Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87d2k2s8k1.fsf@windlord.stanford.edu>
Date: Wed, 08 Jan 2014 09:11:10 -0800
From: Russ Allbery <eagle@...ie.org>
To: oss-security@...ts.openwall.com
Cc: ratulg@...hat.com,  erg@...m.mit.edu
Subject: Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()

Sebastian Krahmer <krahmer@...e.de> writes:

> Funny enough that tools like graphviz qualify for CVE assignments :)

> Do not get me wrong, I really like graphviz, its a great tool and I use
> it myself; but probably like 2 scientists or 1 anti-terror fed plotting
> his graphs in the whole world would be targeted attacked using dot files
> sent via mail I guess.

I wouldn't be so certain.  :)  I've gotten dot files in email a fair bit
while working on free software projects since it's a really useful way of
expressing dependency trees and similar structures.  So the possibility of
a targetted exploit is there, particularly given that mailing list traffic
is generally completely unauthenticated.  It's not hard for someone to
pretend to be another participant and mail a doctored dot file to a
development team.  The deception would probably be discovered reasonably
quickly, but possibly not before damage was done.

-- 
Russ Allbery (eagle@...ie.org)              <http://www.eyrie.org/~eagle/>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.