Graphviz
Verified on Graphviz 2.20.2
Install version 2.20.3 or later.
A vulnerability exists in Graphviz’s parsing engine which makes it possible to overflow a globally allocated array and corrupt memory by doing so.
parser.y (Graphviz 2.20.2):
static Agraph_t *Gstack[32];   /* fixed-size stack of enclosing (sub)graphs */
static int GSP;                /* stack pointer: index of the next free slot */

/* Called when the parser opens a subgraph; the new graph becomes current (G). */
static void push_subg(Agraph_t *g)
{
    G = Gstack[GSP++] = g;     /* no check that GSP < 32 before the store */
}
As can be seen, push_subg performs no bounds check, so Gstack can be overflowed by pushing more than 32 (Agraph_t *) elements onto it: the 33rd push writes Gstack[32], one past the end of the array, into whatever global data follows it.
A malicious user can achieve arbitrary code execution by creating a specially crafted DOT file and convincing the victim to render it using Graphviz.
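The following is an added example, not code from Graphviz, showing a bounded version of push_subg beside a simple pre-render check that measures how deeply braces nest in an untrusted DOT document. Agraph_t is a stand-in type, and the check assumes (conservatively) that every "{" corresponds to one push.

```c
/* Stand-in for Graphviz's Agraph_t (hypothetical; only identity matters here). */
typedef struct { const char *name; } Agraph_t;

#define GSTACK_MAX 32                 /* same capacity as Gstack[32] in parser.y */

static Agraph_t *Gstack[GSTACK_MAX];
static int GSP;                       /* entries in use; next free slot */
static Agraph_t *G;                   /* innermost graph being parsed */

/* Bounded push_subg: refuses the push instead of writing past Gstack.
 * Returns 0 on success, -1 when the stack is already full. */
static int push_subg_checked(Agraph_t *g)
{
    if (GSP >= GSTACK_MAX)            /* GSP == 32 would write Gstack[32] */
        return -1;
    G = Gstack[GSP++] = g;
    return 0;
}

/* Simulate n nested subgraph openings; returns how many were accepted. */
static int simulate_pushes(int n)
{
    static Agraph_t dummy = { "sub" };
    int ok = 0;
    GSP = 0;
    for (int i = 0; i < n; i++)
        if (push_subg_checked(&dummy) == 0)
            ok++;
    GSP = 0;                          /* reset so repeated calls are independent */
    return ok;
}

/* Maximum '{' nesting depth of a DOT document, skipping braces inside
 * double-quoted strings (comments are not handled in this simplified scan).
 * Assumption: each '{' is one push, so depth > GSTACK_MAX means overflow. */
static int dot_max_depth(const char *dot)
{
    int depth = 0, max = 0, in_str = 0;
    for (; *dot; dot++) {
        if (in_str) {
            if (*dot == '\\' && dot[1]) dot++;      /* skip escaped character */
            else if (*dot == '"') in_str = 0;
        } else if (*dot == '"') in_str = 1;
        else if (*dot == '{' && ++depth > max) max = depth;
        else if (*dot == '}' && depth > 0) depth--;
    }
    return max;
}

/* 1 if the document stays within the unpatched parser's stack capacity. */
static int dot_safe_to_render(const char *dot) { return dot_max_depth(dot) <= GSTACK_MAX; }
```

A DOT file can only be rejected by such a scan before it reaches the vulnerable parser; upgrading to 2.20.3 or later remains the actual fix.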