Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 623204 (CVE-2017-9670)

Summary: <sci-visualization/gnuplot-5.2.2: Uninitialized stack variable in load_tic_series()
Product: Gentoo Security Reporter: Volkan <vBugZilla>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: minor CC: junghans, sci, ulm
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1462135
Whiteboard: B3 [stable? cve]
Package list:
Runtime testing required: ---

Description Volkan 2017-06-30 21:38:19 UTC 
An uninitialized stack variable vulnerability in load_tic_series() in set.c in gnuplot 5.2.rc1 allows an attacker to cause Denial of Service (Segmentation fault and Memory Corruption) or possibly have unspecified other impact when a victim opens a specially crafted file.

Upstream bug:

https://sourceforge.net/p/gnuplot/bugs/1933/
Comment 1 Christoph Junghans (RETIRED) gentoo-dev 2017-06-30 21:50:21 UTC 
It seems gnuplot-5.2.rc1 was never added to gx86.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-27 00:09:41 UTC 
@Maintainers, 5.2 was released in September, could you please confirm if the fix is available?

Thank you
Comment 3 Ulrich Müller gentoo-dev 2017-11-19 17:23:24 UTC 
I have just committed sci-visualization/gnuplot-5.2.2 and I have verified that it contains the fix attached to the upstream bug:
https://sourceforge.net/p/gnuplot/bugs/1933/


(In reply to Christoph Junghans from comment #1)
> It seems gnuplot-5.2.rc1 was never added to gx86.

Right, and the 5.0 series did not yet support the "set ttics" command. The only version that was affected was the live ebuild (5.1.9999) which never had any keywords (and is gone by now).