Accepting request 838238 from Publishing

- Add temporary upstream commits as patches * 052cbd17.patch * 1f36c4fb.patch * 963c7df3.patch * a31c3b70.patch to fix the bugs bsc#1176689 with CVE-2020-25559 and bsc#1176687 with CVE-2020-25412 OBS-URL: https://build.opensuse.org/request/show/838238 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnuplot?expand=0&rev=78
2020-10-03 16:52:21 +00:00 · 2020-10-03 16:52:21 +00:00 · 8bdf08fd2c
commit 8bdf08fd2c
parent 8fc9a7c013 12690bd26d
6 changed files with 143 additions and 1 deletions
--- a/052cbd17.patch
+++ b/052cbd17.patch
@ -0,0 +1,25 @@
+From 052cbd17c3cbbc602ee080b2617d32a8417d7563 Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Wed, 9 Sep 2020 11:00:59 -0700
+Subject: [PATCH] successive failures of "set print <foo>" could cause
+ double-free Bug #2312
+
+---
+ src/command.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git src/command.c src/command.c
+index c6a923b5a..9701de995 100644
+--- src/command.c
+++ src/command.c
+@@ -1914,6 +1914,7 @@ print_set_output(char *name, TBOOLEAN datablock, TBOOLEAN append_p)
+ #endif
+ 	    if (0 > fclose(print_out))
+ 		perror(print_out_name);
+	print_out = stderr;
+     }
+ 
+     free(print_out_name);
+-- 
+2.26.2
+
--- a/1f36c4fb.patch
+++ b/1f36c4fb.patch
@ -0,0 +1,42 @@
+From 1f36c4fbb3e8e0beb213b4a29ab463e43db9ef42 Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Fri, 11 Sep 2020 17:38:55 -0700
+Subject: [PATCH] prevent buffer overflow of enhanced text fragment
+
+The generic enhanced text buffering uses a shared buffer with fixed length.
+Add a check on the current position before adding each character in an
+enhanced text fragment.  Affects terminals
+  caca canvas dumb emf gd pc pdf pm tkcanvas x11 win
+Does not affect terminals with customized text handling
+  qt wxt cairo
+
+Bugs #2310 #2311
+---
+ src/term.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git src/term.c src/term.c
+index 7fd46fa04..70a2a7f25 100644
+--- src/term.c
+++ src/term.c
+@@ -185,6 +185,7 @@ char *enhanced_cur_text = NULL;
+ double enhanced_fontscale = 1.0;
+ char enhanced_escape_format[16] = "";
+ double enhanced_max_height = 0.0, enhanced_min_height = 0.0;
+#define ENHANCED_TEXT_MAX (&enhanced_text[MAX_LINE_LEN])
+ /* flag variable to disable enhanced output of filenames, mainly. */
+ TBOOLEAN ignore_enhanced_text = FALSE;
+ 
+@@ -2021,6 +2022,9 @@ test_term()
+ void
+ do_enh_writec(int c)
+ {
+    /* Guard against buffer overflow */
+    if (enhanced_cur_text >= ENHANCED_TEXT_MAX)
+	return;
+     /* note: c is meant to hold a char, but is actually an int, for
+      * the same reasons applying to putc() and friends */
+     *enhanced_cur_text++ = c;
+-- 
+2.26.2
+
--- a/963c7df3.patch
+++ b/963c7df3.patch
@ -0,0 +1,28 @@
+From 963c7df3e0c5266efff260d0dff757dfe03d3632 Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 1 Sep 2020 17:57:37 -0700
+Subject: [PATCH] Better error handling for faulty font syntax
+
+A missing close-quote in an enhanced text font specification could
+cause a segfault.
+Bug #2303
+---
+ src/term.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git src/term.c src/term.c
+index fb99a9a6f..7fd46fa04 100644
+--- src/term.c
+++ src/term.c
+@@ -2175,7 +2175,7 @@ enhanced_recursion(
+ 			    ++p;
+ 			if (*p != *start_of_fontname) {
+ 			    int_warn(NO_CARET, "cannot interpret font name %s", start_of_fontname);
+-			    p = start_of_fontname;
+			    p = start_of_fontname + 1;
+ 			}
+ 			start_of_fontname++;
+ 			end_of_fontname = p++;
+-- 
+2.26.2
+
--- a/a31c3b70.patch
+++ b/a31c3b70.patch
@ -0,0 +1,29 @@
+From a31c3b70d8d4f887f906afe35accbc9a59ebcd37 Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Sat, 12 Sep 2020 10:18:10 -0700
+Subject: [PATCH] Better error handling for faulty font syntax
+
+Commit 963c7df3 failed to deal with an error detected at the final character
+of a text string.
+
+Bugs #2303 #2308
+---
+ src/term.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git src/term.c src/term.c
+index 70a2a7f25..b9237784d 100644
+--- src/term.c
+++ src/term.c
+@@ -2179,7 +2179,7 @@ enhanced_recursion(
+ 			    ++p;
+ 			if (*p != *start_of_fontname) {
+ 			    int_warn(NO_CARET, "cannot interpret font name %s", start_of_fontname);
+-			    p = start_of_fontname + 1;
+			    break;
+ 			}
+ 			start_of_fontname++;
+ 			end_of_fontname = p++;
+-- 
+2.26.2
+
--- a/gnuplot.changes
+++ b/gnuplot.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Sep 28 10:14:01 UTC 2020 - Dr. Werner Fink <werner@suse.de>
+
+- Add temporary upstream commits as patches
+  * 052cbd17.patch
+  * 1f36c4fb.patch
+  * 963c7df3.patch
+  * a31c3b70.patch
+  to fix the bugs bsc#1176689 with CVE-2020-25559 and bsc#1176687
+  with CVE-2020-25412
+
 -------------------------------------------------------------------
 Fri Jul 17 07:36:14 UTC 2020 - Dr. Werner Fink <werner@suse.de>

--- a/gnuplot.spec
+++ b/gnuplot.spec
@ -103,6 +103,10 @@ Patch4:         gnuplot-4.6.0-demo.diff
 Patch5:         gnuplot-wx3.diff
 Patch6:         gnuplot-QtCore-PIC.dif
 Patch7:         gnuplot-gd.patch
+Patch10:        963c7df3.patch
+Patch11:        052cbd17.patch
+Patch12:        1f36c4fb.patch
+Patch13:        a31c3b70.patch
 %define _x11lib     %{_libdir}
 %define _x11data    %{_datadir}/X11
 %define _libx11     %{_exec_prefix}/lib/X11
@ -137,7 +141,10 @@ cp %{_sourcedir}/picins.sty docs
 %patch5 -p1 -b .w3x
 %patch6 -p0 -b .pic
 %patch7 -p1 -b .gd
-
+%patch10
+%patch11
+%patch12
+%patch13
 %build
 autoreconf -fi