that qiomkfile creates at runtime. Depending on system activity prior
to invocation, the new file may contain sensitive information.
ANALYSIS
qiomkfile will write the uninitialized data to a dot-file whose name is provided
as an argument. Varying the numeric values passed to qiomkfile on the
command line through the -s and -h flags will cause disparate chunks of
file system memory to be written to the dot-file. According to C99
(7.20.3.3.2), "The malloc function allocates space for an object whose
size is specified by size and whose value is indeterminate."
Synopsis
========
A buffer overflow in Graphviz might lead to user-assisted execution of
arbitrary code via a DOT file.
Background
==========
Graphviz is open source graph visualization software.
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not
properly validate a server-provided filename before determining the
destination filename of a download, which allows remote servers to
create or overwrite arbitrary files via a Content-Disposition header
that suggests a crafted filename, and possibly execute arbitrary
code as a consequence of writing to a dotfile in a home directory
(CVE-2010-2251).
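As an added illustration of the check the LFTP description calls for (example code written for this page, not lftp's own fix), the function below uses a server-supplied Content-Disposition filename only when it is a plain, non-hidden basename and otherwise falls back to the last path component of the URL. All header and URL values are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# A safe destination name: starts with a letter or digit (so it can never
# be a dotfile such as .bash_profile), contains no path separators and no
# control or shell-special characters, and is at most 255 characters long.
_SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$')


def filename_from_content_disposition(header):
    """Return the filename parameter of a Content-Disposition header, or None.

    Handles filename="..." and the RFC 5987 filename*=charset'lang'value
    form. Quoted-string parsing is simplified: a ';' inside quotes is not
    handled, which is acceptable here because any such name is rejected
    later by is_safe_basename anyway.
    """
    for part in header.split(';')[1:]:
        key, _, value = part.strip().partition('=')
        key, value = key.strip().lower(), value.strip()
        if key == 'filename*':
            # Format is charset'language'percent-encoded-value.
            return unquote(value.split("'", 2)[-1])
        if key == 'filename':
            return value.strip('"')
    return None


def is_safe_basename(name):
    """True if name is a plain, non-hidden file name with no path component."""
    return '/' not in name and '\\' not in name and bool(_SAFE_NAME.match(name))


def choose_destination(url, content_disposition=None):
    """Pick a local destination name for a download.

    A server suggestion that is hidden or carries a path is ignored rather
    than repaired, because a repaired name is still one the user never
    chose. Returns None when no acceptable name exists, so the caller must
    ask the user instead of guessing.
    """
    if content_disposition:
        suggested = filename_from_content_disposition(content_disposition)
        if suggested is not None and is_safe_basename(suggested):
            return suggested
    fallback = unquote(posixpath.basename(urlsplit(url).path))
    return fallback if is_safe_basename(fallback) else None
```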
Packages for 2008.0 and 2009.0 are provided as of the Extended
Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
A vulnerability was discovered and corrected in graphviz:
Stack-based buffer overflow in the push_subg function in parser.y
(lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions,
allows user-assisted remote attackers to cause a denial of service
(memory corruption) or execute arbitrary code via a DOT file with a
large number of Agraph_t elements (CVE-2008-4555).
This update provides a fix for this vulnerability.
Update:
PoC attack on a wget cron job resulting in a .bash_profile overwrite:
http://www.openwall.com/lists/oss-security/2010/05/18/13
Brief description of an attack on a wget cron job not involving a
dot-file nor a home directory (but involving a website tree instead):
http://lists.gnu.org/archive/html/bug-wget/2010-05/msg00032.html
Advice on back-porting lftp's fix to versions 3.4.7 through 4.0.5:
http://www.openwall.com/lists/oss-security/2010/05/20/2
http://www.openwall.com/lists/oss-security/2010/06/10/1
Impact/Severity
===============
A malicious user could achieve arbitrary code execution by creating a
specially crafted DOT file and convincing the victim to render it using Graphviz.
Affected versions
=================
Graphviz 2.20.2 is affected by this vulnerability. Older versions are probably
_______________________________________________________________________