From d3d78236a7e9ae0fc731e1a9a0faf0d7d946a1d8 Mon Sep 17 00:00:00 2001
From: CentOS Buildsys <bugs@centos.org>
Date: Jan 25 2014 00:59:10 +0000
Subject: import graphviz-2.30.1-18.el7.src.rpm


---

diff --git a/SOURCES/graphviz-2.30.1-CVE-2014-0978-CVE-2014-1235.patch b/SOURCES/graphviz-2.30.1-CVE-2014-0978-CVE-2014-1235.patch
new file mode 100644
index 0000000..67b051d
--- /dev/null
+++ b/SOURCES/graphviz-2.30.1-CVE-2014-0978-CVE-2014-1235.patch
@@ -0,0 +1,41 @@
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index e2215d1..f41049d 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -16,6 +16,7 @@
+ %{
+ #include <grammar.h>
+ #include <cghdr.h>
++#include <agxbuf.h>
+ #include <ctype.h>
+ #define GRAPH_EOF_TOKEN		'@'		/* lex class must be defined below */
+ 	/* this is a workaround for linux flex */
+@@ -192,13 +193,22 @@ ID		({NAME}|{NUMBER})
+ %%
+ void yyerror(char *str)
+ {
++	unsigned char	xbuf[BUFSIZ];
+ 	char	buf[BUFSIZ];
+-	if (InputFile)
+-		sprintf(buf,"%s:%d: %s in line %d near '%s'\n",InputFile, line_num,
+-			str,line_num,yytext);
+-	else
+-		sprintf(buf," %s in line %d near '%s'\n", str,line_num,yytext);
+-	agerr(AGWARN,buf);
++	agxbuf  xb;
++
++	agxbinit(&xb, BUFSIZ, xbuf);
++	if (InputFile) {
++		agxbput (&xb, InputFile);
++		agxbput (&xb, ": ");
++	}
++	agxbput (&xb, str);
++	sprintf(buf," in line %d near '", line_num);
++	agxbput (&xb, buf);
++	agxbput (&xb, yytext);
++	agxbput (&xb,"'\n");
++	agerr(AGWARN,agxbuse(&xb));
++	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
+ void aglexeof() { unput(GRAPH_EOF_TOKEN); }
diff --git a/SOURCES/graphviz-2.30.1-CVE-2014-1236.patch b/SOURCES/graphviz-2.30.1-CVE-2014-1236.patch
new file mode 100644
index 0000000..ad58569
--- /dev/null
+++ b/SOURCES/graphviz-2.30.1-CVE-2014-1236.patch
@@ -0,0 +1,58 @@
+From 1d1bdec6318746f6f19f245db589eddc887ae8ff Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <erg@alum.mit.edu>
+Date: Wed, 8 Jan 2014 11:31:04 -0500
+Subject: [PATCH] Fix possible buffer overflow problem in chkNum of scanner.
+
+---
+ lib/cgraph/scan.l | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 212967c..d065b61 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -129,15 +129,32 @@ static void ppDirective (void)
+  * and report this to the user.
+  */
+ static int chkNum(void) {
+-  unsigned char	c = (unsigned char)yytext[yyleng-1];   /* last character */
+-  if (!isdigit(c) && (c != '.')) {  /* c is letter */
+-	char	buf[BUFSIZ];
+-	sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
+-    strcat (buf, "splits into two name tokens\n");
+-	agerr(AGWARN,buf);
+-    return 1;
+-  }
+-  else return 0;
++    unsigned char c = (unsigned char)yytext[yyleng-1];   /* last character */
++    if (!isdigit(c) && (c != '.')) {  /* c is letter */
++	unsigned char xbuf[BUFSIZ];
++	char buf[BUFSIZ];
++	agxbuf  xb;
++	char* fname;
++
++	if (InputFile)
++	    fname = InputFile;
++	else
++	    fname = "input";
++
++	agxbinit(&xb, BUFSIZ, xbuf);
++
++	agxbput(&xb,"syntax ambiguity - badly delimited number '");
++	agxbput(&xb,yytext);
++	sprintf(buf,"' in line %d of ", line_num);
++	agxbput(&xb,buf);
++	agxbput(&xb,fname);
++	agxbput(&xb, " splits into two tokens\n");
++	agerr(AGWARN,agxbuse(&xb));
++
++	agxbfree(&xb);
++	return 1;
++    }
++    else return 0;
+ }
+ 
+ /* The LETTER class below consists of ascii letters, underscore, all non-ascii
+-- 
+1.8.5.1
+
diff --git a/SPECS/graphviz.spec b/SPECS/graphviz.spec
index 60ad8ed..e30d9f6 100644
--- a/SPECS/graphviz.spec
+++ b/SPECS/graphviz.spec
@@ -48,7 +48,7 @@
 Name:			graphviz
 Summary:		Graph Visualization Tools
 Version:		2.30.1
-Release:		14%{?dist}
+Release:		18%{?dist}
 Group:			Applications/Multimedia
 License:		EPL
 URL:			http://www.graphviz.org/
@@ -76,6 +76,10 @@ Patch11:		graphviz-2.30.1-man-fix.patch
 Patch12:		graphviz-2.32.0-aarch64.patch
 # Upstream bug 0002387
 Patch13:		graphviz-2.34.0-lefty-getaddrinfo.patch
+# Fix yyerror overflow (CVE-2014-0978, CVE-2014-1235)
+Patch14:		graphviz-2.30.1-CVE-2014-0978-CVE-2014-1235.patch
+# Fix chknum overflow (CVE-2014-1236)
+Patch15:		graphviz-2.30.1-CVE-2014-1236.patch
 BuildRoot:		%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:		zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
 BuildRequires:		ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
@@ -285,6 +289,8 @@ Various tcl packages (extensions) for the graphviz tools.
 %patch11 -p1 -b .man-fix
 %patch12 -p1 -b .aarch64
 %patch13 -p1 -b .lefty-getaddrinfo
+%patch14 -p1 -b .CVE-2014-0978-CVE-2014-1235
+%patch15 -p1 -b .CVE-2014-1236
 
 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@@ -573,6 +579,22 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.30.1-18
+- Mass rebuild 2014-01-24
+
+* Fri Jan 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.30.1-17
+- Prevent possible buffer overflow in yyerror()
+  Resolves: CVE-2014-1235
+- Fix possible buffer overflow problem in chkNum of scanner
+  Resolves: CVE-2014-1236
+
+* Tue Jan  7 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.30.1-16
+- Fixed overflow in yyerror
+  Resolves: CVE-2014-0978
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.30.1-15
+- Mass rebuild 2013-12-27
+
 * Thu Oct 31 2013 Jaroslav Škarvada <jskarvad@redhat.com> - 2.30.1-14
 - Removed metadata from generated PDFs
   Related: rhbz#881173