Your message dated Fri, 16 Jun 2017 21:04:01 +0000
with message-id <[email protected]>
and subject line Bug#864901: fixed in gnuplot 5.0.5+dfsg1-7
has caused the Debian Bug report #864901,
regarding gnuplot: CVE-2017-9670: uninitialized stack variable vulnerability could lead to a Denial of Service
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case, it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
864901: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864901
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnuplot
Version: 5.0.5+dfsg1-6
Severity: important
Tags: patch security upstream
Forwarded: https://sourceforge.net/p/gnuplot/bugs/1933/

Hi,

the following vulnerability was published for gnuplot.

CVE-2017-9670[0]:
| An uninitialized stack variable vulnerability in load_tic_series() in
| set.c in gnuplot 5.2.rc1 allows an attacker to cause Denial of Service
| (Segmentation fault and Memory Corruption) or possibly have unspecified
| other impact when a victim opens a specially crafted file.

AFAICT, it has been introduced with [2], as per [3], and fixed in [4].
Please double check and adjust the affected versions in the BTS as
needed if I got it actually wrong and older versions are affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9670
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9670
[1] https://sourceforge.net/p/gnuplot/bugs/1933/
[2] https://github.com/gnuplot/gnuplot/commit/cd4b777389379598740fc02decff772b0e7bcbd6
[3] https://bugzilla.novell.com/show_bug.cgi?id=1044638#c5
[4] https://github.com/gnuplot/gnuplot/commit/4e39b1d7b274c7d4a69cbaba85ff321264f4457e

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: gnuplot
Source-Version: 5.0.5+dfsg1-7

We believe that the bug you reported is fixed in the latest version of
gnuplot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <[email protected]> (supplier of updated gnuplot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 16 Jun 2017 22:35:29 +0200
Source: gnuplot
Binary: gnuplot gnuplot-doc gnuplot-nox gnuplot-qt gnuplot-x11 gnuplot-data gnuplot5 gnuplot5-nox gnuplot5-x11 gnuplot5-qt
Architecture: source
Version: 5.0.5+dfsg1-7
Distribution: unstable
Urgency: high
Maintainer: Debian Science Team <[email protected]>
Changed-By: Anton Gladky <[email protected]>
Description:
 gnuplot    - Command-line driven interactive plotting program, version 5
 gnuplot-data - Command-line driven interactive plotting program. Data-files
 gnuplot-doc - Command-line driven interactive plotting program. Doc-package
 gnuplot-nox - Command-line driven interactive plotting program. No-X package
 gnuplot-qt - Command-line driven interactive plotting program. QT-package
 gnuplot-x11 - Command-line driven interactive plotting program. X-package
 gnuplot5   - transitional package
 gnuplot5-nox - transitional package
 gnuplot5-qt - transitional package
 gnuplot5-x11 - transitional package
Closes: 864901
Changes:
 gnuplot (5.0.5+dfsg1-7) unstable; urgency=high
 .
   * [02931b6] Fix memory corruption vulnerability. CVE-2017-9670.
               (Closes: #864901)


--- End Message ---
-- 
debian-science-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/debian-science-maintainers
