CVE-2019-9904
Publication date 21 March 2019
Last updated 11 July 2025
Ubuntu priority
Description
An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| graphviz | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal | Ignored end of standard support, was needs-triage | |
| 18.04 LTS bionic | Ignored end of standard support, was needs-triage | |
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| 14.04 LTS trusty | Ignored end of standard support |
Notes
iconstantin
No clear fix identified by upstream as of 2022-01-27
ccdm94
according to upstream in a comment in issue 1512, the PoC does not reproduce in Linux starting with version 2.46.0. A new reproducer was requested, but no answer has been provided to this request, and the issue was closed without an explicit patch being provided.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |