Package: graphviz / 2.38.0-17

CVE-2014-9157.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
Bug-Debian: https://bugs.debian.org/772648
Forwarded: no
Author: Emden R. Gansner
Last-Update: 2014-12-10

---
 lib/cgraph/scan.l |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/cgraph/scan.l
+++ b/lib/cgraph/scan.l
@@ -225,7 +225,7 @@ void yyerror(char *str)
 	agxbput (&xb, buf);
 	agxbput (&xb, yytext);
 	agxbput (&xb,"'\n");
-	agerr(AGERR,agxbuse(&xb));
+	agerr(AGERR, "%s", agxbuse(&xb));
 	agxbfree(&xb);
 }
 /* must be here to see flex's macro defns */