Mandriva Linux Security Advisory 2015-187 - Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string. Additionally, the gtkglarea2 and gtkglext packages were missing and were required for graphviz to build; these packages are also being provided with this advisory.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:187
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : graphviz
Date : April 1, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated graphviz packages fix security vulnerability:
Format string vulnerability in the yyerror function in
lib/cgraph/scan.l in Graphviz allows remote attackers to have
unspecified impact via format string specifiers in unknown vectors,
which are not properly handled in an error string (CVE-2014-9157).
Additionally, the gtkglarea2 and gtkglext packages were missing and
were required for graphviz to build; these packages are also being
provided with this advisory.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157
http://advisories.mageia.org/MGASA-2014-0520.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
9bafda1801998f26c9de8715a5b4f229 mbs2/x86_64/graphviz-2.34.0-7.1.mbs2.x86_64.rpm
69d0e786218156bda6ce3ae386ce7ece mbs2/x86_64/java-graphviz-2.34.0-7.1.mbs2.x86_64.rpm
970a121e1ad3396d744b729ccf0ae80c mbs2/x86_64/lib64cdt5-2.34.0-7.1.mbs2.x86_64.rpm
2defc0a9c1b055d4c8aeddbb30d29212 mbs2/x86_64/lib64cgraph6-2.34.0-7.1.mbs2.x86_64.rpm
517a130b8db8d596acc58c67889bbb2a mbs2/x86_64/lib64graphviz-devel-2.34.0-7.1.mbs2.x86_64.rpm
b622bf72651687ff76529d5c79416057 mbs2/x86_64/lib64gtkgl2.0_1-2.0.1-6.mbs2.x86_64.rpm
e697fb1ccf65f78abed726a76baa8bd3 mbs2/x86_64/lib64gtkgl-devel-2.0.1-6.mbs2.x86_64.rpm
3c736ee01ead6eca0ee34dd4144c5bcb mbs2/x86_64/lib64gtkglext-1.0_0-1.2.0-17.mbs2.x86_64.rpm
ad99471421e44c95c0e88520eabf6368 mbs2/x86_64/lib64gtkglext-devel-1.2.0-17.mbs2.x86_64.rpm
2a6b3ed54c0bbf4ce7657a7295baf5af mbs2/x86_64/lib64gvc6-2.34.0-7.1.mbs2.x86_64.rpm
affcfec0d5c47c4d7f40b6433afb9e3a mbs2/x86_64/lib64gvpr2-2.34.0-7.1.mbs2.x86_64.rpm
b3d9803dc5be936b4977fcd07fd8c286 mbs2/x86_64/lib64pathplan4-2.34.0-7.1.mbs2.x86_64.rpm
281a1f3ecbcc2936040a964884a022a9 mbs2/x86_64/lib64xdot4-2.34.0-7.1.mbs2.x86_64.rpm
ce23e49e1b648587fe6b7ea091b1dce8 mbs2/x86_64/lua-graphviz-2.34.0-7.1.mbs2.x86_64.rpm
ada3a4bc05689b2e99ffedb93adf3376 mbs2/x86_64/ocaml-graphviz-2.34.0-7.1.mbs2.x86_64.rpm
a53d3cefebcaaccd64733ecd44b5acc7 mbs2/x86_64/perl-graphviz-2.34.0-7.1.mbs2.x86_64.rpm
acfac83dc5cfe4e6dd36d8d93833424e mbs2/x86_64/php-graphviz-2.34.0-7.1.mbs2.x86_64.rpm
908183bccda9074dd050d2db15ec3aea mbs2/x86_64/python-graphviz-2.34.0-7.1.mbs2.x86_64.rpm
5310a33b0b1366631f627314264eee6a mbs2/x86_64/ruby-graphviz-2.34.0-7.1.mbs2.x86_64.rpm
ed47d6081c39dfa6ca44aabb09c6b44e mbs2/x86_64/tcl-graphviz-2.34.0-7.1.mbs2.x86_64.rpm
6c1cbbd3de624c944dc68d353d9eda8d mbs2/SRPMS/graphviz-2.34.0-7.1.mbs2.src.rpm
c59bd68ec8a4cbc245c931cc066f2b08 mbs2/SRPMS/gtkglarea2-2.0.1-6.mbs2.src.rpm
493dd7182d4bfc70d0844ecd5fdd8cfc mbs2/SRPMS/gtkglext-1.2.0-17.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVHOFhmqjQ0CJFipgRAp3wAKC/nwsWD2XGCGzHzr43aX2s2WtZXgCfUYv1
tJI66Kv6DodNHXOLJHD0Iag=
=x1Q3
-----END PGP SIGNATURE-----
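
The bug class described under "Problem Description", as an added example that is not Graphviz or Mandriva code: an error routine that uses input-derived text as the format string, beside the form that keeps the format constant. The names `err_report`, `syntax_error_unsafe` and `syntax_error_safe`, the message wording and the sample token are hypothetical and constructed for illustration.

```c
/* Added illustration; all names here are hypothetical stand-ins. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_error[256];   /* captured so the result can be inspected */

/* printf-style error sink. The format attribute lets GCC/Clang check call
 * sites, so -Wformat-security flags a non-literal format with no arguments. */
__attribute__((format(printf, 1, 2)))
static int err_report(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
    fputs(last_error, stderr);
    return n;
}

#ifdef SHOW_UNSAFE
/* Vulnerable shape (not compiled by default): the message contains text
 * copied from the input being parsed and is then used as the format
 * string, so conversion specifiers in that input are interpreted. */
static int syntax_error_unsafe(int line, const char *near_text)
{
    char msg[200];
    snprintf(msg, sizeof msg, "syntax error in line %d near '%s'\n",
             line, near_text);
    return err_report(msg);            /* input-derived format string */
}
#endif

/* Hardened shape: the format is a constant; input text is only ever data. */
static int syntax_error_safe(int line, const char *near_text)
{
    return err_report("syntax error in line %d near '%s'\n", line, near_text);
}

int main(void)
{
    /* Constructed token containing conversion specifiers. */
    syntax_error_safe(3, "%s%x");
    return strstr(last_error, "'%s%x'") ? 0 : 1;
}
```

Building with `-Wformat -Wformat-security` and `-DSHOW_UNSAFE` makes the compiler flag the `err_report(msg)` call, which is a quick way to find the same pattern in other error paths.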