CVE-2014-9157

Graphviz - Format String

Title source: llm

Description

Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string.

References (10)

[Broken Link] http://www.mandriva.com/security/advisories?name=MDVSA-2014:248

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/98949

[Broken Link] http://www.mandriva.com/security/advisories?name=MDVSA-2015:187

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/oss-sec/2014/q4/872

[Third Party Advisory] http://advisories.mageia.org/MGASA-2014-0520.html

[Broken Link, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/71283

[Exploit, Third Party Advisory] https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081

[Third Party Advisory] http://www.debian.org/security/2014/dsa-3098

[Broken Link] http://secunia.com/advisories/60166

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/oss-sec/2014/q4/784

Scores

EPSS 0.0190

EPSS Percentile 83.3%

Details

CWE

CWE-134

Status published

Products (3)

debian/debian_linux 7.0

debian/debian_linux 8.0

graphviz/graphviz < 2.42.4

Published Dec 03, 2014

Tracked Since Feb 18, 2026