USN-5264-1: Graphviz vulnerabilities
3 February 2022
Several security issues were fixed in graphviz.
Releases
Packages
- graphviz - rich set of graph drawing tools
Details
It was discovered that graphviz contains null pointer dereference
vulnerabilities. Exploitation via a specially crafted input file
can cause a denial of service.
(CVE-2018-10196, CVE-2019-11023)
It was discovered that graphviz contains a buffer overflow
vulnerability. Exploitation via a specially crafted input file can cause
a denial of service or possibly allow for arbitrary code execution.
(CVE-2020-18032)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04
-
graphviz
-
2.38.0-12ubuntu2.1+esm1
Available with Ubuntu Pro
-
libcdt5
-
2.38.0-12ubuntu2.1+esm1
Available with Ubuntu Pro
-
libcgraph6
-
2.38.0-12ubuntu2.1+esm1
Available with Ubuntu Pro
-
libgvc6
-
2.38.0-12ubuntu2.1+esm1
Available with Ubuntu Pro
-
libgvc6-plugins-gtk
-
2.38.0-12ubuntu2.1+esm1
Available with Ubuntu Pro
-
libgvpr2
-
2.38.0-12ubuntu2.1+esm1
Available with Ubuntu Pro
-
libpathplan4
-
2.38.0-12ubuntu2.1+esm1
Available with Ubuntu Pro
-
libxdot4
-
2.38.0-12ubuntu2.1+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-5971-1: libgv-lua, libgv-python, libgraphviz-dev, libgvpr2, python-gv, libgv-tcl, python3-gv, libgv-php7, graphviz-doc, libpathplan4, libgv-perl, libcgraph6, libgv-guile, libgvc6-plugins-gtk, libcdt5, graphviz, graphviz-dev, libgv-ruby, libxdot4, libgv-php5, liblab-gamut1, libgvc6