From patchwork Wed May 12 22:29:27 2021
X-Patchwork-Submitter: Leo Famulari
X-Patchwork-Id: 29271
Subject: [bug#48385] [PATCH] gnu: Graphviz: Fix CVE-2020-18032.
From: Leo Famulari
To: 48385@debbugs.gnu.org
Date: Wed, 12 May 2021 18:29:27 -0400
X-Mailer: git-send-email 2.31.1

* gnu/packages/patches/graphviz-CVE-2020-18032.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/graphviz.scm (graphviz)[replacement]: New field.
(graphviz/fixed): New variable.
--- gnu/local.mk | 1 + gnu/packages/graphviz.scm | 10 ++++ .../patches/graphviz-CVE-2020-18032.patch | 49 +++++++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 gnu/packages/patches/graphviz-CVE-2020-18032.patch diff --git a/gnu/local.mk b/gnu/local.mk index 01d495d41d..5601b5b698 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1164,6 +1164,7 @@ dist_patch_DATA = \ %D%/packages/patches/gpodder-disable-updater.patch \ %D%/packages/patches/gpsbabel-fix-i686-test.patch \ %D%/packages/patches/grantlee-merge-theme-dirs.patch \ + %D%/packages/patches/graphviz-CVE-2020-18032.patch \ %D%/packages/patches/grep-timing-sensitive-test.patch \ %D%/packages/patches/grocsvs-dont-use-admiral.patch \ %D%/packages/patches/gromacs-tinyxml2.patch \ diff --git a/gnu/packages/graphviz.scm b/gnu/packages/graphviz.scm index eb3fd1d583..72c96655bc 100644 
--- a/gnu/packages/graphviz.scm +++ b/gnu/packages/graphviz.scm @@ -62,6 +62,7 @@ (define-public graphviz (package (name "graphviz") + (replacement graphviz/fixed) (version "2.42.3") (source (origin (method url-fetch) @@ -126,6 +127,15 @@ software engineering, database and web design, machine learning, and in visual interfaces for other technical domains.") (license license:epl1.0))) +(define-public graphviz/fixed + (hidden-package + (package + (inherit graphviz) + (source (origin + (inherit (package-source graphviz)) + (patches (append (search-patches "graphviz-CVE-2020-18032.patch") + (origin-patches (package-source graphviz))))))))) + ;; Older Graphviz needed for pygraphviz. See ;; https://github.com/pygraphviz/pygraphviz/issues/175 (define-public graphviz-2.38 diff --git a/gnu/packages/patches/graphviz-CVE-2020-18032.patch b/gnu/packages/patches/graphviz-CVE-2020-18032.patch new file mode 100644 index 0000000000..4cf94a9a36 --- /dev/null +++ b/gnu/packages/patches/graphviz-CVE-2020-18032.patch 
@@ -0,0 +1,49 @@ +Fix CVE-2020-18032: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-18032 +https://gitlab.com/graphviz/graphviz/-/issues/1700 + +Patch copied from upstream source repository: + +https://gitlab.com/graphviz/graphviz/-/commit/784411ca3655c80da0f6025ab20634b2a6ff696b + +From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Sat, 25 Jul 2020 19:31:01 -0700 +Subject: [PATCH] fix: out-of-bounds write on invalid label + +When the label for a node cannot be parsed (due to it being malformed), it falls +back on the symbol name of the node itself. I.e. the default label the node +would have had if it had no label attribute at all. However, this is applied by +dynamically altering the node's label to "\N", a shortcut for the symbol name of +the node. All of this is fine, however if the hand written label itself is +shorter than the literal string "\N", not enough memory would have been +allocated to write "\N" into the label text. + +Here we account for the possibility of error during label parsing, and assume +that the label text may need to be overwritten with "\N" after the fact. Fixes +issue #1700. +--- + lib/common/shapes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/common/shapes.c b/lib/common/shapes.c +index 0a0635fc3..9dca9ba6e 100644 +--- a/lib/common/shapes.c ++++ b/lib/common/shapes.c +@@ -3546,9 +3546,10 @@ static void record_init(node_t * n) + reclblp = ND_label(n)->text; + len = strlen(reclblp); + /* For some forgotten reason, an empty label is parsed into a space, so +- * we need at least two bytes in textbuf. ++ * we need at least two bytes in textbuf, as well as accounting for the ++ * error path involving "\\N" below. + */ +- len = MAX(len, 1); ++ len = MAX(MAX(len, 1), (int)strlen("\\N")); + textbuf = N_NEW(len + 1, char); + if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) { + agerr(AGERR, "bad label format %s\n", ND_label(n)->text); +-- +2.31.1 +
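Review bot: in the graphviz.scm hunk at `@@ -126,6 +127,15 @@`, the new `graphviz/fixed` graft covers only the 2.42.3 package, while the upstream fix lands in `record_init` in lib/common/shapes.c, which is long-standing code rather than something new in 2.42.x; the `graphviz-2.38` package defined right below the hunk ("Older Graphviz needed for pygraphviz") is therefore likely to carry the same out-of-bounds write and should either get its own `replacement` with the same patch applied, or be checked and noted as unaffected in the commit message. Prepending the CVE patch via `(append (search-patches "graphviz-CVE-2020-18032.patch") (origin-patches (package-source graphviz)))` is fine as long as none of the existing origin patches also touch `record_init`; a quick `guix build graphviz/fixed` confirms the patch series still applies cleanly in that order.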
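Review bot: in the copied upstream hunk for lib/common/shapes.c, the buffer that is enlarged is `textbuf` (`textbuf = N_NEW(len + 1, char);`), whereas the commit message describes the overflow as writing "\N" into "the label text"; the error path that actually performs the `"\\N"` write sits below the visible context (only the `agerr(AGERR, "bad label format %s\n", ...)` line is shown), so before merging it is worth confirming in upstream commit 784411ca3655c80da0f6025ab20634b2a6ff696b that the write targets `textbuf` and not `ND_label(n)->text`, otherwise the larger allocation would not cover the write described. The `(int)strlen("\\N")` cast keeps the `MAX` arguments at the existing `int` type of `len`, which is consistent with the surrounding code; `MAX(MAX(len, 1), 2)` would be equivalent but the `strlen` form documents why the minimum is 2, so no change needed there.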