OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/graphviz?expand=0&rev=27

graphviz-fix_gstack_overflow.patch

@@ -0,0 +1,22 @@
+--- lib/graph/parser.y	2007-09-07 08:05:44.000000000 -0400
++++ lib/graph/parser.y	2008-10-07 14:40:07.000000000 -0400
+@@ -31,7 +31,8 @@
+ static Agnode_t		*N;
+ static Agedge_t		*E;
+ static objstack_t	*SP;
+-static Agraph_t		*Gstack[32];
++#define GSTACK_SIZE 64
++static Agraph_t         *Gstack[GSTACK_SIZE];
+ static int			GSP;
+ 
+ static void subgraph_warn (void)
+@@ -44,6 +45,9 @@
+ 
+ static void push_subg(Agraph_t *g)
+ {
++	if (GSP >= GSTACK_SIZE) {
++		agerr (AGERR, "Gstack overflow in graph parser\n"); exit(1);
++	}
+ 	G = Gstack[GSP++] = g;
+ }
+ 

graphviz-plugins.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Oct 13 15:04:23 CEST 2008 - pth@suse.de
+
+- Fix vulnerability that allowed overflowing gstack (bnc#433747)
+
 -------------------------------------------------------------------
 Wed Sep 17 10:09:10 CEST 2008 - dmueller@suse.de
 

graphviz-plugins.spec

@@ -30,7 +30,7 @@ BuildRequires:  graphviz gtkglext-devel libglade2-devel libgnomeui-devel
 BuildRequires:  fdupes
 %endif
 Version:        2.20.2
-Release:        4
+Release:        5
 AutoReqProv:    on
 Summary:        Graph Visualization Tools
 Group:          Productivity/Graphics/Visualization/Graph
@@ -40,6 +40,8 @@ Patch0:         graphviz-fix-pkgIndex.patch
 Patch3:         graphviz-neato_splines.patch
 Patch11:        graphviz-%{version}-interpreter_names.patch
 Patch13:        graphviz-stddefs.patch
+#Any version after 2.20.2 will contain the following patch
+Patch14:        graphviz-fix_gstack_overflow.patch
 #Patches above 100 are graphviz-plugins specific.
 Patch100:       graphviz-plugins-fix_install_dirs.patch
 Patch101:       graphviz-plugins-tcl_install_dir.patch
@@ -363,6 +365,7 @@ Authors:
 %patch3
 %patch11
 %patch13
+%patch14
 %patch100
 %patch101
 %patch103
@@ -553,6 +556,8 @@ done
 %doc __doc/*
 
 %changelog
+* Mon Oct 13 2008 pth@suse.de
+- Fix vulnerability that allowed overflowing gstack (bnc#433747)
 * Wed Sep 17 2008 dmueller@suse.de
 - fix python version detection
 * Thu Aug 14 2008 ro@suse.de

graphviz.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Oct 13 15:03:50 CEST 2008 - pth@suse.de
+
+- Fix vulnerability that allowed overflowing gstack (bnc#433747)
+
 -------------------------------------------------------------------
 Thu Jul 10 12:11:47 CEST 2008 - pth@suse.de
 

graphviz.spec

@@ -25,7 +25,7 @@ BuildRequires:  xorg-x11-libICE-devel xorg-x11-libSM-devel xorg-x11-libXpm-devel
 BuildRequires:  xorg-x11-libX11-devel xorg-x11-libXext-devel xorg-x11-libXmu-devel xorg-x11-libXt-devel
 PreReq:         /bin/rm
 Version:        2.20.2
-Release:        41
+Release:        42
 AutoReqProv:    on
 Summary:        Graph Visualization Tools
 Group:          Productivity/Graphics/Visualization/Graph
@@ -35,6 +35,8 @@ Patch0:         graphviz-fix-pkgIndex.patch
 Patch3:         graphviz-neato_splines.patch
 Patch11:        graphviz-%{version}-interpreter_names.patch
 Patch13:        graphviz-stddefs.patch
+#Any version after 2.20.2 will contain the following patch
+Patch14:        graphviz-fix_gstack_overflow.patch
 Url:            http://www.graphviz.org/
 License:        IBM Public License
 Prefix:         /usr
@@ -90,6 +92,7 @@ Authors:
 %patch3
 %patch11
 %patch13
+%patch14
 # Fix path in generated man pages
 sed -e 's$@LIB_DIR@$%{_libdir}$g' tclpkg/gv/gv_doc_langs.tcl >tclpkg/gv/gv_doc_langs.tcl.new && mv tclpkg/gv/gv_doc_langs.tcl.new tclpkg/gv/gv_doc_langs.tcl
 # remove broken macros
@@ -204,6 +207,8 @@ if ! test -x $RPM_INSTALL_PREFIX0/bin/dot; then rm -f $RPM_INSTALL_PREFIX0/%{_li
 %{_mandir}/man3/*.3.gz
 
 %changelog
+* Mon Oct 13 2008 pth@suse.de
+- Fix vulnerability that allowed overflowing gstack (bnc#433747)
 * Thu Jul 10 2008 pth@suse.de
 - Update to 2.20.2. Changes since 2.18:
   2.20.2: