CVE-2014-9157

Published: 3 December 2014

Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string.

Priority

Status

Package	Release	Status
graphviz Launchpad, Ubuntu, Debian	upstream	Needs triage
	lucid	Released (2.20.2-8ubuntu3.2)
	precise	Released (2.26.3-10ubuntu1.2)
	trusty	Released (2.36.0-0ubuntu3.1)
	utopic	Released (2.38.0-5ubuntu0.1)
	Patches: upstream: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081

References

http://openwall.com/lists/oss-security/2014/12/09/16
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157
https://ubuntu.com/security/notices/USN-2435-1
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›