CVE-2014-1235 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Graphviz

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121 — Stack-based Buffer Overflow10 documents7 sources

Severity

7.8HIGHNVD

OSV9.3

EPSS

0.9%

top 24.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Graphviz Debian Graphviz

Timeline

PublishedAug 7

Latest updateMay 17

Description

Stack-based buffer overflow in the "yyerror" function in Graphviz 2.34.0 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted file. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-0978.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/graphviz< graphviz 2.26.3-16.1 (bookworm)

▶Debiangraphviz/graphviz< 2.26.3-16.1+3

▶NVDgraphviz/graphviz2.34.0

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: security.gentoo.org ↗

🔴Vulnerability Details

GHSA

GHSA-w89c-3qr4-xm84: Stack-based buffer overflow in the "yyerror" function in Graphviz 2↗2022-05-17

▶

OSV

CVE-2014-1235: Stack-based buffer overflow in the "yyerror" function in Graphviz 2↗2017-08-07

▶

📋Vendor Advisories

Ubuntu

Graphviz vulnerabilities↗2014-01-16

▶

Red Hat

graphviz: buffer overflow in yyerror() due to improper fix for CVE-2014-0978↗2014-01-08

▶

Debian

CVE-2014-1235: graphviz - Stack-based buffer overflow in the "yyerror" function in Graphviz 2.34.0 allows ...↗2014

▶

💬Community

Bugzilla

CVE-2014-1235 CVE-2014-1236 graphviz: various flaws [fedora-all]↗2014-01-09

▶

Bugzilla

CVE-2014-1235 graphviz: buffer overflow in yyerror() due to improper fix for CVE-2014-0978↗2014-01-09

▶

Bugzilla

CVE-2014-1235 CVE-2014-1236 graphviz: various flaws [epel-5]↗2014-01-09

▶

Bugzilla

CVE-2014-0978 graphviz: stack-based buffer overflow in yyerror()↗2014-01-07

▶