Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 829855 (CVE-2021-44917) - <sci-visualization/gnuplot-5.4.3: divide by zero vulnerability
Summary: <sci-visualization/gnuplot-5.4.3: divide by zero vulnerability
Alias: CVE-2021-44917
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Keywords: UPSTREAM
Depends on:
Reported: 2021-12-23 08:39 UTC by John Helmert III
Modified: 2022-07-28 17:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-23 08:39:56 UTC

A Divide by Zero vulnerability exists in gnuplot 5.4 in the boundary3d function in graph3d.c, which could cause a Arithmetic exception and application crash.

URL says this is patched but can't tell if it's made it into a release yet.
Comment 1 Ulrich Müller gentoo-dev 2021-12-23 12:29:11 UTC
I wonder why this would be labelled as a security vulnerability? It is simply a bug.

Gnuplot is a Turing complete language and the user is not supposed to execute scripts of unknown origin.

(In reply to John Helmert III from comment #0)
> URL says this is patched but can't tell if it's made it into a release yet.

Yeah, this will be fixed after the next upstream release. Backporting the patch doesn't make much sense for a problem that has no practical relevance (it is triggered when setting character size to zero and font size to infinity.)
Comment 2 Ulrich Müller gentoo-dev 2022-07-28 17:40:51 UTC
Fixed upstream in gnuplot-5.4.3.

This version is already stable, and older versions have been dropped.