Hello community,

here is the log from the commit of package gnuplot for openSUSE:Factory checked 
in at 2018-12-06 12:17:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnuplot (Old)
 and      /work/SRC/openSUSE:Factory/.gnuplot.new.19453 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gnuplot"

Thu Dec  6 12:17:36 2018 rev:71 rq:655317 version:5.2.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/gnuplot/gnuplot.changes  2018-10-09 
15:54:49.182236365 +0200
+++ /work/SRC/openSUSE:Factory/.gnuplot.new.19453/gnuplot.changes       
2018-12-06 12:17:38.141499265 +0100
@@ -1,0 +2,7 @@
+Wed Nov 28 11:35:10 UTC 2018 - Dr. Werner Fink <[email protected]>
+
+- Add patch gnuplot-e3cc539c.patch from upstream commit e3cc539c
+  Fix the bugs boo#1117463 (CVE-2018-19492), boo#1117464 (CVE-2018-19491),
+  and boo#1117465 (CVE-2018-19490)
+
+-------------------------------------------------------------------

New:
----
  gnuplot-e3cc539c.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gnuplot.spec ++++++
--- /var/tmp/diff_new_pack.Q2BE7K/_old  2018-12-06 12:17:38.737498625 +0100
+++ /var/tmp/diff_new_pack.Q2BE7K/_new  2018-12-06 12:17:38.741498621 +0100
@@ -103,6 +103,8 @@
 Patch5:         gnuplot-wx3.diff
 Patch6:         gnuplot-QtCore-PIC.dif
 Patch7:         gnuplot-gd.patch
+# PATCH-FIX-UPSTREAM upstream cimmit for boo#1117463, #1117464, and #1117465
+Patch8:         gnuplot-e3cc539c.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config 
--variable prefix x11 || echo /usr/X11R6)}
 %if "%_exec_prefix" == "/usr/X11R6"
@@ -155,6 +157,7 @@
 %patch5 -p1 -b .w3x
 %patch6 -p0 -b .pic
 %patch7 -p1 -b .gd
+%patch8 -p0 -b .sec
 
 %build
 autoreconf -fi

++++++ gnuplot-e3cc539c.patch ++++++
>From e3cc539c23ceb1640395236248f0ab5a26397557 Mon Sep 17 00:00:00 2001
From: Ethan A Merritt <[email protected]>
Date: Mon, 19 Nov 2018 11:35:25 -0800
Subject: [PATCH] various overflow cases found by fuzzing

Credits:
    Tim Blazytko
    Cornelius Aschermann
    Sergej Schumilo
    Nils Bars

Bug 2088: term.c(strlen_tex)
Bug 2089: cairo.trm metapost.trm tgif.trm (arbitrarily long font name)
Bug 2092: cgm.trm overwrites trailing '\0' in default font name
          also context.trm emf.trm
Bug 2094: also post.trm
Bug 2093: datafile.c expand df_line on input as necessary to hold string data
Bug 2095: eepic.trm (EEPIC_put_text) ignore request to print empty string
---
 src/datafile.c    |   11 +++++++----
 src/set.c         |    4 ++--
 src/term.c        |    2 +-
 term/cairo.trm    |    2 +-
 term/cgm.trm      |    9 ++-------
 term/context.trm  |    4 ++--
 term/eepic.trm    |    3 +++
 term/emf.trm      |    4 ++--
 term/metapost.trm |    2 +-
 term/post.trm     |    2 +-
 term/tgif.trm     |    2 +-
 11 files changed, 23 insertions(+), 22 deletions(-)

--- src/datafile.c
+++ src/datafile.c      2018-11-28 11:12:55.899231134 +0000
@@ -5622,10 +5622,13 @@ df_generate_ascii_array_entry()
        return NULL;
 
     entry = &(df_array->udv_value.v.value_array[df_array_index]);
-    if (entry->type == STRING)
-       sprintf(df_line, "%d \"%s\"", df_array_index, entry->v.string_val);
-    else
-       sprintf(df_line, "%d %g", df_array_index, real(entry));
+    if (entry->type == STRING) {
+       while (max_line_len < strlen(entry->v.string_val))
+           df_line = gp_realloc(df_line, max_line_len *= 2, "datafile line 
buffer");
+       snprintf(df_line, max_line_len-1, "%d \"%s\"", df_array_index, 
entry->v.string_val);
+    } else {
+       snprintf(df_line, max_line_len-1, "%d %g", df_array_index, real(entry));
+    }
        
     return df_line;
 }
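Review bot: The growth loop in the STRING branch sizes `df_line` from `strlen(entry->v.string_val)` alone, but the formatted output also carries the index, a space, two quotes and the terminator. A string close to `max_line_len` is therefore truncated silently by `snprintf`, and the closing quote is lost from the generated line. Reserve room for the fixed part, e.g. `while (max_line_len < strlen(entry->v.string_val) + 16)`, or check the `snprintf` return value against the size passed. The `-1` on the size argument is not needed, since `snprintf` already counts the terminator inside the size it is given. The function starts outside this hunk, so how `max_line_len` is declared and initialised is not visible here.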
--- src/set.c
+++ src/set.c   2018-11-28 11:12:55.899231134 +0000
@@ -1163,7 +1163,7 @@ set_clabel()
     c_token++;
     clabel_onecolor = FALSE;
     if ((new_format = try_to_get_string())) {
-       strncpy(contour_format, new_format, sizeof(contour_format));
+       safe_strncpy(contour_format, new_format, sizeof(contour_format));
        free(new_format);
     }
 }
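Review bot: Both copies into `contour_format` (here in set_clabel and in the set_cntrlabel hunk that follows) still truncate an over-long user format without telling the user. Assuming `safe_strncpy` always terminates within the size it is given, the unterminated-buffer case is closed, but the cut can fall in the middle of a conversion specification and leave a partial format stored. Consider testing `strlen(new_format) >= sizeof(contour_format)` before the copy and reporting an error instead of keeping a clipped format.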
@@ -1319,7 +1319,7 @@ set_cntrlabel()
            char *new;
            c_token++;
            if ((new = try_to_get_string()))
-               strncpy(contour_format,new,sizeof(contour_format));
+               safe_strncpy(contour_format,new,sizeof(contour_format));
            free(new);
        } else if (equals(c_token, "font")) {
            char *ctmp;
--- src/term.c
+++ src/term.c  2018-11-28 11:12:55.903231061 +0000
@@ -2956,7 +2956,7 @@ strlen_tex(const char *str)
        switch (*s) {
        case '[':
                while (*s && *s != ']') s++;
-               s++;
+               if (*s) s++;
                break;
        case '\\':
                s++;
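Review bot: The new `if (*s) s++;` in the `'['` case deserves a short comment, since the reason for the guard is not obvious from the line itself; something like `/* unterminated '[': stay on the NUL rather than stepping past it */`. The `'\\'` case directly below also advances `s` unconditionally. That step can land on the terminator at most, but the code after it lies outside this hunk, so it should be confirmed that nothing there advances again without testing `*s`.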
--- term/cairo.trm
+++ term/cairo.trm      2018-11-28 11:12:55.903231061 +0000
@@ -295,7 +295,7 @@ TERM_PUBLIC void cairotrm_options()
                                cairo_params->fontsize = 0;
                        } else {
                                sep = strcspn(s,",");
-                               if (sep > 0) {
+                               if (0 < sep && sep < MAX_ID_LEN) {
                                        strncpy(cairo_params->fontname, s, sep);
                                        cairo_params->fontname[sep] = '\0';
                                }
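Review bot: The new bound in cairotrm_options compares `sep` with `MAX_ID_LEN` rather than with the destination itself, while the metapost and tgif hunks in the same patch use `sizeof` of the target buffer. If `cairo_params->fontname` is an array, `if (0 < sep && sep < sizeof(cairo_params->fontname))` keeps the check tied to the real size even if the declaration changes; its declaration is not visible here. An over-long font name is now dropped silently and the previous font stays in effect, so a warning to the user would help.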
--- term/cgm.trm
+++ term/cgm.trm        2018-11-28 11:12:55.903231061 +0000
@@ -473,7 +473,7 @@ CGM_options()
                        font_index = 1;
                    } else
                        free(s);
-                   strncpy(cgm_font, cgm_font_data[font_index-1].name, 
sizeof(cgm_font));
+                   safe_strncpy(cgm_font, cgm_font_data[font_index-1].name, 
sizeof(cgm_font));
 
                } else {
                      /* the user is specifying the font size */
@@ -830,12 +830,7 @@ CGM_set_font(const char *font)
 
     {
       char *s = cgm_font_data[font_index-1].name;
-
-      len = strlen(s);
-      if (len > 31)
-       len = 31;
-      strncpy(cgm_font, s, len);
-      cgm_font[len] = NUL;
+      safe_strncpy(cgm_font, s, sizeof(cgm_font));
     }
 
     /* set font size */
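Review bot: After this change the local `len` in CGM_set_font may be left without any use, because the only visible assignments and reads of it are the lines being removed. Its declaration is outside the hunk, so this needs checking; if nothing else uses it, drop the declaration to avoid an unused-variable warning. Replacing the hard-coded 31 with `sizeof(cgm_font)` is the right direction, as the limit now follows the buffer's declared size.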
--- term/context.trm
+++ term/context.trm    2018-11-28 11:12:55.903231061 +0000
@@ -593,7 +593,7 @@ CONTEXT_options()
                        if ((tmp_string = try_to_get_string()) && (tmp_string 
!= NULL)) {
                                CONTEXT_fontstring_parse(tmp_string, tmp_font, 
MAX_ID_LEN+1, &tmp_fontsize);
                                /* copies font name to parameters */
-                               strncpy(CONTEXT_params.font, tmp_font, 
sizeof(CONTEXT_params.font));
+                               safe_strncpy(CONTEXT_params.font, tmp_font, 
sizeof(CONTEXT_params.font));
                                tmp_font[MAX_ID_LEN] = NUL;
                                free(tmp_string);
                                /* save font size:
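Review bot: In CONTEXT_options the context line `tmp_font[MAX_ID_LEN] = NUL;` terminates the source buffer only after it has already been read by the copy above it. If the intent is to guarantee that `tmp_font` is terminated before it is used, that assignment belongs before the `safe_strncpy` call; if `CONTEXT_fontstring_parse` already terminates within the `MAX_ID_LEN+1` bytes it is given, the line is redundant and can go. The `&& (tmp_string != NULL)` half of the condition repeats the test made by the assignment before it.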
@@ -1379,7 +1379,7 @@ CONTEXT_set_font(const char *font)
 
        /* saves font name & family to CONTEXT_font */
        CONTEXT_fontstring_parse((char *)font, CONTEXT_font, 
sizeof(CONTEXT_font), &CONTEXT_fontsize_explicit);
-       strncpy(CONTEXT_font_explicit, CONTEXT_font, 
sizeof(CONTEXT_font_explicit));
+       safe_strncpy(CONTEXT_font_explicit, CONTEXT_font, 
sizeof(CONTEXT_font_explicit));
 
        /* valid fontsize has been provided */
        if (CONTEXT_fontsize_explicit > 0.) { /* XXX: if valid */
--- term/eepic.trm
+++ term/eepic.trm      2018-11-28 11:12:55.903231061 +0000
@@ -375,6 +375,9 @@ EEPIC_put_text(unsigned int x, unsigned
 {
     int i, l;
 
+    if (*str == '\0')
+       return;
+
     EEPIC_endline();
 
     fprintf(gpoutfile, "\\put(%d,%d)", x, y);
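Review bot: The early return in EEPIC_put_text is missing a comment saying which later code cannot cope with an empty string, which is the reason for the guard according to the commit message (Bug 2095). A line such as `/* nothing to print; the code below assumes at least one character */` would record that, worded to match what the rest of the function actually does, since its body continues outside this hunk. The guard also dereferences `str` without a NULL test, and it returns before `EEPIC_endline()`; whether callers can pass NULL or rely on the line being ended is not visible here.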
--- term/emf.trm
+++ term/emf.trm        2018-11-28 11:12:55.903231061 +0000
@@ -790,7 +790,7 @@ EMF_options()
                *comma = '\0';
            }
            if (*s)
-               strncpy(emf_defaultfontname, s, sizeof(emf_defaultfontname));
+               safe_strncpy(emf_defaultfontname, s, 
sizeof(emf_defaultfontname));
            free(s);
            if (isanumber(c_token)) {
                emf_defaultfontsize = int_expression();
@@ -1865,7 +1865,7 @@ ENHemf_put_text(unsigned int x, unsigned
 
     /* set up the global variables needed by enhanced_recursion() */
     enhanced_fontscale = 1.0;
-    strncpy(enhanced_escape_format,"&#x%2.2x;",sizeof(enhanced_escape_format));
+    
safe_strncpy(enhanced_escape_format,"&#x%2.2x;",sizeof(enhanced_escape_format));
 
     ENHemf_opened_string = FALSE;
     ENHemf_overprint = 0;
--- term/metapost.trm
+++ term/metapost.trm   2018-11-28 11:12:55.903231061 +0000
@@ -320,7 +320,7 @@ MP_options()
            char *s;
            if ((s = try_to_get_string())) {
                int sep = strcspn(s,",");
-               if (sep > 0) {
+               if (0 < sep && sep < sizeof(MP_fontname)) {
                    strncpy(MP_fontname, s, sizeof(MP_fontname));
                    MP_fontname[sep] = '\0';
                }
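Review bot: The new bound in MP_options compares the `int sep` with a `size_t` from `sizeof(MP_fontname)`, and the copy on the next line still uses the full buffer width instead of `sep`; the same two points apply to the TGIF_options hunk with `sActFont`. The result is correct because `0 < sep` is tested first, but it draws a sign-compare warning and copies more than is kept. Declaring `size_t sep = strcspn(s,",");` and copying with `strncpy(MP_fontname, s, sep);`, as the cairo terminal does, reads more directly. As in cairo, a name that is too long is ignored without any message to the user.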
--- term/post.trm
+++ term/post.trm       2018-11-28 11:14:28.889527841 +0000
@@ -1194,7 +1194,7 @@ PS_options()
        term->h_char = (unsigned int)(ps_fontsize*PS_SCF*5/10);
     else
        term->h_char = (unsigned int)(ps_fontsize*PS_SCF*6/10);
-    sprintf(PS_default_font,"%s,%g",ps_params->font,ps_fontsize);
+    snprintf(PS_default_font, sizeof(PS_default_font)-1, "%s, %.2g", 
ps_params->font, ps_fontsize);
 
     if (ps_params->terminal == PSTERM_POSTSCRIPT) {
        if (ps_params->first_fontfile) {
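Review bot: The format string in PS_options changed from `"%s,%g"` to `"%s, %.2g"`, which goes beyond bounding the write. `%.2g` keeps only two significant digits, so a font size of 12.5 is no longer stored exactly and a size of 100 is written as `1e+02`; the added space also changes the stored string for any code that parses it later. Unless that was intended, keep the original format and only bound the call: `snprintf(PS_default_font, sizeof(PS_default_font), "%s,%g", ps_params->font, ps_fontsize);`. The `-1` is unnecessary because `snprintf` terminates within the size given, and `sizeof` is only right if `PS_default_font` is an array, which is declared outside this hunk.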
--- term/tgif.trm
+++ term/tgif.trm       2018-11-28 11:12:55.903231061 +0000
@@ -369,7 +369,7 @@ TGIF_options()
                int sep = strcspn(s,",");
                if (s[sep] == ',' && (1 == sscanf(&s[sep+1],"%lf",&fontsize)))
                    uActFontSize =  (int)(fontsize+0.5);
-               if (sep > 0) {
+               if (0 < sep && sep < sizeof(sActFont)) {
                    strncpy(sActFont, s, sizeof(sActFont));
                    sActFont[sep] = NUL;
                }

