CVE-2020-18032

NameCVE-2020-18032
DescriptionBuffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2659-1, DSA-4914-1
Debian Bugs988000

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
graphviz (PTS)buster, buster (security)2.40.1-6+deb10u1fixed
bullseye2.42.2-5fixed
bookworm2.42.2-7fixed
trixie2.42.2-8fixed
sid2.42.2-9fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
graphvizsourcestretch2.38.0-17+deb9u1DLA-2659-1
graphvizsourcebuster2.40.1-6+deb10u1DSA-4914-1
graphvizsource(unstable)2.42.2-5988000

Notes

https://gitlab.com/graphviz/graphviz/-/issues/1700
https://gitlab.com/graphviz/graphviz/-/commit/784411ca3655c80da0f6025ab20634b2a6ff696b
Search for package or bug name: Reporting problems