CVE-2019-9904
Published: 21 March 2019
An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.
Notes
| Author | Note |
|---|---|
| iconstantin | No clear fix identified by upstream as of 2022-01-27 |
| ccdm94 | according to upstream in a comment in issue 1512, the PoC does not reproduce in Linux starting with version 2.46.0. A new reproducer was requested, but no answer has been provided to this request, and the issue was closed without an explicit patch being provided. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
graphviz Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Needs triage
|
|
| groovy |
Ignored
(end of life)
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| hirsute |
Ignored
(end of life)
|
|
| xenial |
Deferred
(2022-01-27)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| lunar |
Needs triage
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| mantic |
Needs triage
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |