Advisory: Graphviz Buffer Overflow Code Execution Oct 08 2008 06:51PM
roeeh il ibm com
The graphviz team has just released a patch to a critical security issue

I reported to them.

The following is the advisory (also available at

http://roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execut
ion.html):

Background

==========

Graphviz is an open-source multi-platform graph visualization software. It

takes a description of graphs in a simple text format (DOT language), and

makes diagrams out of it in several useful formats (including SVG).

Description

===========

A vulnerability exists in Graphviz's parsing engine which makes it possible to

overflow a globally allocated array and corrupt memory by doing so.

parser.y (Graphviz 2.20.2):

34: static Agraph_t *Gstack[32];

35: static int GSP;

45: static void push_subg(Agraph_t *g)

46: {

47: G = Gstack[GSP++] = g;

48: }

As it can be seen, no bounds check is performed by the push_svg procedure,

allowing one to overflow Gstack by pushing more than 32 (Agraph_t *)

elements.

Impact/Severity

===============

A malicious user can achieve an arbitrary code execution by creating a

specially crafted DOT file and convince the victim to render it using Graphviz.

Affected versions

=================

Graphviz 2.20.2 is affected by this vulnerability. Older version are probably

affected as well.

Workaround

===========

Version 2.20.3 has been released in order to address this issue. A bounds check

has been added in order to avoid an overflow.

parser.y (Graphviz 2.20.3):

34: #define GSTACK_SIZE 64

35: static Agraph_t *Gstack[GSTACK_SIZE];

36: static int GSP;

45:

46: static void push_subg(Agraph_t *g)

47: {

48: if (GSP >= GSTACK_SIZE) {

49: agerr (AGERR, "Gstack overflow in graph parser\n"); exit(1);

50: }

51: G = Gstack[GSP++] = g;

52: }

Acknowledgements

================

I would like to thank the Graphviz team (Stephen C. North, John Ellson,

Emden R. Gansner and others) for their quick responses and fix (it took them

only a day since my disclosure to release a patch!).

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus