Vulnerability score of Graphviz showing as 9.3 based on bugs CVE-2014-0978 and CVE-2014-1236

Vulnerability score of Graphviz showing as 9.3 based on bugs CVE-2014-0978 and CVE-2014-1236 from link https://www.us-cert.gov/ncas/bulletins/SB14-013 . Is this fixed in the latest version of Graphviz (i.e. 2.38)?

Does this issue not exist in earlier versions?

Is there any way to fix these issues?

When is the 2.39 version planned for release

Can you please let us know when the 2.39 version is planned to be released?

These issues have all been

These issues have all been addressed in the current working version.

Current version details?

Does "current working version" mean the Graphviz 2.38 release?

No, 2.38 is a release

No, 2.38 is a release version. The current working version is 2.39. The latter contains all the necessary updates.

Two major vulnerability issues not resolved

The vulnerability defects CVE-2014-0978 and CVE-2014-1236 reported have high severity levels; is there any special reason that these issues have not been fixed even after 2 years?

These problems have been

These problems have been fixed and are part of the 2.39 working version, as well as the source. 2.39 is available in binary from the Graphviz site for most versions of Linux, and from both MacPorts and Homebrew for OS X. There is currently work going on to provide a 2.39 version for Windows.

As to why we have not yet made a 2.40 release version or provided a fixed Windows binary, the company we worked for fired/forced out/re-assigned everyone working on Graphviz. Our current jobs give us only a minimal amount of time to support Graphviz, plus we lost access to many of the computing resources we relied on.

2.39 Release date

What is the planned release date for 2.39 version?

There will never be a release

There will never be a release of 2.39. Our approach is to use odd-numbered point releases as a working version, with new builds every day. The next release version will be 2.40. Typically, the working version is pretty solid and, if a major problem is detected, we fix it as soon as possible. As for when we will release 2.40, I'm not sure given the constraints on our time. Of late, we have mostly been concentrating on "fixing" our web site, i.e., moving as much as possible to github.

link for 2.39 release download

Hi - Thanks for the update. Can you please provide me the link on the Graphviz site for the 2.39 version download for Red Hat Linux OS. I can see only 2.38 version download links on the Graphviz site.

Also, can you please give me a link which will confirm that bugs CVE-2014-0978 and CVE-2014-1236 have been fixed.

In the above post, you have mentioned that the 2.39 version for Windows is still in progress; however, while searching on the internet I have found the link http://www.download82.com/download/windows/graphviz/ which has a download for the 2.39 version for Windows. Is this link reliable?

Sorry, our build process

Sorry, our build process broke. It is fixed now. See http://www.graphviz.org/Download_linux_rhel.php

I don't have an official link, but here is the relevant part of the log file for scan.l:


commit 495f781f91dca1fb165bbaa6abc0ced1c09535c8
Author: Tomas Hoger <[email protected]>
Date:   Wed May 20 11:15:32 2015 +0200

    Fix agerr() format string issue in chkNum()

    Commit 99eda42 fixed agerr() format string issue in yyerror(), but the
    same fix is also needed for chkNum().  In chkNum(), format string can be
    injected at least via malicious file name:

      $ cat fs4-%n%s%s%s%s%s%s.dot
      graph G { a [ weight = 0g ] }

      $ dot fs4-%n%s%s%s%s%s%s.dot
      Warning: *** %n in writable segment detected ***
      Aborted

commit 99eda421f7ddc27b14e4ac1d2126e5fe41719081
Author: Emden R. Gansner <[email protected]>
Date:   Mon Nov 24 14:32:58 2014 -0500

    Fix format string vulnerability in using agerr() to report errors during parsing.
    We now use a fixed format %s, and pass the error string as an argument.

As for the Windows version you found, we were totally unaware of it, so thanks for the pointer. However, we have no idea who did this or its general provenance, so you would be using it at your own risk.
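The two commits quoted above describe the same bug class twice: an error message that embeds the input file name was handed to the printf-style agerr() as the format argument, so a file name such as fs4-%n%s%s%s%s%s%s.dot became a format string. The following is an added example, written for this thread and not code from Graphviz, that puts the pre-fix call pattern next to the fixed one ("a fixed format %s, and pass the error string as an argument"). Assumptions: agerr_fmt() is a stand-in for agerr() that formats into a buffer instead of writing to stderr and drops the level argument; build_msg() and its message wording are invented, since chkNum()'s real text is not shown here. The demo file name uses only "%%", the one directive vsnprintf can safely interpret with no arguments, so the program stays well-defined; a "%n"-style payload like the one in the commit message is left to count_directives() rather than executed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Graphviz's agerr(): a printf-style error sink. It formats
   into a static buffer so the result can be inspected and compared; the
   real agerr() writes to stderr and takes a severity level first
   (assumption: the level argument is omitted here). */
static char report_buf[512];

static const char *agerr_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(report_buf, sizeof report_buf, fmt, ap);
    va_end(ap);
    return report_buf;
}

/* Assembles the kind of message the scanner reports for a bad numeric
   attribute value, with the attacker-controlled file name embedded.
   The wording is invented for this example; chkNum()'s real message
   is not shown in the thread. */
static void build_msg(char *buf, size_t sz, const char *fname, int line,
                      const char *tok)
{
    snprintf(buf, sz, "%s:%d: syntax error: bad number \"%s\"", fname, line, tok);
}

/* Pre-fix pattern: the assembled message is itself passed as the format
   string, so every '%' in the file name is interpreted by vsnprintf. */
const char *report_vulnerable(const char *fname, int line, const char *tok)
{
    char msg[256];
    build_msg(msg, sizeof msg, fname, line, tok);
    return agerr_fmt(msg);              /* msg is the format: injection */
}

/* Post-fix pattern (what commits 99eda42 and 495f781 do): a constant "%s"
   format with the message passed as the argument. */
const char *report_fixed(const char *fname, int line, const char *tok)
{
    char msg[256];
    build_msg(msg, sizeof msg, fname, line, tok);
    return agerr_fmt("%s", msg);
}

/* Audit helper: how many conversion directives an untrusted string would
   trigger if it were ever used as a format. "%%" is a literal percent. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;                        /* escaped percent, skip both */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed file name: "%%" is consumed by the vulnerable path and
       silently rewritten to "%", which is the visible symptom that the
       file name is being interpreted as a format string. */
    const char *fname = "rate%%.dot";
    printf("vulnerable: %s\n", report_vulnerable(fname, 1, "0g"));
    printf("fixed:      %s\n", report_fixed(fname, 1, "0g"));
    printf("directives in the commit's file name: %d\n",
           count_directives("fs4-%n%s%s%s%s%s%s.dot"));
    return 0;
}
```

The "%%" case is deliberately the mild one. With the commit's file name the vulnerable path reads seven missing arguments off the stack and, as the quoted log shows, glibc's fortified printf aborts on the "%n" into a writable segment; on a build without that check the write lands. The fix needs no parsing or escaping of the file name at all, only the constant "%s" format, which is why the same one-line change had to be applied to each agerr() call site rather than once.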
