Mandriva Linux Security Advisory : graphviz (MDVSA-2009:254-1)

high Nessus Plugin ID 41961

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

A vulnerability was discovered and corrected in graphviz :

Stack-based buffer overflow in the push_subg function in parser.y (lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions, allows user-assisted remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a DOT file with a large number of Agraph_t elements (CVE-2008-4555).

This update provides a fix for this vulnerability.

Update :

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

Solution

Update the affected packages.

Plugin Details

Severity: High

ID: 41961

File Name: mandriva_MDVSA-2009-254.nasl

Version: 1.16

Type: local

Published: 10/2/2009

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:graphviz, p-cpe:/a:mandriva:linux:graphviz-doc, p-cpe:/a:mandriva:linux:lib64graphviz-devel, p-cpe:/a:mandriva:linux:lib64graphviz-static-devel, p-cpe:/a:mandriva:linux:lib64graphviz3, p-cpe:/a:mandriva:linux:lib64graphvizlua0, p-cpe:/a:mandriva:linux:lib64graphvizperl0, p-cpe:/a:mandriva:linux:lib64graphvizphp0, p-cpe:/a:mandriva:linux:lib64graphvizpython0, p-cpe:/a:mandriva:linux:lib64graphvizruby0, p-cpe:/a:mandriva:linux:lib64graphviztcl0, p-cpe:/a:mandriva:linux:libgraphviz-devel, p-cpe:/a:mandriva:linux:libgraphviz-static-devel, p-cpe:/a:mandriva:linux:libgraphviz3, p-cpe:/a:mandriva:linux:libgraphvizlua0, p-cpe:/a:mandriva:linux:libgraphvizperl0, p-cpe:/a:mandriva:linux:libgraphvizphp0, p-cpe:/a:mandriva:linux:libgraphvizpython0, p-cpe:/a:mandriva:linux:libgraphvizruby0, p-cpe:/a:mandriva:linux:libgraphviztcl0, cpe:/o:mandriva:linux:2008.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/5/2009

Reference Information

CVE: CVE-2008-4555

BID: 31648

CWE: 119

MDVSA: 2009:254-1