gnuplot 5.5 is affected by a double free when executing print_set_output. This may result in context-dependent arbitrary code execution.
CVE-2020-25559 is what's described in my previous comment. I was able to verify that it affects our 5.2.8 in tree, but I can't reproduce this one without a reproducer: CVE-2020-25412 (https://sourceforge.net/p/gnuplot/bugs/2303/): com_line() in command.c in gnuplot 5.4 leads to an out-of-bounds write from strncpy() that may lead to arbitrary code execution.
So, should we bump to 5.4.0, or wait for a new upstream release?
Sorry, we should wait for an upstream release or apply the relevant patches (I assume they've been fixed, given upstream closed the bugs). I'm unfamiliar with their release cycle so I'd leave that up to maintainers, whether adding patches would be more efficient.
Please bump to 5.4.1.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7fe851fe3634cd5485acf66107f8646bcaf0dcd

commit c7fe851fe3634cd5485acf66107f8646bcaf0dcd
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2020-12-16 08:41:13 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2020-12-16 08:47:10 +0000

    sci-visualization/gnuplot: Backport security fixes to version 5.2.8.

    Bug: https://bugs.gentoo.org/746419
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 .../gnuplot/files/gnuplot-5.2.8-double-free.patch | 21 ++
 .../gnuplot/files/gnuplot-5.2.8-font-syntax.patch | 36 ++++
 sci-visualization/gnuplot/gnuplot-5.2.8-r1.ebuild | 217 +++++++++++++++++++++
 3 files changed, 274 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b73fa5365062544e6ea588ec741d62a2e7ccec86

commit b73fa5365062544e6ea588ec741d62a2e7ccec86
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2020-12-16 08:39:33 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2020-12-16 08:41:50 +0000

    sci-visualization/gnuplot: Version bump to 5.4.1.

    Bug: https://bugs.gentoo.org/746419
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 sci-visualization/gnuplot/Manifest                | 1 +
 sci-visualization/gnuplot/gnuplot-5.4.1-r1.ebuild | 210 ++++++++++++++++++++++
 sci-visualization/gnuplot/gnuplot-5.4.1.ebuild    | 203 +++++++++++++++++++++
 3 files changed, 414 insertions(+)

(In reply to Sam James from comment #4)
> Please bump to 5.4.1.

Bumped to 5.4.1 and backported both fixes to 5.2.8-r1.

I'd prefer stabilising 5.2.8-r1 for now, and wait with 5.4.1 until the transition to slotted lua is complete.

(In reply to Ulrich Müller from comment #6)
> (In reply to Sam James from comment #4)
> > Please bump to 5.4.1.
>
> Bumped to 5.4.1 and backported both fixes to 5.2.8-r1.
>
> I'd prefer stabilising 5.2.8-r1 for now, and wait with 5.4.1 until
> transition to slotted lua is complete.

That's completely reasonable. Add CC-ARCHES when you're ready / let us know, but ideally within a few days.
amd64 done
ppc done
arm done
arm64 done
ppc64 stable
x86 stable
sparc stable
All arches done, please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdf3652cd3166e4c6770ca87f89343ee7f16fc2f

commit fdf3652cd3166e4c6770ca87f89343ee7f16fc2f
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2020-12-23 11:09:25 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2020-12-23 11:09:25 +0000

    sci-visualization/gnuplot: Remove old.

    Bug: https://bugs.gentoo.org/746419
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 sci-visualization/gnuplot/Manifest                 |   1 -
 .../gnuplot/files/gnuplot-5.4.0-caca.patch         |  46 -----
 .../gnuplot/files/gnuplot-5.4.0-no-mouse.patch     |  27 ---
 .../gnuplot/files/gnuplot-5.4.0-pkg-config.patch   |  40 ----
 sci-visualization/gnuplot/gnuplot-5.2.8.ebuild     | 215 ---------------------
 .../gnuplot/gnuplot-5.4.0-r100.ebuild              | 213 --------------------
 sci-visualization/gnuplot/gnuplot-5.4.0-r2.ebuild  | 206 --------------------
 7 files changed, 748 deletions(-)

GLSA Vote: No. GnuPlot files can execute arbitrary commands by design and should only be processed from trusted sources.

Repository is clean, all done!