[NEWS] Graphviz Buffer Overflow Code Execution



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Graphviz Buffer Overflow Code Execution
------------------------------------------------------------------------


SUMMARY

Graphviz (http://www.graphviz.org/) is "an open-source multi-platform
graph visualization software. It takes a description of graphs in a simple
text format (DOT language), and makes diagrams out of it in several useful
formats (including SVG)". A vulnerability exists in Graphviz's parsing
engine which makes it possible to overflow a globally allocated array and
corrupt memory by doing so.

DETAILS

Vulnerable Systems:
* Graphviz version 2.20.2

Immune Systems:
* Graphviz version 2.20.3

A vulnerability exists in Graphviz's parsing engine which makes it
possible to overflow a globally allocated array and corrupt memory by
doing so.

parser.y (Graphviz 2.20.2), lines 34-35 and 45-48:

    static Agraph_t *Gstack[32];   /* fixed-size, globally allocated */
    static int GSP;                /* stack pointer into Gstack */
    ...
    static void push_subg(Agraph_t *g)
    {
        G = Gstack[GSP++] = g;     /* no check that GSP < 32 */
    }

As can be seen, no bounds check is performed by the push_subg procedure,
allowing one to overflow Gstack by pushing more than 32 (Agraph_t *)
elements.
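As an added example (not from the advisory and not Graphviz code), a defender-side pre-screen in C that estimates how many Gstack slots a DOT file would need before it is handed to an unpatched renderer. It assumes that every brace-delimited graph or subgraph body corresponds to one push_subg() call, so brace nesting depth approximates the peak value of GSP; the names dot_max_nesting and dot_exceeds_stack and the sample input are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Subgraph stack size of the vulnerable Graphviz 2.20.2 parser (per the advisory). */
#define VULN_GSTACK_SIZE 32

/* Maximum brace nesting depth of DOT source, ignoring braces inside
 * double-quoted strings and inside // and C-style comments.
 * Assumption (not stated by the advisory): every graph or subgraph body
 * "{ ... }" costs one push_subg() call, so this depth approximates peak GSP. */
static int dot_max_nesting(const char *src)
{
    int depth = 0, max_depth = 0;
    for (const char *p = src; *p; p++) {
        if (*p == '"') {                          /* quoted string */
            for (p++; *p && *p != '"'; p++)
                if (*p == '\\' && p[1]) p++;      /* skip escaped char */
            if (!*p) break;
        } else if (*p == '/' && p[1] == '/') {    /* line comment */
            while (*p && *p != '\n') p++;
            if (!*p) break;
        } else if (*p == '/' && p[1] == '*') {    /* block comment */
            const char *end = strstr(p + 2, "*/");
            if (!end) break;
            p = end + 1;
        } else if (*p == '{') {
            if (++depth > max_depth) max_depth = depth;
        } else if (*p == '}' && depth > 0) {
            depth--;
        }
    }
    return max_depth;
}

/* True when rendering `src` would need more than `limit` Gstack slots. */
static bool dot_exceeds_stack(const char *src, int limit)
{
    return dot_max_nesting(src) > limit;
}

int main(void)
{
    /* Constructed sample: braces inside the label and the comment must not count. */
    const char *sample = "digraph g { n [label=\"{a|b}\"]; /* { */ subgraph s { n; } }";
    printf("max nesting %d, exceeds 2.20.2 stack: %s\n", dot_max_nesting(sample),
           dot_exceeds_stack(sample, VULN_GSTACK_SIZE) ? "yes" : "no");
    return 0;
}
```

A file that the check rejects should be refused or rendered only with a patched Graphviz (2.20.3 or later).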

Impact/Severity:
A malicious user can achieve arbitrary code execution by creating a
specially crafted DOT file and convincing the victim to render it using
Graphviz.

Solution:
A bounds check has been added to prevent the overflow; it can be seen in
parser.y (Graphviz 2.20.3), lines 34-36 and 45-52:

    #define GSTACK_SIZE 64
    static Agraph_t *Gstack[GSTACK_SIZE];
    static int GSP;
    ...
    static void push_subg(Agraph_t *g)
    {
        if (GSP >= GSTACK_SIZE) {          /* refuse to push past the end of Gstack */
            agerr (AGERR, "Gstack overflow in graph parser\n");
            exit(1);
        }
        G = Gstack[GSP++] = g;
    }


ADDITIONAL INFORMATION

The information has been provided by Roee Hay <mailto:roeeh@xxxxxxxxxx>.
The original article can be found at:
http://roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execution.html


