 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2009:254-1
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : graphviz
 Date    : December 5, 2009
 Affected: 2008.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in graphviz:

 Stack-based buffer overflow in the push_subg function in parser.y
 (lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions,
 allows user-assisted remote attackers to cause a denial of service
 (memory corruption) or execute arbitrary code via a DOT file with a
 large number of Agraph_t elements (CVE-2008-4555).

 This update provides a fix for this vulnerability.

 Update:

 Packages for 2008.0 are being provided due to extended support for
 Corporate products.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4555
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:

 Mandriva Linux 2008.0/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
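
 Added example (not part of the Mandriva advisory and not Graphviz code): a
 pre-filter for hosts that render untrusted DOT files and cannot install the
 update yet, which rejects input whose brace nesting exceeds a limit before it
 reaches the parser. It assumes the Agraph_t elements named in the problem
 description are created by nested { } blocks; the function names and the
 limit of 32 are choices made for this example.

```c
/* Added example, not Graphviz code: deepest { } nesting in a DOT text,
 * ignoring braces inside quoted strings, HTML strings and comments. */
#include <stddef.h>
#include <stdio.h>
#define MAX_SUBGRAPH_DEPTH 32   /* assumed policy limit, not a Graphviz constant */
/* Constructed sample: real depth 3, plus decoy braces that must not count. */
static const char SAMPLE[] =
    "digraph g { /* { */ a [label=\"{x}\"]; subgraph s1 { subgraph s2 { b -> c; } } // {\n"
    " d [label=<<b>{</b>>]; }";

size_t dot_max_depth(const char *s, size_t n) {
    size_t depth = 0, max = 0, i = 0;
    while (i < n) {
        char c = s[i];
        if (c == '"') {                                   /* quoted ID */
            for (i++; i < n && s[i] != '"'; i++)
                if (s[i] == '\\') i++;                    /* skip escaped char */
            i++;
        } else if (c == '/' && i + 1 < n && s[i + 1] == '*') {   /* block comment */
            for (i += 2; i + 1 < n && !(s[i] == '*' && s[i + 1] == '/'); i++)
                continue;
            i += 2;
        } else if (c == '/' && i + 1 < n && s[i + 1] == '/') {   /* line comment */
            while (i < n && s[i] != '\n') i++;
        } else if (c == '<') {                            /* HTML string, may nest */
            size_t angle = 0;
            for (; i < n; i++) {
                if (s[i] == '<') angle++;
                else if (s[i] == '>' && --angle == 0) { i++; break; }
            }
        } else {
            if (c == '{') { if (++depth > max) max = depth; }
            else if (c == '}' && depth > 0) depth--;
            i++;
        }
    }
    return max;
}

/* 1 = within the assumed limit, 0 = reject before it reaches the parser. */
int dot_depth_ok(const char *s, size_t n) {
    return dot_max_depth(s, n) <= MAX_SUBGRAPH_DEPTH;
}

int main(void) {
    size_t n = sizeof SAMPLE - 1;
    printf("max depth %zu, accept=%d\n", dot_max_depth(SAMPLE, n), dot_depth_ok(SAMPLE, n));
    return 0;
}
```

 The filter is a stopgap for unpatched hosts; installing the updated packages
 is the fix.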