Versions mentioned in the description apply to the upstream
Remediation section below for
Debian:9 relevant versions.
Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component.
graphviz to version 2.38.0-17+deb9u1 or higher.