CVE-2019-9904
Publication date 21 March 2019
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.
Status
Package | Ubuntu Release | Status |
---|---|---|
graphviz | 24.10 oracular | Needs evaluation |
graphviz | 24.04 LTS noble | Needs evaluation |
graphviz | 22.04 LTS jammy | Needs evaluation |
graphviz | 20.04 LTS focal | Needs evaluation |
graphviz | 18.04 LTS bionic | Needs evaluation |
graphviz | 16.04 LTS xenial | Vulnerable, fix deferred |
graphviz | 14.04 LTS trusty | Needs evaluation |
Notes
iconstantin
No clear fix identified by upstream as of 2022-01-27
ccdm94
According to upstream in a comment in issue 1512, the PoC does not reproduce in Linux starting with version 2.46.0. A new reproducer was requested, but no answer has been provided to this request, and the issue was closed without an explicit patch being provided.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |