USN-5264-1: Graphviz vulnerabilities
3 February 2022
Several security issues were fixed in graphviz.
Releases
Packages
- graphviz - rich set of graph drawing tools
Details
It was discovered that graphviz contains null pointer dereference
vulnerabilities. Exploitation via a specially crafted input file
can cause a denial of service.
(CVE-2018-10196, CVE-2019-11023)
It was discovered that graphviz contains a buffer overflow
vulnerability. Exploitation via a specially crafted input file can cause
a denial of service or possibly allow for arbitrary code execution.
(CVE-2020-18032)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04
- graphviz - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libcdt5 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libcgraph6 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libgvc6 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libgvc6-plugins-gtk - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libgvpr2 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libpathplan4 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
- libxdot4 - 2.38.0-12ubuntu2.1+esm1 (Available with Ubuntu Pro)
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-5971-1: liblab-gamut1, libgv-guile, graphviz-doc, libcdt5, python3-gv, libgvpr2, libcgraph6, libgvc6-plugins-gtk, libgv-php7, libgv-python, libgv-perl, python-gv, graphviz-dev, libgv-tcl, libgraphviz-dev, libgv-lua, libgv-php5, libgvc6, graphviz, libpathplan4, libxdot4, libgv-ruby