USN-5264-1: Graphviz vulnerabilities
3 February 2022
Several security issues were fixed in graphviz.
Releases
Packages
- graphviz - rich set of graph drawing tools
Details
It was discovered that graphviz contains null pointer dereference
vulnerabilities. Exploitation via a specially crafted input file
can cause a denial of service.
(CVE-2018-10196, CVE-2019-11023)

It was discovered that graphviz contains a buffer overflow
vulnerability. Exploitation via a specially crafted input file can cause
a denial of service or possibly allow for arbitrary code execution.
(CVE-2020-18032)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04
- graphviz - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libcdt5 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libcgraph6 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libgvc6 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libgvc6-plugins-gtk - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libgvpr2 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libpathplan4 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libxdot4 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-5971-1: libxdot4, graphviz-dev, libcdt5, libgv-python, libgvc6, libgvpr2, graphviz-doc, libgv-tcl, liblab-gamut1, libgvc6-plugins-gtk, libgv-lua, python-gv, libgv-perl, graphviz, libgv-php5, libpathplan4, libcgraph6, libgv-php7, libgv-ruby, libgv-guile, libgraphviz-dev, python3-gv