graphviz: fix CVE-2023-46045

Graphviz 2.36 before 10.0.0 has an out-of-bounds read via a
crafted config6a file. NOTE: exploitability may be uncommon
because this file is typically owned by root.

CVE-2023-46045-0003.patch is the CVE fix and CVE-2023-46045-0001.patch,
CVE-2023-46045-0002.patch are dependent commits to fix the CVE.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-46045

Upstream patches:
361f274ca9
3f31704caf
a95f977f5d

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0001.patch

@@ -0,0 +1,37 @@
+From 361f274ca901c3c476697a6404662d95f4dd43cb Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Wed, 24 Jul 2024 13:19:03 +0800
+Subject: [PATCH] gvc gvconfig_plugin_install_from_config: more tightly scope
+ 'gv_api'
+
+CVE: CVE-2023-46045
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/361f274ca901c3c476697a6404662d95f4dd43cb]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/gvc/gvconfig.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index d03de09..2f31b98 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -174,7 +174,6 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ {
+     char *package_path, *name, *api;
+     const char *type;
+-    api_t gv_api;
+     int quality;
+     int nest = 0;
+     gvplugin_package_t *package;
+@@ -189,7 +188,7 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+         package = gvplugin_package_record(gvc, package_path, name);
+	do {
+	    api = token(&nest, &s);
+-	    gv_api = gvplugin_api(api);
++	    const api_t gv_api = gvplugin_api(api);
+	    do {
+		if (nest == 2) {
+		    type = token(&nest, &s);
+--
+2.25.1

meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0002.patch

@@ -0,0 +1,38 @@
+From 3f31704cafd7da3e86bb2861accf5e90c973e62a Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Wed, 24 Jul 2024 13:39:39 +0800
+Subject: [PATCH] gvc gvconfig_plugin_install_from_config: more tightly scope
+ 'api'
+
+CVE: CVE-2023-46045
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/3f31704cafd7da3e86bb2861accf5e90c973e62a]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/gvc/gvconfig.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index 2f31b98..ea0d81b 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -172,7 +172,7 @@ static char *token(int *nest, char **tokens)
+
+ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ {
+-    char *package_path, *name, *api;
++    char *package_path, *name;
+     const char *type;
+     int quality;
+     int nest = 0;
+@@ -187,7 +187,7 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+	    name = "x";
+         package = gvplugin_package_record(gvc, package_path, name);
+	do {
+-	    api = token(&nest, &s);
++	    const char *api = token(&nest, &s);
+	    const api_t gv_api = gvplugin_api(api);
+	    do {
+		if (nest == 2) {
+--
+2.25.1

meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0003.patch

@@ -0,0 +1,33 @@
+From a95f977f5d809915ec4b14836d2b5b7f5e74881e Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Wed, 24 Jul 2024 15:02:06 +0800
+Subject: [PATCH] gvc: detect plugin installation failure and display an error
+
+Gitlab: fixes #2441
+Reported-by: GJDuck
+
+CVE: CVE-2023-46045
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/a95f977f5d809915ec4b14836d2b5b7f5e74881e]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/gvc/gvconfig.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index ea0d81b..1eccc70 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -189,6 +189,10 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+	do {
+	    const char *api = token(&nest, &s);
+	    const api_t gv_api = gvplugin_api(api);
++	    if (gv_api == (api_t)-1) {
++		agerr(AGERR, "config error: %s %s not found\n", package_path, api);
++		return 0;
++	    }
+	    do {
+		if (nest == 2) {
+		    type = token(&nest, &s);
+--
+2.25.1

meta-oe/recipes-graphics/graphviz/graphviz_8.1.0.bb

@@ -20,6 +20,9 @@ inherit autotools-brokensep pkgconfig gettext qemu
 
 SRC_URI = "https://gitlab.com/api/v4/projects/4207231/packages/generic/${BPN}-releases/${PV}/${BP}.tar.xz \
            file://0001-Autotools-fix-do-not-put-prefix-based-paths-in-compi.patch \
+           file://CVE-2023-46045-0001.patch \
+           file://CVE-2023-46045-0002.patch \
+           file://CVE-2023-46045-0003.patch \
            "
 # Use native mkdefs
 SRC_URI:append:class-target = "\