main/graphviz: security fixes for CVE-2014-0978, CVE-2014-1235, CVE-2014-1236

fixes #2610

4 files changed, 155 insertions, 5 deletions

diff --git a/main/graphviz/APKBUILD b/main/graphviz/APKBUILD
index c6a123ed3a..ad89ce8260 100644
--- a/main/graphviz/APKBUILD
+++ b/main/graphviz/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=graphviz
 pkgver=2.34.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Graph Visualization Tools"
 url="http://www.graphviz.org/"
 arch="all"
@@ -16,7 +16,11 @@ install=""
 subpackages="$pkgname-dev $pkgname-doc py-$pkgname:py lua-$pkgname:_lua
 	$pkgname-gtk $pkgname-graphs"
 source="http://www.graphviz.org/pub/graphviz/stable/SOURCES/graphviz-$pkgver.tar.gz
-	0001-clone-nameclash.patch"
+	0001-clone-nameclash.patch
+	CVE-2014-0978.patch
+	CVE-2014-1235.patch
+	CVE-2014-1236.patch
+	"
 
 _builddir="$srcdir"/graphviz-$pkgver
 prepare() {
@@ -107,8 +111,17 @@ graphs() {
 		"$subpkgdir"/usr/share/graphviz/
 }
 md5sums="a8a54f8abac5bcdafd9a568e85a086d6  graphviz-2.34.0.tar.gz
-bce8a9ae4c3a8c52c1bcf0e03d5ce364  0001-clone-nameclash.patch"
+bce8a9ae4c3a8c52c1bcf0e03d5ce364  0001-clone-nameclash.patch
+f30088b180fd736be279f985b9949feb  CVE-2014-0978.patch
+cd1c4cd0b0f459add16e3dffa448d1eb  CVE-2014-1235.patch
+f94705247b1afe760c5e63352467b65f  CVE-2014-1236.patch"
 sha256sums="d94abca5745aa4c5808ab56cd3d0ec9ed14fb76a5a88d39e1f234fa84d22d764  graphviz-2.34.0.tar.gz
-2b6c8186bf2799658494428d68597f63b91799f37809cbe59d8adcab60c27363  0001-clone-nameclash.patch"
+2b6c8186bf2799658494428d68597f63b91799f37809cbe59d8adcab60c27363  0001-clone-nameclash.patch
+df061d73d19437930316bb347b3508f411e4499171552dc45be100e13524d0ca  CVE-2014-0978.patch
+78b0545dd0d42e689dffac8ce27f20bc6589eb97017e850da0e3615b049158d3  CVE-2014-1235.patch
+33b929b284a3eed68313755c570b868971ef81e154f895735993f4a80082be2b  CVE-2014-1236.patch"
 sha512sums="73dc8c25bc5747fda717d6d2162a8b37bf883544a13b487354a6000d528816a69a021f33cbeec0f6e718a7e9905ab2a04ee63f787ca7f79226055b2da21f4832  graphviz-2.34.0.tar.gz
-aa4cbc341906a949a6bf78cadd96c437d6bcc90369941fe03519aa4447731ecbf6063a0dd0366d3e7aaadf22b69e4bcab3f8632a7da7a01f8e08a3be05c2bc5d  0001-clone-nameclash.patch"
+aa4cbc341906a949a6bf78cadd96c437d6bcc90369941fe03519aa4447731ecbf6063a0dd0366d3e7aaadf22b69e4bcab3f8632a7da7a01f8e08a3be05c2bc5d  0001-clone-nameclash.patch
+a6dde91b11e277b9df717ea61cea9772ec9a0bcb23c530803869a641b3827f3fc889a37c33c47c9df90bd584810225daf518d7f19cc2b9a72d038ec03b2adfab  CVE-2014-0978.patch
+1bb4f6dd214a48251fcdd05d71ea2bb5f1086837eaca35efcd638669d04e7a6c0de0d519db65145deee5ed9faa099b28a4417b7a3cc92502ae333151c3fcc251  CVE-2014-1235.patch
+8f3e5a2f97ac4255fdb830c9351225967d5f946b40ef8dd061554aaeea0bb39a5d9498baa2d36539cb06906e04cdbe1db2a1ceee093efe718ebde87d6de0fbd0  CVE-2014-1236.patch"
diff --git a/main/graphviz/CVE-2014-0978.patch b/main/graphviz/CVE-2014-0978.patch
new file mode 100644
index 0000000000..f8bb983738
--- /dev/null
+++ b/main/graphviz/CVE-2014-0978.patch
@@ -0,0 +1,53 @@
+From 7aaddf52cd98589fb0c3ab72a393f8411838438a Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <erg@alum.mit.edu>
+Date: Fri, 4 Oct 2013 09:06:39 -0400
+Subject: [PATCH] Fix buffer overflow problem when reporting a syntax error
+ with a very long input line
+
+---
+ lib/cgraph/scan.l | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 3cfde0f..2efd203 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -16,6 +16,7 @@
+ %{
+ #include <grammar.h>
+ #include <cghdr.h>
++#include <agxbuf.h>
+ #include <ctype.h>
+ #define GRAPH_EOF_TOKEN		'@'		/* lex class must be defined below */
+ 	/* this is a workaround for linux flex */
+@@ -191,13 +192,21 @@ ID		({NAME}|{NUMBER})
+ %%
+ void yyerror(char *str)
+ {
++	unsigned char	xbuf[BUFSIZ];
+ 	char	buf[BUFSIZ];
+-	if (InputFile)
+-		sprintf(buf,"%s:%d: %s in line %d near '%s'\n",InputFile, line_num,
+-			str,line_num,yytext);
+-	else
+-		sprintf(buf," %s in line %d near '%s'\n", str,line_num,yytext);
+-	agerr(AGWARN,buf);
++	agxbuf  xb;
++
++	agxbinit(&xb, BUFSIZ, xbuf);
++	if (InputFile) {
++		agxbput (&xb, InputFile);
++		agxbput (&xb, ": ");
++	}
++	sprintf(buf," %s in line %d near '", str,line_num);
++	agxbput (&xb, buf);
++	agxbput (&xb, yytext);
++	agxbput (&xb,"'\n");
++	agerr(AGWARN,agxbuse(&xb));
++	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
+ void aglexeof() { unput(GRAPH_EOF_TOKEN); }
+-- 
+1.8.5.1
+
diff --git a/main/graphviz/CVE-2014-1235.patch b/main/graphviz/CVE-2014-1235.patch
new file mode 100644
index 0000000000..4f1faf4df4
--- /dev/null
+++ b/main/graphviz/CVE-2014-1235.patch
@@ -0,0 +1,26 @@
+From d266bb2b4154d11c27252b56d86963aef4434750 Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <erg@alum.mit.edu>
+Date: Tue, 7 Jan 2014 10:45:36 -0500
+Subject: [PATCH] Prevent possible buffer overflow in yyerror()
+
+---
+ lib/cgraph/scan.l | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 3efe1d5..212967c 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -201,7 +201,8 @@ void yyerror(char *str)
+ 		agxbput (&xb, InputFile);
+ 		agxbput (&xb, ": ");
+ 	}
+-	sprintf(buf," %s in line %d near '", str,line_num);
++	agxbput (&xb, str);
++	sprintf(buf," in line %d near '", line_num);
+ 	agxbput (&xb, buf);
+ 	agxbput (&xb, yytext);
+ 	agxbput (&xb,"'\n");
+-- 
+1.8.5.1
+
diff --git a/main/graphviz/CVE-2014-1236.patch b/main/graphviz/CVE-2014-1236.patch
new file mode 100644
index 0000000000..ad58569a9b
--- /dev/null
+++ b/main/graphviz/CVE-2014-1236.patch
@@ -0,0 +1,58 @@
+From 1d1bdec6318746f6f19f245db589eddc887ae8ff Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <erg@alum.mit.edu>
+Date: Wed, 8 Jan 2014 11:31:04 -0500
+Subject: [PATCH] Fix possible buffer overflow problem in chkNum of scanner.
+
+---
+ lib/cgraph/scan.l | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 212967c..d065b61 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -129,15 +129,32 @@ static void ppDirective (void)
+  * and report this to the user.
+  */
+ static int chkNum(void) {
+-  unsigned char	c = (unsigned char)yytext[yyleng-1];   /* last character */
+-  if (!isdigit(c) && (c != '.')) {  /* c is letter */
+-	char	buf[BUFSIZ];
+-	sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
+-    strcat (buf, "splits into two name tokens\n");
+-	agerr(AGWARN,buf);
+-    return 1;
+-  }
+-  else return 0;
++    unsigned char c = (unsigned char)yytext[yyleng-1];   /* last character */
++    if (!isdigit(c) && (c != '.')) {  /* c is letter */
++	unsigned char xbuf[BUFSIZ];
++	char buf[BUFSIZ];
++	agxbuf  xb;
++	char* fname;
++
++	if (InputFile)
++	    fname = InputFile;
++	else
++	    fname = "input";
++
++	agxbinit(&xb, BUFSIZ, xbuf);
++
++	agxbput(&xb,"syntax ambiguity - badly delimited number '");
++	agxbput(&xb,yytext);
++	sprintf(buf,"' in line %d of ", line_num);
++	agxbput(&xb,buf);
++	agxbput(&xb,fname);
++	agxbput(&xb, " splits into two tokens\n");
++	agerr(AGWARN,agxbuse(&xb));
++
++	agxbfree(&xb);
++	return 1;
++    }
++    else return 0;
+ }
+ 
+ /* The LETTER class below consists of ascii letters, underscore, all non-ascii
+-- 
+1.8.5.1
+