[NEWS] Graphviz Buffer Overflow Code Execution



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Graphviz Buffer Overflow Code Execution
------------------------------------------------------------------------


SUMMARY

<http://www.graphviz.org/> Graphviz is "an open-source multi-platform
graph visualization software. It takes a description of graphs in a simple
text format (DOT language), and makes diagrams out of it in several useful
formats (including SVG)". A vulnerability exists in Graphviz's parsing
engine which makes it possible to overflow a globally allocated array and
corrupt memory by doing so.

DETAILS

Vulnerable Systems:
* Graphviz version 2.20.2

Immune Systems:
* Graphviz version 2.20.3

A vulnerability exists in Graphviz's parsing engine which makes it
possible to overflow a globally allocated array and corrupt memory by
doing so.

parser.y (Graphviz 2.20.2):

    static Agraph_t *Gstack[32];
    static int GSP;

    static void push_subg(Agraph_t *g)
    {
        G = Gstack[GSP++] = g;
    }

As can be seen, no bounds check is performed by the push_subg procedure,
allowing one to overflow Gstack by pushing more than 32 (Agraph_t *)
elements onto it.

Impact/Severity:
A malicious user can achieve arbitrary code execution by creating a
specially crafted DOT file and convincing the victim to render it using
Graphviz.

Solution:
A bounds check has been added in order to avoid an overflow; it can be
seen in the parser.y file (Graphviz 2.20.3):

    #define GSTACK_SIZE 64
    static Agraph_t *Gstack[GSTACK_SIZE];
    static int GSP;

    static void push_subg(Agraph_t *g)
    {
        if (GSP >= GSTACK_SIZE) {
            agerr (AGERR, "Gstack overflow in graph parser\n");
            exit(1);
        }
        G = Gstack[GSP++] = g;
    }

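The following is an added example and not Graphviz's own code: it shows the same push pattern with a bounds check that returns an error instead of writing past the array, and a simple pre-render check that measures how deeply a DOT document nests braces so an input that would exceed a fixed-size parser stack can be rejected before rendering. The names push_subg_checked, count_accepted_pushes and dot_max_brace_depth, and the stand-in Agraph_t type, are assumptions made for this example.

```c
/* Added example, not Graphviz's own code. Agraph_t is a stand-in for the
 * real type; the push mirrors the pattern in the advisory. */
#include <stddef.h>
#define GSTACK_SIZE 64
typedef struct { const char *name; } Agraph_t;
static Agraph_t *Gstack[GSTACK_SIZE];
static int GSP;

/* Hardened push: refuses instead of writing past the end of Gstack.
 * Returns 0 on success, -1 when full (2.20.2 had no such check). */
int push_subg_checked(Agraph_t *g)
{
    if (GSP < 0 || GSP >= GSTACK_SIZE)
        return -1;
    Gstack[GSP++] = g;
    return 0;
}

/* Drive the checked push until it refuses; returns how many pushes succeeded. */
int count_accepted_pushes(int attempts)
{
    static Agraph_t dummy = { "dummy" };
    int ok = 0, i;
    GSP = 0;
    for (i = 0; i < attempts; i++)
        if (push_subg_checked(&dummy) == 0)
            ok++;
    return ok;
}

/* Maximum brace nesting depth of a DOT document, ignoring braces inside
 * double-quoted strings (backslash escapes honoured; comments not handled).
 * Each nested subgraph costs one parser stack slot, so a depth above the
 * stack size is a cheap reason to reject the file before rendering. */
int dot_max_brace_depth(const char *src)
{
    int depth = 0, max = 0, in_str = 0;
    for (; *src; src++) {
        if (in_str) {
            if (*src == '\\' && src[1]) src++;   /* skip escaped character */
            else if (*src == '"') in_str = 0;
        } else if (*src == '"') {
            in_str = 1;
        } else if (*src == '{') {
            if (++depth > max) max = depth;
        } else if (*src == '}' && depth > 0) {
            depth--;
        }
    }
    return max;
}
```

The depth check is a coarse filter only; the authoritative fix is the bounds check inside the parser itself.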

ADDITIONAL INFORMATION

The information has been provided by Roee Hay <mailto:roeeh@xxxxxxxxxx>.
The original article can be found at:
http://roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execution.html
