CVE-2014-1235

EUVD-2014-1313
Stack-based buffer overflow in the "yyerror" function in Graphviz 2.34.0 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted file.  NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-0978.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
Affected Products (NVD)
VendorProductVersion
graphvizgraphviz
2.34.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
graphviz
bookworm
2.42.2-7+deb12u1
fixed
bullseye
2.42.2-5+deb11u1
fixed
sid
2.42.4-2
fixed
squeeze
not-affected
trixie
2.42.4-2
fixed
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
graphviz
lucid
Fixed 2.20.2-8ubuntu3.1
released
precise
Fixed 2.26.3-10ubuntu1.1
released
quantal
Fixed 2.26.3-12ubuntu1.1
released
raring
Fixed 2.26.3-14ubuntu1.1
released
saucy
Fixed 2.26.3-15ubuntu4.1
released
Common Weakness Enumeration
References
http://seclists.org/oss-sec/2014/q1/54
http://www.securityfocus.com/bid/64736
https://bugzilla.redhat.com/show_bug.cgi?id=1050871
https://exchange.xforce.ibmcloud.com/vulnerabilities/90198
https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750
https://security.gentoo.org/glsa/201702-06
http://seclists.org/oss-sec/2014/q1/54
http://www.securityfocus.com/bid/64736
https://bugzilla.redhat.com/show_bug.cgi?id=1050871
https://exchange.xforce.ibmcloud.com/vulnerabilities/90198
https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750
https://security.gentoo.org/glsa/201702-06