829855 – (CVE-2021-44917) <sci-visualization/gnuplot-5.4.3: divide by zero vulnerability

Bug 829855 (CVE-2021-44917) - <sci-visualization/gnuplot-5.4.3: divide by zero vulnerability

Summary: <sci-visualization/gnuplot-5.4.3: divide by zero vulnerability

Status:	IN_PROGRESS

Alias:	CVE-2021-44917

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://sourceforge.net/p/gnuplot/bug...
Whiteboard:	B3 [glsa?]
Keywords:	UPSTREAM

Depends on:
Blocks:

Reported:	2021-12-23 08:39 UTC by John Helmert III
Modified:	2022-07-28 17:40 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-12-23 08:39:56 UTC

CVE-2021-44917:

A Divide by Zero vulnerability exists in gnuplot 5.4 in the boundary3d function in graph3d.c, which could cause a Arithmetic exception and application crash.

URL says this is patched but can't tell if it's made it into a release yet.

Comment 1 Ulrich Müller gentoo-dev

2021-12-23 12:29:11 UTC

I wonder why this would be labelled as a security vulnerability? It is simply a bug.

Gnuplot is a Turing complete language and the user is not supposed to execute scripts of unknown origin.

(In reply to John Helmert III from comment #0)
> URL says this is patched but can't tell if it's made it into a release yet.

Yeah, this will be fixed after the next upstream release. Backporting the patch doesn't make much sense for a problem that has no practical relevance (it is triggered when setting character size to zero and font size to infinity.)

Comment 2 Ulrich Müller gentoo-dev

2022-07-28 17:40:51 UTC

Fixed upstream in gnuplot-5.4.3.

This version is already stable, and older versions have been dropped.