diff --git a/gnuplot-e3cc539c.patch b/gnuplot-e3cc539c.patch
new file mode 100644
index 0000000..1b5a7ef
--- /dev/null
+++ b/gnuplot-e3cc539c.patch
@@ -0,0 +1,204 @@ +From e3cc539c23ceb1640395236248f0ab5a26397557 Mon Sep 17 00:00:00 2001 +From: Ethan A Merritt +Date: Mon, 19 Nov 2018 11:35:25 -0800 +Subject: [PATCH] various overflow cases found by fuzzing + +Credits: + Tim Blazytko + Cornelius Aschermann + Sergej Schumilo + Nils Bars + +Bug 2088: term.c(strlen_tex) +Bug 2089: cairo.trm metapost.trm tgif.trm (arbitrarily long font name) +Bug 2092: cgm.trm overwrites trailing '\0' in default font name + also context.trm emf.trm +Bug 2094: also post.trm +Bug 2093: datafile.c expand df_line on input as necessary to hold string data +Bug 2095: eepic.trm (EEPIC_put_text) ignore request to print empty string +--- + src/datafile.c | 11 +++++++---- + src/set.c | 4 ++-- + src/term.c | 2 +- + term/cairo.trm | 2 +- + term/cgm.trm | 9 ++------- + term/context.trm | 4 ++-- + term/eepic.trm | 3 +++ + term/emf.trm | 4 ++-- + term/metapost.trm | 2 +- + term/post.trm | 2 +- + term/tgif.trm | 2 +- + 11 files changed, 23 insertions(+), 22 deletions(-) + +--- src/datafile.c ++++ src/datafile.c 2018-11-28 11:12:55.899231134 +0000 +@@ -5622,10 +5622,13 @@ df_generate_ascii_array_entry() + return NULL; + + entry = &(df_array->udv_value.v.value_array[df_array_index]); +- if (entry->type == STRING) +- sprintf(df_line, "%d \"%s\"", df_array_index, entry->v.string_val); +- else +- sprintf(df_line, "%d %g", df_array_index, real(entry)); ++ if (entry->type == STRING) { ++ while (max_line_len < strlen(entry->v.string_val)) ++ df_line = gp_realloc(df_line, max_line_len *= 2, "datafile line buffer"); ++ snprintf(df_line, max_line_len-1, "%d \"%s\"", df_array_index, entry->v.string_val); ++ } else { ++ snprintf(df_line, max_line_len-1, "%d %g", df_array_index, real(entry)); ++ } + + return df_line; + } +--- src/set.c ++++ src/set.c 2018-11-28 11:12:55.899231134 +0000 +@@ -1163,7 +1163,7 @@ set_clabel() + c_token++; + clabel_onecolor = FALSE; + if ((new_format = try_to_get_string())) { +- strncpy(contour_format, new_format, 
sizeof(contour_format)); ++ safe_strncpy(contour_format, new_format, sizeof(contour_format)); + free(new_format); + } + } +@@ -1319,7 +1319,7 @@ set_cntrlabel() + char *new; + c_token++; + if ((new = try_to_get_string())) +- strncpy(contour_format,new,sizeof(contour_format)); ++ safe_strncpy(contour_format,new,sizeof(contour_format)); + free(new); + } else if (equals(c_token, "font")) { + char *ctmp; +--- src/term.c ++++ src/term.c 2018-11-28 11:12:55.903231061 +0000 +@@ -2956,7 +2956,7 @@ strlen_tex(const char *str) + switch (*s) { + case '[': + while (*s && *s != ']') s++; +- s++; ++ if (*s) s++; + break; + case '\\': + s++; +--- term/cairo.trm ++++ term/cairo.trm 2018-11-28 11:12:55.903231061 +0000 +@@ -295,7 +295,7 @@ TERM_PUBLIC void cairotrm_options() + cairo_params->fontsize = 0; + } else { + sep = strcspn(s,","); +- if (sep > 0) { ++ if (0 < sep && sep < MAX_ID_LEN) { + strncpy(cairo_params->fontname, s, sep); + cairo_params->fontname[sep] = '\0'; + } +--- term/cgm.trm ++++ term/cgm.trm 2018-11-28 11:12:55.903231061 +0000 +@@ -473,7 +473,7 @@ CGM_options() + font_index = 1; + } else + free(s); +- strncpy(cgm_font, cgm_font_data[font_index-1].name, sizeof(cgm_font)); ++ safe_strncpy(cgm_font, cgm_font_data[font_index-1].name, sizeof(cgm_font)); + + } else { + /* the user is specifying the font size */ +@@ -830,12 +830,7 @@ CGM_set_font(const char *font) + + { + char *s = cgm_font_data[font_index-1].name; +- +- len = strlen(s); +- if (len > 31) +- len = 31; +- strncpy(cgm_font, s, len); +- cgm_font[len] = NUL; ++ safe_strncpy(cgm_font, s, sizeof(cgm_font)); + } + + /* set font size */ +--- term/context.trm ++++ term/context.trm 2018-11-28 11:12:55.903231061 +0000 +@@ -593,7 +593,7 @@ CONTEXT_options() + if ((tmp_string = try_to_get_string()) && (tmp_string != NULL)) { + CONTEXT_fontstring_parse(tmp_string, tmp_font, MAX_ID_LEN+1, &tmp_fontsize); + /* copies font name to parameters */ +- strncpy(CONTEXT_params.font, tmp_font, sizeof(CONTEXT_params.font)); ++ 
safe_strncpy(CONTEXT_params.font, tmp_font, sizeof(CONTEXT_params.font)); + tmp_font[MAX_ID_LEN] = NUL; + free(tmp_string); + /* save font size: +@@ -1379,7 +1379,7 @@ CONTEXT_set_font(const char *font) + + /* saves font name & family to CONTEXT_font */ + CONTEXT_fontstring_parse((char *)font, CONTEXT_font, sizeof(CONTEXT_font), &CONTEXT_fontsize_explicit); +- strncpy(CONTEXT_font_explicit, CONTEXT_font, sizeof(CONTEXT_font_explicit)); ++ safe_strncpy(CONTEXT_font_explicit, CONTEXT_font, sizeof(CONTEXT_font_explicit)); + + /* valid fontsize has been provided */ + if (CONTEXT_fontsize_explicit > 0.) { /* XXX: if valid */ +--- term/eepic.trm ++++ term/eepic.trm 2018-11-28 11:12:55.903231061 +0000 +@@ -375,6 +375,9 @@ EEPIC_put_text(unsigned int x, unsigned + { + int i, l; + ++ if (*str == '\0') ++ return; ++ + EEPIC_endline(); + + fprintf(gpoutfile, "\\put(%d,%d)", x, y); +--- term/emf.trm ++++ term/emf.trm 2018-11-28 11:12:55.903231061 +0000 +@@ -790,7 +790,7 @@ EMF_options() + *comma = '\0'; + } + if (*s) +- strncpy(emf_defaultfontname, s, sizeof(emf_defaultfontname)); ++ safe_strncpy(emf_defaultfontname, s, sizeof(emf_defaultfontname)); + free(s); + if (isanumber(c_token)) { + emf_defaultfontsize = int_expression(); +@@ -1865,7 +1865,7 @@ ENHemf_put_text(unsigned int x, unsigned + + /* set up the global variables needed by enhanced_recursion() */ + enhanced_fontscale = 1.0; +- strncpy(enhanced_escape_format,"&#x%2.2x;",sizeof(enhanced_escape_format)); ++ safe_strncpy(enhanced_escape_format,"&#x%2.2x;",sizeof(enhanced_escape_format)); + + ENHemf_opened_string = FALSE; + ENHemf_overprint = 0; +--- term/metapost.trm ++++ term/metapost.trm 2018-11-28 11:12:55.903231061 +0000 +@@ -320,7 +320,7 @@ MP_options() + char *s; + if ((s = try_to_get_string())) { + int sep = strcspn(s,","); +- if (sep > 0) { ++ if (0 < sep && sep < sizeof(MP_fontname)) { + strncpy(MP_fontname, s, sizeof(MP_fontname)); + MP_fontname[sep] = '\0'; + } +--- term/post.trm ++++ term/post.trm 
2018-11-28 11:14:28.889527841 +0000 +@@ -1194,7 +1194,7 @@ PS_options() + term->h_char = (unsigned int)(ps_fontsize*PS_SCF*5/10); + else + term->h_char = (unsigned int)(ps_fontsize*PS_SCF*6/10); +- sprintf(PS_default_font,"%s,%g",ps_params->font,ps_fontsize); ++ snprintf(PS_default_font, sizeof(PS_default_font)-1, "%s, %.2g", ps_params->font, ps_fontsize); + + if (ps_params->terminal == PSTERM_POSTSCRIPT) { + if (ps_params->first_fontfile) { +--- term/tgif.trm ++++ term/tgif.trm 2018-11-28 11:12:55.903231061 +0000 +@@ -369,7 +369,7 @@ TGIF_options() + int sep = strcspn(s,","); + if (s[sep] == ',' && (1 == sscanf(&s[sep+1],"%lf",&fontsize))) + uActFontSize = (int)(fontsize+0.5); +- if (sep > 0) { ++ if (0 < sep && sep < sizeof(sActFont)) { + strncpy(sActFont, s, sizeof(sActFont)); + sActFont[sep] = NUL; + } diff --git a/gnuplot.changes b/gnuplot.changes index 33c2368..680d9da 100644 --- a/gnuplot.changes +++ b/gnuplot.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Nov 28 11:35:10 UTC 2018 - Dr. Werner Fink + +- Add patch gnuplot-e3cc539c.patch from upstream commit e3cc539c + Fix the bugs boo#1117463 (CVE-2018-19492), boo#1117464 (CVE-2018-19491), + and boo#1117465 (CVE-2018-19490) + ------------------------------------------------------------------- Tue Oct 9 07:40:42 UTC 2018 - Dr. Werner Fink diff --git a/gnuplot.spec b/gnuplot.spec index a09508b..ffb33fe 100644 --- a/gnuplot.spec +++ b/gnuplot.spec @@ -103,6 +103,8 @@ Patch4: gnuplot-4.6.0-demo.diff Patch5: gnuplot-wx3.diff Patch6: gnuplot-QtCore-PIC.dif Patch7: gnuplot-gd.patch +# PATCH-FIX-UPSTREAM upstream cimmit for boo#1117463, #1117464, and #1117465 +Patch8: gnuplot-e3cc539c.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)} %if "%_exec_prefix" == "/usr/X11R6" 
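Review bot: The growth loop in df_generate_ascii_array_entry only makes max_line_len exceed strlen(entry->v.string_val), but the snprintf that follows also writes the index, a space, two quotes and the terminator, so a string within roughly 15 bytes of max_line_len is silently truncated and loses its closing quote (snprintf bounds the write, so this is data corruption rather than a memory-safety problem; df_line and max_line_len are declared outside the hunk and presumably the caller re-parses the returned line). Size the buffer for the whole record, e.g. `while (max_line_len < strlen(entry->v.string_val) + 16)`, and drop the `-1` from the snprintf size, since snprintf already reserves room for the terminator. Separately, the post.trm hunk changes the format from `"%s,%g"` to `"%s, %.2g"`: the size bound is what fixes the overflow, while `%.2g` rounds a fractional size such as 12.5 to two significant digits and prints 100 as `1e+02`, which looks like an unintended behaviour change in a security fix. `snprintf(PS_default_font, sizeof(PS_default_font), "%s,%g", ps_params->font, ps_fontsize);` keeps the original output while staying bounded.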
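Review bot: The comment added above `Patch8:` misspells "commit" as "cimmit"; suggest `# PATCH-FIX-UPSTREAM upstream commit e3cc539c for boo#1117463, boo#1117464 and boo#1117465 (CVE-2018-19490, CVE-2018-19491, CVE-2018-19492)` so the CVE identifiers are visible next to the patch as they are in the changelog. The `-p0` used for `%patch8` matches the prefix-less `--- src/datafile.c` headers in the patch, so the apply step itself looks consistent.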
@@ -155,6 +157,7 @@ cp %{_sourcedir}/picins.sty docs %patch5 -p1 -b .w3x %patch6 -p0 -b .pic %patch7 -p1 -b .gd +%patch8 -p0 -b .sec %build autoreconf -fi