{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-07T00:00:00", "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "MDVSA-2014:024", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:024"}, {"name": "64674", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/64674"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049165"}, {"name": "GLSA-201702-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201702-06"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a"}, {"name": "graphviz-yyerror-bo(90085)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90085"}, {"name": "[oss-security] 20140107 CVE Request: graphviz: stack-based buffer overflow in yyerror()", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q1/28"}, {"name": "DSA-2843", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2843"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=497274"}, {"name": "[oss-security] 20140107 Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q1/38"}, {"name": "55666", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/55666"}, {"name": "56244", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/56244"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-0978", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "MDVSA-2014:024", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:024"}, {"name": "64674", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64674"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1049165", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049165"}, {"name": "GLSA-201702-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201702-06"}, {"name": "https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a", "refsource": "CONFIRM", "url": "https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a"}, {"name": "graphviz-yyerror-bo(90085)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90085"}, {"name": "[oss-security] 20140107 CVE Request: graphviz: stack-based buffer overflow in yyerror()", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/28"}, {"name": "DSA-2843", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2843"}, {"name": "https://bugs.gentoo.org/show_bug.cgi?id=497274", "refsource": "MISC", "url": "https://bugs.gentoo.org/show_bug.cgi?id=497274"}, {"name": "[oss-security] 20140107 Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/38"}, {"name": "55666", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55666"}, {"name": "56244", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56244"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:34:40.951Z"}, "title": "CVE Program Container", "references": [{"name": "MDVSA-2014:024", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:024"}, {"name": "64674", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/64674"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049165"}, {"name": "GLSA-201702-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201702-06"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a"}, {"name": "graphviz-yyerror-bo(90085)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90085"}, {"name": "[oss-security] 20140107 CVE Request: graphviz: stack-based buffer overflow in yyerror()", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q1/28"}, {"name": "DSA-2843", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-2843"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=497274"}, {"name": "[oss-security] 20140107 Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q1/38"}, {"name": "55666", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/55666"}, {"name": "56244", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/56244"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-0978", "datePublished": "2014-01-10T17:00:00", "dateReserved": "2014-01-07T00:00:00", "dateUpdated": "2024-08-06T09:34:40.951Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:graphviz:graphviz:2.34.0:*:*:*:*:*:*:*", "matchCriteriaId": "EC614024-7FE5-4798-997B-84ACA06CD48B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file."}, {"lang": "es", "value": "Desbordamientos de pila en la funci\u00f3n yyerror de lib/cgraph/scan.l en Graphviz 2.34.0 permite a atacantes remotos tener un impacto no especificado a trav\u00e9s de una l\u00ednea larga en un archivo dot."}], "id": "CVE-2014-0978", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-01-10T17:55:03.237", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/oss-sec/2014/q1/28"}, {"source": "cve@mitre.org", "url": "http://seclists.org/oss-sec/2014/q1/38"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/55666"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/56244"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2014/dsa-2843"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:024"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/64674"}, {"source": "cve@mitre.org", "url": "https://bugs.gentoo.org/show_bug.cgi?id=497274"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049165"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90085"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201702-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2014/q1/28"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2014/q1/38"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/55666"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/56244"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2843"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:024"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/64674"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.gentoo.org/show_bug.cgi?id=497274"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049165"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90085"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201702-06"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "graphviz: stack-based buffer overflow in yyerror()", "id": "1049165", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1049165"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "draft"}, "cwe": "CWE-121", "details": ["Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file."], "name": "CVE-2014-0978", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "graphviz", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "graphviz", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2014-01-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-0978\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0978"], "statement": "This issue affects the versions of the graphviz package as shipped with Red Hat Enterprise Linux 6. Red Hat Product Security has rated this issue as having Low security impact and therefore it is not planned to be addressed in future updates.\nThis issue did not affect the versions of the graphviz package as shipped with Red Hat Enterprise Linux 7.", "threat_severity": "Low"}