Bugzilla – Bug 1093447
VUL-1: CVE-2018-10196: graphviz: NULL dereference in rebuild_vlis
Last modified: 2024-05-08 13:19:05 UTC
Created attachment 770377
Proposed patch

CVE-2018-10196

Details in https://issuetracker.google.com/issues/77810342

We also still have the aborts() in our code; we should remove them too.

SLE 11/12 affected.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10196
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10196.html
Fix is approved, but it is not yet pushed mainline. I'll wait until it shows up in the git repository.
There is still ongoing upstream discussion about a possible fix. https://gitlab.com/graphviz/graphviz/merge_requests/1303 Waiting for upstream confirmation about the situation.
This is an autogenerated message for OBS integration: This bug (1093447) was mentioned in https://build.opensuse.org/request/show/817045 15.1 / graphviz
Upstream did a manual merge of the fix quite some time ago, which is now back-ported to SLE-11 and later.
SUSE-SU-2020:2346-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 1093447
CVE References: CVE-2018-10196
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): graphviz-addons-2.40.1-6.6.8
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): graphviz-addons-2.40.1-6.6.8
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): graphviz-2.40.1-6.6.4
SUSE Linux Enterprise High Availability 15-SP1 (src): graphviz-addons-2.40.1-6.6.8
SUSE Linux Enterprise High Availability 15 (src): graphviz-addons-2.40.1-6.6.8
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1294-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 1093447
CVE References: CVE-2018-10196
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): graphviz-2.40.1-lp151.6.6.1, graphviz-addons-2.40.1-lp151.6.6.1
openSUSE-SU-2020:1303-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 1093447
CVE References: CVE-2018-10196
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): graphviz-2.40.1-lp152.7.7.1, graphviz-addons-2.40.1-lp152.7.7.1
SUSE-SU-2020:3090-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 1093447
CVE References: CVE-2018-10196
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): graphviz-2.28.0-29.3.8
SUSE Linux Enterprise Server 12-SP5 (src): graphviz-2.28.0-29.3.8, graphviz-plugins-2.28.0-29.3.17
SUSE Linux Enterprise High Availability 12-SP5 (src): graphviz-plugins-2.28.0-29.3.17
SUSE Linux Enterprise High Availability 12-SP4 (src): graphviz-plugins-2.28.0-29.3.17
SUSE Linux Enterprise High Availability 12-SP3 (src): graphviz-plugins-2.28.0-29.3.17
SUSE-SU-2020:14524-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 1093447
CVE References: CVE-2018-10196
JIRA References:
Sources used:
SUSE Linux Enterprise High Availability Extension 11-SP4 (src): graphviz-plugins-2.20.2-8.3.6