From https://lists.debian.org/debian-qa-packages/2014/12/msg00048.html , which seems to come from Ubuntu. Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081 Author: Emden R. Gansner --- lib/cgraph/scan.l | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: b/lib/cgraph/scan.l =================================================================== --- a/lib/cgraph/scan.l +++ b/lib/cgraph/scan.l @@ -225,7 +225,7 @@ agxbput (&xb, buf); agxbput (&xb, yytext); agxbput (&xb,"'\n"); - agerr(AGERR,agxbuse(&xb)); + agerr(AGERR, "%s", agxbuse(&xb)); agxbfree(&xb); } /* must be here to see flex's macro defns */
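Review bot: the patch description does not say why the old call in yyerror() was exploitable, and it is worth one sentence: the string handed to agerr() is assembled with agxbput(&xb, yytext), so text taken from the scanned input reached agerr() as its format argument. The replacement line agerr(AGERR, "%s", agxbuse(&xb)); is the right fix for this call. Only this one call site is touched, so before closing the CVE I would check the remaining agerr() callers for any other non-literal format argument. If the agerr() declaration does not already carry a printf-style format attribute, adding one and building with -Wformat-security would let the compiler flag this pattern in future.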