Arch Linux Security Advisory ASA-201412-4 ========================================= Severity: Medium Date : 2014-12-03 CVE-ID : CVE-2014-9157 Package : graphviz Type : format string vulnerability Remote : No Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package graphviz before version 2.38.0-3 is vulnerable to a format string vulnerability. Resolution ========== Upgrade to 2.38.0-3. # pacman -Syu "graphviz>=2.38.0-3" The problem has been fixed upstream, but there has been no release including the fix yet. Workaround ========== None. Description =========== A format string vulnerability has been found in the error reporting part of the parser used by graphviz. Impact ====== An attacker might be able to execute arbitrary code by supplying a specially crafted file to graphviz. References ========== https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9157 http://seclists.org/oss-sec/2014/q4/872 https://bugs.archlinux.org/task/42983 https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41...