Bug 746419 (CVE-2020-25412, CVE-2020-25559) - <sci-visualization/gnuplot-5.2.8-r1: double free vulnerability (CVE-2020-{25412,25559})
Summary: <sci-visualization/gnuplot-5.2.8-r1: double free vulnerability (CVE-2020-{25412,25559})
Status: RESOLVED FIXED
Alias: CVE-2020-25412, CVE-2020-25559
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://sourceforge.net/p/gnuplot/bug...
Whiteboard: B2 [noglsa]
Reported: 2020-10-04 02:57 UTC by John Helmert III
Modified: 2020-12-23 16:15 UTC

Package list:
sci-visualization/gnuplot-5.2.8-r1
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-04 02:57:48 UTC
gnuplot 5.5 is affected by a double free when executing print_set_output. This may result in context-dependent arbitrary code execution.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-04 03:46:06 UTC
CVE-2020-25559 is what's described in my previous comment. I was able to verify that it affects our 5.2.8 in tree, but I can't reproduce this one without a reproducer:

CVE-2020-25412 (https://sourceforge.net/p/gnuplot/bugs/2303/):

com_line() in command.c in gnuplot 5.4 leads to an out-of-bounds-write from strncpy() that may lead to arbitrary code execution.
Comment 2 Ulrich Müller gentoo-dev 2020-10-04 07:15:13 UTC
So, should we bump to 5.4.0, or wait for a new upstream release?
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-04 13:47:53 UTC
Sorry, we should wait for an upstream release or apply the relevant patches (I assume they've been fixed, given upstream closed the bugs). I'm unfamiliar with their release cycle so I'd leave that up to maintainers, whether adding patches would be more efficient.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 06:15:01 UTC
Please bump to 5.4.1.
Comment 5 Larry the Git Cow gentoo-dev 2020-12-16 09:03:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7fe851fe3634cd5485acf66107f8646bcaf0dcd

commit c7fe851fe3634cd5485acf66107f8646bcaf0dcd
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2020-12-16 08:41:13 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2020-12-16 08:47:10 +0000

    sci-visualization/gnuplot: Backport security fixes to version 5.2.8.
    
    Bug: https://bugs.gentoo.org/746419
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 .../gnuplot/files/gnuplot-5.2.8-double-free.patch  |  21 ++
 .../gnuplot/files/gnuplot-5.2.8-font-syntax.patch  |  36 ++++
 sci-visualization/gnuplot/gnuplot-5.2.8-r1.ebuild  | 217 +++++++++++++++++++++
 3 files changed, 274 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b73fa5365062544e6ea588ec741d62a2e7ccec86

commit b73fa5365062544e6ea588ec741d62a2e7ccec86
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2020-12-16 08:39:33 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2020-12-16 08:41:50 +0000

    sci-visualization/gnuplot: Version bump to 5.4.1.
    
    Bug: https://bugs.gentoo.org/746419
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 sci-visualization/gnuplot/Manifest                |   1 +
 sci-visualization/gnuplot/gnuplot-5.4.1-r1.ebuild | 210 ++++++++++++++++++++++
 sci-visualization/gnuplot/gnuplot-5.4.1.ebuild    | 203 +++++++++++++++++++++
 3 files changed, 414 insertions(+)
Comment 6 Ulrich Müller gentoo-dev 2020-12-16 09:07:59 UTC
(In reply to Sam James from comment #4)
> Please bump to 5.4.1.

Bumped to 5.4.1 and backported both fixes to 5.2.8-r1.

I'd prefer stabilising 5.2.8-r1 for now, and waiting with 5.4.1 until the transition to slotted lua is complete.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 09:10:39 UTC
(In reply to Ulrich Müller from comment #6)
> (In reply to Sam James from comment #4)
> > Please bump to 5.4.1.
> 
> Bumped to 5.4.1 and backported both fixes to 5.2.8-r1.
> 
> I'd prefer stabilising 5.2.8-r1 for now, and wait with 5.4.1 until
> transition to slotted lua is complete.

That's completely reasonable. Add CC-ARCHES when you're ready / let us know, but ideally within a few days.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 15:17:23 UTC
amd64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-17 00:47:47 UTC
ppc done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-17 08:01:58 UTC
arm done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-17 12:47:44 UTC
arm64 done
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-18 10:40:42 UTC
ppc64 stable
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-20 16:41:07 UTC
x86 stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-22 20:04:22 UTC
sparc stable
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 20:14:54 UTC
All arches done, please cleanup.
Comment 16 Larry the Git Cow gentoo-dev 2020-12-23 11:09:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdf3652cd3166e4c6770ca87f89343ee7f16fc2f

commit fdf3652cd3166e4c6770ca87f89343ee7f16fc2f
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2020-12-23 11:09:25 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2020-12-23 11:09:25 +0000

    sci-visualization/gnuplot: Remove old.
    
    Bug: https://bugs.gentoo.org/746419
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 sci-visualization/gnuplot/Manifest                 |   1 -
 .../gnuplot/files/gnuplot-5.4.0-caca.patch         |  46 -----
 .../gnuplot/files/gnuplot-5.4.0-no-mouse.patch     |  27 ---
 .../gnuplot/files/gnuplot-5.4.0-pkg-config.patch   |  40 ----
 sci-visualization/gnuplot/gnuplot-5.2.8.ebuild     | 215 ---------------------
 .../gnuplot/gnuplot-5.4.0-r100.ebuild              | 213 --------------------
 sci-visualization/gnuplot/gnuplot-5.4.0-r2.ebuild  | 206 --------------------
 7 files changed, 748 deletions(-)
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 16:15:07 UTC
GLSA Vote: No

GnuPlot files can execute arbitrary commands by design and should only be processed from trusted sources.

Repository is clean, all done!