CVE-2014-9157 - Use of Externally-Controlled Format String vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, debian, graphviz, CWE-134, nessus

Summary

Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string.

Vulnerable Configurations

Part         Description   Count
OS           Debian        2
Application  Graphviz      1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field of the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s prints the contents of a memory location, expecting that location to hold a string, and the formatting character %n writes the number of characters output so far into memory. An attacker can use this to read from or write to memory locations or files, or simply to manipulate the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input into the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
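
The summary and the CAPEC entry above both describe the same defect class: error text that contains input from the file being parsed ends up in the format-string position of a printf-style call. The example below is added here and is not Graphviz code or Tenable code; it is a constructed, hardened error reporter in the style of a flex scanner's yyerror, with a hypothetical printf-like sink (report) standing in for the logging API, plus a small review aid that counts the conversion specifiers an error message would introduce if it were misused as a format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Lets gcc/clang -Wformat-security flag a non-literal format argument. */
#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Constructed stand-in for a parser's error sink (hypothetical; plays the
 * role of the printf-style logging API that a yyerror callback writes to).
 * Its first variadic argument is a format string, which is what makes
 * passing input-derived text in that position dangerous. */
static int report(char *out, size_t outsz, const char *fmt, ...) PRINTF_LIKE(3, 4);

static int report(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened error reporter in the style of a flex-generated scanner's yyerror.
 * 'yytext' is the untrusted token from the input being parsed. It is only ever
 * interpolated through constant format strings, so any '%' sequences it
 * contains are copied literally instead of being interpreted. */
int yyerror_safe(char *out, size_t outsz, int line, const char *str, const char *yytext)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s in line %d near '%s'", str, line, yytext);
    /* The CWE-134 pattern would be report(out, outsz, buf): buf now carries
     * input-derived text and would be parsed for conversion specifiers.
     * Supplying buf as the argument of a fixed "%s" closes that hole. */
    return report(out, outsz, "%s\n", buf);
}

/* Review/fuzzing aid: counts the '%' characters in an error message that a
 * printf-family function would treat as conversion specifiers ("%%" is a
 * literal percent and is not counted). A non-zero result means the message
 * must never be passed in a format-string position. */
int count_format_specifiers(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    char out[512];
    /* Constructed token containing specifiers, as a malformed DOT input might. */
    const char *token = "%n%n%s";
    yyerror_safe(out, sizeof out, 3, "syntax error", token);
    fputs(out, stdout);  /* prints: syntax error in line 3 near '%n%n%s' */
    printf("specifiers in token: %d\n", count_format_specifiers(token));
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat=2) makes the compiler reject the unsafe report(out, outsz, buf) form at build time, which is the cheapest regression check for this bug class.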

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-105.NASL
    description: Joshua Rogers discovered a format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz, a rich set of graph drawing tools. An attacker could use this flaw to cause graphviz to crash or possibly execute arbitrary code. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2015-03-26
    plugin id: 82089
    published: 2015-03-26
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82089
    title: Debian DLA-105-1 : graphviz security update
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-105-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82089);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2014-9157");
      script_bugtraq_id(71283);
    
      script_name(english:"Debian DLA-105-1 : graphviz security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Joshua Rogers discovered a format string vulnerability in the yyerror
    function in lib/cgraph/scan.l in Graphviz, a rich set of graph drawing
    tools. An attacker could use this flaw to cause graphviz to crash or
    possibly execute arbitrary code.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2014/12/msg00008.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze-lts/graphviz"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:graphviz");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:graphviz-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:graphviz-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcdt4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libcgraph5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgraph4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgraphviz-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgv-guile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgv-lua");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgv-ocaml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgv-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgv-php5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgv-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgv-ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgv-tcl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgvc5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgvc5-plugins-gtk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libgvpr1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpathplan4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxdot4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/12/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"6.0", prefix:"graphviz", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"graphviz-dev", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"graphviz-doc", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libcdt4", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libcgraph5", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgraph4", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgraphviz-dev", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgv-guile", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgv-lua", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgv-ocaml", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgv-perl", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgv-php5", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgv-python", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgv-ruby", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgv-tcl", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgvc5", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgvc5-plugins-gtk", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libgvpr1", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libpathplan4", reference:"2.26.3-5+squeeze3")) flag++;
    if (deb_check(release:"6.0", prefix:"libxdot4", reference:"2.26.3-5+squeeze3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2015-488.NASL
    description: Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81676
    published: 2015-03-09
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/81676
    title: Amazon Linux AMI : graphviz-php (ALAS-2015-488)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2015-488.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81676);
      script_version("1.2");
      script_cvs_date("Date: 2018/04/18 15:09:35");
    
      script_cve_id("CVE-2014-9157");
      script_xref(name:"ALAS", value:"2015-488");
    
      script_name(english:"Amazon Linux AMI : graphviz-php (ALAS-2015-488)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Format string vulnerability in the yyerror function in
    lib/cgraph/scan.l in Graphviz allows remote attackers to have
    unspecified impact via format string specifiers in unknown vector,
    which are not properly handled in an error string."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2015-488.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update graphviz-php' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:graphviz-php");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"graphviz-php-2.38.0-18.40.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "graphviz-php");
    }
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2592.NASL
    description: According to the version of the graphviz packages installed, the EulerOS installation on the remote host is affected by the following vulnerability: Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string. (CVE-2014-9157) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-12-18
    plugin id: 132127
    published: 2019-12-18
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132127
    title: EulerOS 2.0 SP3 : graphviz (EulerOS-SA-2019-2592)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2435-1.NASL
    description: It was discovered that graphviz incorrectly handled parsing errors. An attacker could use this issue to cause graphviz to crash or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79825
    published: 2014-12-09
    reporter: Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79825
    title: Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : graphviz vulnerability (USN-2435-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2355.NASL
    description: According to the version of the graphviz packages installed, the EulerOS installation on the remote host is affected by the following vulnerability: Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string. (CVE-2014-9157) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-12-10
    plugin id: 131847
    published: 2019-12-10
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131847
    title: EulerOS 2.0 SP2 : graphviz (EulerOS-SA-2019-2355)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-15812.NASL
    description: This is an update fixing a format string vulnerability in cgraph. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-12-06
    plugin id: 79750
    published: 2014-12-06
    reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79750
    title: Fedora 20 : graphviz-2.34.0-10.fc20 (2014-15812)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2014-248.NASL
    description: Updated graphviz packages fix a security vulnerability: Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string (CVE-2014-9157).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79993
    published: 2014-12-15
    reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79993
    title: Mandriva Linux Security Advisory : graphviz (MDVSA-2014:248)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-15811.NASL
    description: This is an update fixing a format string vulnerability in cgraph. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-12-07
    plugin id: 79784
    published: 2014-12-07
    reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79784
    title: Fedora 19 : graphviz-2.30.1-13.fc19 (2014-15811)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2015-487.NASL
    description: Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81675
    published: 2015-03-09
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/81675
    title: Amazon Linux AMI : graphviz (ALAS-2015-487)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2015-187.NASL
    description: Updated graphviz packages fix a security vulnerability: Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string (CVE-2014-9157). Additionally, the gtkglarea2 and gtkglext packages were missing and were required for graphviz to build; these packages are also being provided with this advisory.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82558
    published: 2015-04-03
    reporter: This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82558
    title: Mandriva Linux Security Advisory : graphviz (MDVSA-2015:187)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3098.NASL
    description: Joshua Rogers discovered a format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz, a rich set of graph drawing tools. An attacker could use this flaw to cause graphviz to crash or possibly execute arbitrary code.
    last seen: 2020-03-17
    modified: 2014-12-15
    plugin id: 79885
    published: 2014-12-15
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79885
    title: Debian DSA-3098-1 : graphviz - security update
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-1341.NASL
    description: This update for graphviz fixes the following issues. Security issue fixed: CVE-2014-9157: Fix format string vulnerability (boo#908426).
    last seen: 2020-06-05
    modified: 2017-12-14
    plugin id: 105231
    published: 2017-12-14
    reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/105231
    title: openSUSE Security Update : graphviz (openSUSE-2017-1341)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-15760.NASL
    description: This is an update fixing a format string vulnerability in cgraph. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-12-07
    plugin id: 79782
    published: 2014-12-07
    reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79782
    title: Fedora 21 : graphviz-2.38.0-11.fc21 (2014-15760)