Scientific Linux Security Update : graphviz on SL5.x i386/x86_64

high Nessus Plugin ID 60694

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

Stack-based buffer overflow in the push_subg function in parser.y (lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions, allows user-assisted remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a DOT file with a large number of Agraph_t elements. (CVE-2008-4555)

Note: graphviz-ocaml is no longer supported in the SL version of graphiviz. This is because ocaml was never included. If you do have graphviz-ocaml installed, you will have to remove it before doing this update.

Note: This update is already in SL 5.4

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?9d072e9f

Plugin Details

Severity: High

ID: 60694

File Name: sl_20091111_graphviz_on_SL5_x.nasl

Version: 1.5

Type: local

Agent: unix

Published: 8/1/2012

Updated: 1/14/2021

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 8.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C

Vulnerability Information

CPE: x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Reference Information

CVE: CVE-2008-4555

CWE: 119