PublicDateAtUSN: 2014-01-08
Candidate: CVE-2014-1235
PublicDate: 2017-08-07 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1235
 http://www.openwall.com/lists/oss-security/2014/01/08
 https://ubuntu.com/security/notices/USN-2083-1
Description:
 Stack-based buffer overflow in the "yyerror" function in Graphviz 2.34.0
 allows remote attackers to execute arbitrary code or cause a denial of
 service (application crash) via a crafted file.  NOTE: This vulnerability
 exists due to an incomplete fix for CVE-2014-0978.
Ubuntu-Description:
Notes:
 mdeslaur> introduced by patch for CVE-2014-0978
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734745
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_graphviz:
 upstream: https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750
upstream_graphviz: needs-triage
lucid_graphviz: released (2.20.2-8ubuntu3.1)
precise_graphviz: released (2.26.3-10ubuntu1.1)
quantal_graphviz: released (2.26.3-12ubuntu1.1)
raring_graphviz: released (2.26.3-14ubuntu1.1)
saucy_graphviz: released (2.26.3-15ubuntu4.1)
devel_graphviz: not-affected (2.36.0-0ubuntu1)