From: Zhang Peng <[email protected]>

CVE-2025-31176: A flaw was found in gnuplot. The plot3d_points() function may lead to a segmentation fault and cause a system crash.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31176]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b456a3ef618f55a20b3071d336cb20514274f1d4/]

Signed-off-by: Zhang Peng <[email protected]>
---
 .../gnuplot/gnuplot/CVE-2025-31176.patch | 86 +++++++++++++++++++
 .../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 1 +
 2 files changed, 87 insertions(+)
 create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch

diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch
new file mode 100644
index 0000000000..7fdabff476
--- /dev/null
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch
@@ -0,0 +1,86 @@ +From d0664704daa46d2e4440c0c50057d0dfa47467ea Mon Sep 17 00:00:00 2001 +From: Ethan A Merritt <[email protected]> +Date: Tue, 11 Mar 2025 12:31:54 -0700 +Subject: [PATCH] guard against invalid read from plot->labels + +If a plot style uses points and the point chosen has PT_CHARACTER +then the program looks for a possible font in plot->labels->font. +These plot styles contain a flag bit HAS_POINT (gp_types.h). +The program makes sure to initialize plot->labels for these styles. +However a problem arises when a plot style that doesn't use points +nevertheless triggers this same attempted font lookup by using a +linetype that happens to use pointtype PT_CHARACTER. +I think this is only possible with 'splot' but I added parallel +checks for 'plot' as well. + +Bug 2776 + +CVE: CVE-2025-31176 +Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b456a3ef618f55a20b3071d336cb20514274f1d4/] +Signed-off-by: Zhang Peng <[email protected]> +--- + src/boundary.c | 2 +- + src/graph3d.c | 4 ++-- + src/graphics.c | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/boundary.c b/src/boundary.c +index fd2ac86f4..60dbce042 100644 +--- a/src/boundary.c ++++ b/src/boundary.c +@@ -1440,7 +1440,7 @@ do_key_sample_point( + (*t->pointsize)(pointsize); + if (on_page(xl + key_point_offset, yl)) { + if (this_plot->lp_properties.p_type == PT_CHARACTER) { +- if (this_plot->labels->textcolor.type != TC_DEFAULT) ++ if (this_plot->labels && this_plot->labels->textcolor.type != TC_DEFAULT) + apply_pm3dcolor(&(this_plot->labels->textcolor)); + (*t->put_text) (xl + key_point_offset, yl, + this_plot->lp_properties.p_char); +diff --git a/src/graph3d.c b/src/graph3d.c +index 0d3ca7221..48b02f580 100644 +--- a/src/graph3d.c ++++ b/src/graph3d.c +@@ -2016,7 +2016,7 @@ plot3d_points(struct surface_points *plot) + /* Set whatever we can that applies to every point in the loop */ + if (plot->lp_properties.p_type == PT_CHARACTER) { + 
ignore_enhanced(TRUE); +- if (plot->labels->font && plot->labels->font[0]) ++ if (plot->labels && plot->labels->font && plot->labels->font[0]) + (*t->set_font) (plot->labels->font); + (*t->justify_text) (CENTRE); + } +@@ -2111,7 +2111,7 @@ plot3d_points(struct surface_points *plot) + + /* Return to initial state */ + if (plot->lp_properties.p_type == PT_CHARACTER) { +- if (plot->labels->font && plot->labels->font[0]) ++ if (plot->labels && plot->labels->font && plot->labels->font[0]) + (*t->set_font) (""); + ignore_enhanced(FALSE); + } +diff --git a/src/graphics.c b/src/graphics.c +index bdbebe92a..2b500b12b 100644 +--- a/src/graphics.c ++++ b/src/graphics.c +@@ -2353,7 +2353,7 @@ plot_points(struct curve_points *plot) + /* Set whatever we can that applies to every point in the loop */ + if (plot->lp_properties.p_type == PT_CHARACTER) { + ignore_enhanced(TRUE); +- if (plot->labels->font && plot->labels->font[0]) ++ if (plot->labels && plot->labels->font && plot->labels->font[0]) + (*t->set_font) (plot->labels->font); + (*t->justify_text) (CENTRE); + } +@@ -2475,7 +2475,7 @@ plot_points(struct curve_points *plot) + + /* Return to initial state */ + if (plot->lp_properties.p_type == PT_CHARACTER) { +- if (plot->labels->font && plot->labels->font[0]) ++ if (plot->labels && plot->labels->font && plot->labels->font[0]) + (*t->set_font) (""); + ignore_enhanced(FALSE); + } +-- +2.43.0 + diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb index eff2ccc98c..18722b3641 100644 --- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb +++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb @@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a file://gnuplot.desktop \ file://gnuplot.png \ file://CVE-2025-3359.patch \ + file://CVE-2025-31176.patch \ " SRC_URI:append:class-target = " \ file://0002-do-not-build-demos.patch \ -- 2.50.0
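Review bot: In the plot3d_points() and plot_points() hunks the new `plot->labels &&` test covers only the font setup before the point loop and the font reset after it; the loop body between the @@ -2016 and @@ -2111 hunks in src/graph3d.c (and between @@ -2353 and @@ -2475 in src/graphics.c) is not part of the diff. The do_key_sample_point() hunk shows that the PT_CHARACTER path also reads labels->textcolor, so please confirm against the 5.4.3 sources that no per-point PT_CHARACTER branch inside those loops still dereferences plot->labels without a NULL check. If one does, it needs the same guard, otherwise the invalid read described in the upstream message is still reachable for a plot style without HAS_POINT.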
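Review bot: The mail's description names only plot3d_points(), but the backport also changes do_key_sample_point() in src/boundary.c and plot_points() in src/graphics.c. Add a line to the commit message saying that the upstream fix guards the 2D and key-sample paths as well, so that someone matching the CVE text against the diff can see the extra hunks are intentional and come from the same upstream commit.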
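Review bot: The embedded patch header starts with "From d0664704daa46d2e4440c0c50057d0dfa47467ea", while both the mail body and the Upstream-Status line point at commit b456a3ef618f55a20b3071d336cb20514274f1d4. Say where the d0664704 hash comes from (a mirror, or a local cherry-pick onto the 5.4.3 tree) or regenerate the patch so the two agree; as posted, the backport cannot be checked against upstream by hash alone. The SRC_URI hunk in gnuplot_5.4.3.bb, which adds file://CVE-2025-31176.patch after file://CVE-2025-3359.patch, needs no change.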
View/Reply Online (#119170): https://lists.openembedded.org/g/openembedded-devel/message/119170
