Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 829855 (CVE-2021-44917) - sci-visualization/gnuplot: divide by zero vulnerability
Summary: sci-visualization/gnuplot: divide by zero vulnerability
Status: IN_PROGRESS
Alias: CVE-2021-44917
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://sourceforge.net/p/gnuplot/bug...
Whiteboard: B3 [ebuild]
Keywords: UPSTREAM
Depends on:
Blocks:
 
Reported: 2021-12-23 08:39 UTC by John Helmert III
Modified: 2021-12-23 12:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-12-23 08:39:56 UTC
CVE-2021-44917:

A Divide by Zero vulnerability exists in gnuplot 5.4 in the boundary3d function in graph3d.c, which could cause a Arithmetic exception and application crash.

URL says this is patched but can't tell if it's made it into a release yet.
Comment 1 Ulrich Müller gentoo-dev 2021-12-23 12:29:11 UTC
I wonder why this would be labelled as a security vulnerability? It is simply a bug.

Gnuplot is a Turing complete language and the user is not supposed to execute scripts of unknown origin.

(In reply to John Helmert III from comment #0)
> URL says this is patched but can't tell if it's made it into a release yet.

Yeah, this will be fixed after the next upstream release. Backporting the patch doesn't make much sense for a problem that has no practical relevance (it is triggered when setting character size to zero and font size to infinity.)