden-package
+    (package
+      (inherit graphviz)
+      (source (origin
+                (inherit (package-source graphviz))
+                (patches (append (search-patches "graphviz-CVE-2020-18032.patch")
+                                 (origin-patches (package-source graphviz)))))))))
+
 ;; Older Graphviz needed for pygraphviz.  See
 ;; https://github.com/pygraphviz/pygraphviz/issues/175
 (define-public graphviz-2.38
diff --git a/gnu/packages/patches/graphviz-CVE-2020-18032.patch b/gnu/packages/patches/graphviz-CVE-2020-18032.patch
new file mode 100644
index 0000000000..4cf94a9a36
--- /dev/null
+++ b/gnu/packages/patches/graphviz-CVE-2020-18032.patch
@@ -0,0 +1,49 @@
+Fix CVE-2020-18032:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-18032
+https://gitlab.com/graphviz/graphviz/-/issues/1700
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/graphviz/graphviz/-/commit/784411ca3655c80da0f6025ab20634b2a6ff696b
+
+From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Sat, 25 Jul 2020 19:31:01 -0700
+Subject: [PATCH] fix: out-of-bounds write on invalid label
+
+When the label for a node cannot be parsed (due to it being malformed), it falls
+back on the symbol name of the node itself. I.e. the default label the node
+would have had if it had no label attribute at all. However, this is applied by
+dynamically altering the node's label to "\N", a shortcut for the symbol name of
+the node. All of this is fine, however if the hand written label itself is
+shorter than the literal string "\N", not enough memory would have been
+allocated to write "\N" into the label text.
+
+Here we account for the possibility of error during label parsing, and assume
+that the label text may need to be overwritten with "\N" after the fact. Fixes
+issue #1700.
+---
+ lib/common/shapes.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/common/shapes.c b/lib/common/shapes.c
+index 0a0635fc3..9dca9ba6e 100644
+--- a/lib/common/shapes.c
++++ b/lib/common/shapes.c
+@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
+     reclblp = ND_label(n)->text;
+     len = strlen(reclblp);
+     /* For some forgotten reason, an empty label is parsed into a space, so
+-     * we need at least two bytes in textbuf.
++     * we need at least two bytes in textbuf, as well as accounting for the
++     * error path involving "\\N" below.
+      */
+-    len = MAX(len, 1);
++    len = MAX(MAX(len, 1), (int)strlen("\\N"));
+     textbuf = N_NEW(len + 1, char);
+     if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
+ 	agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
+-- 
+2.31.1
+
-- 
2.31.1





^ permalink raw reply related	[flat|nested] 2+ messages in thread

* bug#48385: [PATCH] gnu: Graphviz: Fix CVE-2020-18032.
  2021-05-12 22:29 [bug#48385] [PATCH] gnu: Graphviz: Fix CVE-2020-18032 Leo Famulari
@ 2021-05-15 23:15 ` Leo Famulari
  0 siblings, 0 replies; 2+ messages in thread
From: Leo Famulari @ 2021-05-15 23:15 UTC (permalink / raw)
  To: 48385-done

Pushed as 7c4c781aa40c42d4cd10b8d9482199f3db345e1b




^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-05-15 23:16 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-12 22:29 [bug#48385] [PATCH] gnu: Graphviz: Fix CVE-2020-18032 Leo Famulari
2021-05-15 23:15 ` bug#48385: " Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).