From: Zhang Peng <peng.zhang1...@windriver.com>

CVE-2025-3359: A flaw was found in GNUPlot. A segmentation fault via IO_str_init_static_internal may jeopardize the environment.
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2025-3359] Upstream patches: [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/a5897feadc4be73b0ffd8458556c47117bd24d03/] Signed-off-by: Zhang Peng <peng.zhang1...@windriver.com> --- .../gnuplot/gnuplot/CVE-2025-3359.patch | 67 +++++++++++++++++++ .../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch new file mode 100644 index 0000000000..d2de00ec6d --- /dev/null +++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch 
@@ -0,0 +1,67 @@ +From 997b4ee68275664b94e0c881ace5121d79c0c29c Mon Sep 17 00:00:00 2001 +From: Ethan A Merritt <merr...@u.washington.edu> +Date: Tue, 25 Mar 2025 22:51:54 -0700 +Subject: [PATCH] hpgl: font name parsing overruns the string by one char + +if no comma is present in the font name. +E.g. + set term pcl + set title "Title" font "sans" # no comma in font name + plot x + +Bug 2781 + +CVE: CVE-2025-3359 +Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/a5897feadc4be73b0ffd8458556c47117bd24d03/] +Signed-off-by: Zhang Peng <peng.zhang1...@windriver.com> +--- + term/hpgl.trm | 28 +++++++++++----------------- + 1 file changed, 11 insertions(+), 17 deletions(-) + +diff --git a/term/hpgl.trm b/term/hpgl.trm +index 04088977d..fdb4c7083 100644 +--- a/term/hpgl.trm ++++ b/term/hpgl.trm +@@ -1650,28 +1650,22 @@ TERM_PUBLIC int + HPGL2_set_font(const char *font) + { + char name[MAX_ID_LEN + 1]; +- int sep; +- int int_size; +- double size; ++ char *sep; ++ double size = HPGL2_point_size; + + if (font == NULL) + font = ""; + +- sep = strcspn(font, ","); +- strncpy(name, font, sizeof(name)); +- +- if (sep < sizeof(name)) +- name[sep] = NUL; +- +-/* determine font size, use default from options if invalid */ +- int_size = 0; +- /* FIXME: use strtod instead */ +- sscanf(&(font[sep + 1]), "%d", &int_size); +- if (int_size > 0) +- size = int_size; +- else +- size = HPGL2_point_size; ++ safe_strncpy(name, font, sizeof(name)); + ++ /* determine font size, use default from options if invalid */ ++ sep = strchr(font, ','); ++ if (sep) { ++ double req_size = strtod(sep+1, NULL); ++ if (req_size > 0) ++ size = req_size; ++ *sep = '\0'; ++ } + return HPGL2_set_font_size(name, size); + } + +-- +2.43.0 + diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb index fe5e5c067d..eff2ccc98c 100644 --- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb 
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb @@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a http://www.mneuroth.de/privat/zaurus/qtplot-0.2.tar.gz;name=qtplot \ file://gnuplot.desktop \ file://gnuplot.png \ + file://CVE-2025-3359.patch \ " SRC_URI:append:class-target = " \ file://0002-do-not-build-demos.patch \ -- 2.50.0
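Review bot: In the rewritten HPGL2_set_font() inside the embedded term/hpgl.trm hunk, `sep = strchr(font, ',')` searches the caller's `const char *font` rather than the local `name` buffer. As a result `*sep = '\0'` writes through a pointer into a string the signature declares const, and `name`, which was already filled by `safe_strncpy(name, font, sizeof(name))`, still carries the comma and size suffix when it reaches `HPGL2_set_font_size(name, size)`. Suggest truncating the local copy instead: look for the comma in `name` to terminate the font name, and parse the size with strtod from the comma found in `font`, so the input is left untouched and a size that follows a name longer than MAX_ID_LEN is still honoured. Since this is a backport, it is worth checking whether upstream carries a follow-up to this commit and including it in the same recipe change if so.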