More specifically, this issue is an out-of-bounds read.
AFAICT the issue was actually introduced in Graphviz 2.36. It was fixed
in commit a95f977f5d809915ec4b14836d2b5b7f5e74881e (essentially
reverting cf95714837f06f684929b54659523c2c9b1fc19f that introduced the
issue), but there has been no release yet since then. The next release
will be 10.0.0. So affected versions would be [2.36, 10.0.0).
In regard to your recent FD posts, are you requesting CVEs based on the
presence of strings in commit messages such as “null pointer dereference”?
Are you reaching out to each upstream project before assigning a CVE? Do
you believe that every null pointer bug is a vulnerability? What impact
are you hoping to achieve?
In your recent mass posts to FD, are you reporting vulnerabilities or
bug reports which have words like “segfault” in the title? What benefit
do you see this having? Have you spoken to each upstream project before
requesting a CVE be assigned?
I will be asking that this CVE be withdrawn on behalf of the X.Org security team.
While it is a low-priority bug, we did not see any security exposure
when this bug was first brought to our attention because there is no
way for an attacker to change the contents of the lisp.lsp file or to
cause a *.lsp file to be loaded for another user.
The bug report states “replace /usr/local/lib/X11/xedit/lisp/lisp.lsp with
the attached version,”…