diff -pruN 6.0.2+dfsg1-2/debian/changelog 6.0.2+dfsg1-2ubuntu1/debian/changelog --- 6.0.2+dfsg1-2/debian/changelog 2025-06-07 07:39:00.000000000 +0000 +++ 6.0.2+dfsg1-2ubuntu1/debian/changelog 2025-09-02 09:27:10.000000000 +0000 @@ -1,3 +1,31 @@ +gnuplot (6.0.2+dfsg1-2ubuntu1) questing; urgency=medium + + * SECURITY UPDATE: Denial of Service + - debian/patches/CVE-2025-3359.patch: Refactor font name parsing to + prevent off by one error + - debian/patches/CVE-2025-31176.patch: Add extra guard to prevent + invalid read from plot->labels + - debian/patches/CVE-2025-31178.patch: Use snprintf to protect + against garbage user-supplied mouse format + - debian/patches/CVE-2025-31179.patch: Add guard against trying to + format a huge number as a time + - debian/patches/CVE-2025-31180.patch: Handle nonlinear x2 or y2 axis + with an incomplete definition + - debian/patches/CVE-2025-31181.patch: Protect against double fclose() + if two errors occur in a row + - CVE-2025-3359 + - CVE-2025-31176 + - CVE-2025-31178 + - CVE-2025-31179 + - CVE-2025-31180 + - CVE-2025-31181 + * SECURITY UPDATE: Heap Buffer Overflow + - debian/patches/CVE-2025-31177.patch: Add extra guard against y + bound of dumb terminal charcell array + - CVE-2025-31177 + + -- Bruce Cable Tue, 02 Sep 2025 19:27:10 +1000 + gnuplot (6.0.2+dfsg1-2) unstable; urgency=medium * Team upload diff -pruN 6.0.2+dfsg1-2/debian/control 6.0.2+dfsg1-2ubuntu1/debian/control --- 6.0.2+dfsg1-2/debian/control 2025-06-07 07:35:59.000000000 +0000 +++ 6.0.2+dfsg1-2ubuntu1/debian/control 2025-09-02 09:27:10.000000000 +0000 @@ -1,5 +1,6 @@ Source: gnuplot -Maintainer: Debian Science Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Science Team Uploaders: Anton Gladky Section: math Priority: optional diff -pruN 6.0.2+dfsg1-2/debian/patches/CVE-2025-31176.patch 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31176.patch --- 6.0.2+dfsg1-2/debian/patches/CVE-2025-31176.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31176.patch 2025-09-02 09:27:10.000000000 +0000 @@ -0,0 +1,73 @@ +From b456a3ef618f55a20b3071d336cb20514274f1d4 Mon Sep 17 00:00:00 2001 +From: Ethan A Merritt +Date: Tue, 11 Mar 2025 12:31:54 -0700 +Subject: [PATCH] guard against invalid read from plot->labels + +If a plot style uses points and the point chosen has PT_CHARACTER +then the program looks for a possible font in plot->labels->font. +These plot styles contain a flag bit HAS_POINT (gp_types.h). +The program makes sure to initialize plot->labels for these styles. +However a problem arises when a plot style that doesn't use points +nevertheless triggers this same attempted font lookup by using a +linetype that happens to use pointtype PT_CHARACTER. +I think this is only possible with 'splot' but I added parallel +checks for 'plot' as well. + +Bug 2776 +--- + src/boundary.c | 2 +- + src/graph3d.c | 4 ++-- + src/graphics.c | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) + +--- gnuplot-6.0.2+dfsg1.orig/src/boundary.c ++++ gnuplot-6.0.2+dfsg1/src/boundary.c +@@ -1458,7 +1458,7 @@ do_key_sample_point( + (*t->pointsize)(pointsize); + if (on_page(xl + key_point_offset, yl)) { + if (this_plot->lp_properties.p_type == PT_CHARACTER) { +- if (this_plot->labels->textcolor.type != TC_DEFAULT) ++ if (this_plot->labels && this_plot->labels->textcolor.type != TC_DEFAULT) + apply_pm3dcolor(&(this_plot->labels->textcolor)); + (*t->put_text) (xl + key_point_offset, yl, + this_plot->lp_properties.p_char); +--- gnuplot-6.0.2+dfsg1.orig/src/graph3d.c ++++ gnuplot-6.0.2+dfsg1/src/graph3d.c +@@ -2108,7 +2108,7 @@ plot3d_points(struct surface_points *plo + /* Set whatever we can that applies to every point in the loop */ + if (plot->lp_properties.p_type == PT_CHARACTER) { + ignore_enhanced(TRUE); +- if (plot->labels->font && plot->labels->font[0]) ++ if (plot->labels && plot->labels->font && plot->labels->font[0]) + (*t->set_font) (plot->labels->font); + (*t->justify_text) (CENTRE); + } +@@ -2203,7 +2203,7 @@ plot3d_points(struct surface_points *plo + + /* Return to initial state */ + if (plot->lp_properties.p_type == PT_CHARACTER) { +- if (plot->labels->font && plot->labels->font[0]) ++ if (plot->labels && plot->labels->font && plot->labels->font[0]) + (*t->set_font) (""); + ignore_enhanced(FALSE); + } +--- gnuplot-6.0.2+dfsg1.orig/src/graphics.c ++++ gnuplot-6.0.2+dfsg1/src/graphics.c +@@ -2826,7 +2826,7 @@ plot_points(struct curve_points *plot) + /* Set whatever we can that applies to every point in the loop */ + if (plot->lp_properties.p_type == PT_CHARACTER) { + ignore_enhanced(TRUE); +- if (plot->labels->font && plot->labels->font[0]) ++ if (plot->labels && plot->labels->font && plot->labels->font[0]) + (*t->set_font) (plot->labels->font); + (*t->justify_text) (CENTRE); + } +@@ -2958,7 +2958,7 @@ plot_points(struct curve_points *plot) + + /* Return to initial state */ + if (plot->lp_properties.p_type == PT_CHARACTER) { +- if (plot->labels->font && plot->labels->font[0]) ++ if (plot->labels && plot->labels->font && plot->labels->font[0]) + (*t->set_font) (""); + ignore_enhanced(FALSE); + } diff -pruN 6.0.2+dfsg1-2/debian/patches/CVE-2025-31177.patch 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31177.patch --- 6.0.2+dfsg1-2/debian/patches/CVE-2025-31177.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31177.patch 2025-09-02 09:27:10.000000000 +0000 @@ -0,0 +1,33 @@ +From 226809aebb345e74d371bb43a2b434b490be527a Mon Sep 17 00:00:00 2001 +From: Ethan A Merritt +Date: Wed, 15 Jan 2025 11:56:13 -0800 +Subject: [PATCH] dumb: more stringent tests against y bound of dumb terminal + charcell array + +Bug 2756 +--- + term/dumb.trm | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/term/dumb.trm b/term/dumb.trm +index 498e27fc6..fdc94fbf5 100644 +--- a/term/dumb.trm ++++ b/term/dumb.trm +@@ -801,7 +801,7 @@ DUMB_put_text(unsigned int x, unsigned int y, const char *str) + { + int i, length; + +- if (y > dumb_ymax) ++ if (y < 0 || y > dumb_ymax) + return; + + length = gp_strlen(str); +@@ -949,7 +949,7 @@ ENHdumb_FLUSH() + y += i; + + /* print the string fragment, perhaps invisibly */ +- if (ENHdumb_show && y < dumb_ymax) { ++ if (ENHdumb_show && (0 <= y && y < dumb_ymax)) { + for (i = 0; i < len && x < dumb_xmax; i++, x++) { + utf8_copy_one( (char *)(&DUMB_PIXEL(x, y)), gp_strchrn(str,i)); + #ifndef NO_DUMB_COLOR_SUPPORT diff -pruN 6.0.2+dfsg1-2/debian/patches/CVE-2025-31178.patch 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31178.patch --- 6.0.2+dfsg1-2/debian/patches/CVE-2025-31178.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31178.patch 2025-09-02 09:27:10.000000000 +0000 @@ -0,0 +1,85 @@ +From b78cc829a18e9436daaa859c96f3970157f3171e Mon Sep 17 00:00:00 2001 +From: Ethan A Merritt +Date: Tue, 14 Jan 2025 21:23:19 -0800 +Subject: [PATCH] use snprintf to protect against garbage user-supplied mouse + format + +Bug 2754 +--- + src/mouse.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- gnuplot-6.0.2+dfsg1.orig/src/mouse.c ++++ gnuplot-6.0.2+dfsg1/src/mouse.c +@@ -265,7 +265,7 @@ static void alert(void); + static void MousePosToGraphPosReal(int xx, int yy, double *x, double *y, double *x2, double *y2); + static char *xy_format(void); + static char *zoombox_format(void); +-static char *GetAnnotateString(char *s, double x, double y, int mode, char *fmt); ++static char *GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt); + static char *xDateTimeFormat(double x, char *b, int mode); + static void GetRulerString(char *p, double x, double y); + static void apply_zoom(struct t_zoom * z); +@@ -517,7 +517,7 @@ zoombox_format() + /* formats the information for an annotation (middle mouse button clicked) + */ + static char * +-GetAnnotateString(char *s, double x, double y, int mode, char *fmt) ++GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt) + { + if (axis_array[FIRST_X_AXIS].datatype == DT_DMS + || axis_array[FIRST_Y_AXIS].datatype == DT_DMS) { +@@ -572,11 +572,11 @@ GetAnnotateString(char *s, double x, dou + r = rmin + x/cos(phi); + + if (fmt) +- sprintf(s, fmt, theta, r); ++ snprintf(s, len, fmt, theta, r); + else + sprintf(s, "theta: %.1f%s r: %g", theta, degree_sign, r); + } else if ((mode == MOUSE_COORDINATES_ALT) && fmt) { +- sprintf(s, fmt, x, y); /* user defined format */ ++ snprintf(s, len, fmt, x, y); /* user defined format */ + } else if (mode == MOUSE_COORDINATES_FUNCTION) { + /* EXPERIMENTAL !!! */ + t_value original_x, original_y; +@@ -599,7 +599,7 @@ GetAnnotateString(char *s, double x, dou + gpfree_string(&readout); + } else { + /* Default format ("set mouse mouseformat" is not active) */ +- sprintf(s, xy_format(), x, y); /* usual x,y values */ ++ snprintf(s, len, xy_format(), x, y); /* usual x,y values */ + } + return s + strlen(s); + } +@@ -991,10 +991,10 @@ UpdateStatuslineWithMouseSetting(mouse_s + strcat(format, ms->fmt); + strcat(format, ", "); + strcat(format, ms->fmt); +- sprintf(s0, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale); ++ snprintf(s0, 255, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale); + } else if (!TICS_ON(axis_array[SECOND_X_AXIS].ticmode) && !TICS_ON(axis_array[SECOND_Y_AXIS].ticmode)) { + /* only first X and Y axis are in use */ +- sp = GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string); ++ sp = GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string); + if (ruler.on) + GetRulerString(sp, real_x, real_y); + } else { +@@ -2252,7 +2252,7 @@ event_buttonrelease(struct gp_event_t *g + * only place, if the user didn't drag (rotate) the plot */ + + if (!is_3d_plot || !motion) { +- GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string); ++ GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string); + term->set_clipboard(s0); + if (display_ipc_commands()) { + fprintf(stderr, "put `%s' to clipboard.\n", s0); +@@ -2268,7 +2268,7 @@ event_buttonrelease(struct gp_event_t *g + /* draw temporary annotation or label. For 3d plots this is + * only done if the user didn't drag (scale) the plot */ + if (!is_3d_plot || !motion) { +- GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string); ++ GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string); + if (mouse_setting.label) { + if (modifier_mask & Mod_Ctrl) { + remove_label(mouse_x, mouse_y); diff -pruN 6.0.2+dfsg1-2/debian/patches/CVE-2025-31179.patch 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31179.patch --- 6.0.2+dfsg1-2/debian/patches/CVE-2025-31179.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31179.patch 2025-09-02 09:27:10.000000000 +0000 @@ -0,0 +1,27 @@ +From ed647df512786b3c94429dd5c864715301e03ea5 Mon Sep 17 00:00:00 2001 +From: Ethan A Merritt +Date: Tue, 11 Mar 2025 16:31:23 -0700 +Subject: [PATCH] guard against trying to format a huge number as a time + +The time formatting code does not handle time_in_seconds > 1.e12 +(sometime in the year 33658). + +Bug 2779 +--- + src/mouse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- gnuplot-6.0.2+dfsg1.orig/src/mouse.c ++++ gnuplot-6.0.2+dfsg1/src/mouse.c +@@ -612,6 +612,11 @@ static char * + xDateTimeFormat(double x, char *b, int mode) + { + struct tm tm; ++ if (fabs(x) > 1.e12) { /* Some time in the year 33688 */ ++ int_warn(NO_CARET, "time value out of range"); ++ *b = '\0'; ++ return b; ++ } + + switch (mode) { + case MOUSE_COORDINATES_XDATE: diff -pruN 6.0.2+dfsg1-2/debian/patches/CVE-2025-31180.patch 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31180.patch --- 6.0.2+dfsg1-2/debian/patches/CVE-2025-31180.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31180.patch 2025-09-02 09:27:10.000000000 +0000 @@ -0,0 +1,36 @@ +From b2343fd02c4fff94957f0151b73daa0a1f7fec49 Mon Sep 17 00:00:00 2001 +From: Ethan A Merritt +Date: Tue, 14 Jan 2025 21:54:14 -0800 +Subject: [PATCH] canvas: handle nonlinear x2 or y2 axis with an incomplete + definition + +Actually "handle" means "ignore". +But now it doesn't segfault trying to probe a non-existant link function. + +Bug 2755 +--- + term/canvas.trm | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/term/canvas.trm b/term/canvas.trm +index a919b09bd..bfe567832 100644 +--- a/term/canvas.trm ++++ b/term/canvas.trm +@@ -646,7 +646,7 @@ CANVAS_text() + } else + fprintf(gpoutfile, "gnuplot.plot_axis_x2min = \"none\"\n"); + if (axis_array[SECOND_X_AXIS].linked_to_primary +- && axis_array[FIRST_X_AXIS].link_udf->at) { ++ && axis_array[FIRST_X_AXIS].link_udf && axis_array[FIRST_X_AXIS].link_udf->at) { + fprintf(gpoutfile, "gnuplot.x2_mapping = function(x) { return x; };"); + fprintf(gpoutfile, " // replace returned value with %s\n", + axis_array[FIRST_X_AXIS].link_udf->definition); +@@ -657,7 +657,7 @@ CANVAS_text() + } else + fprintf(gpoutfile, "gnuplot.plot_axis_y2min = \"none\"\n"); + if (axis_array[SECOND_Y_AXIS].linked_to_primary +- && axis_array[FIRST_Y_AXIS].link_udf->at) { ++ && axis_array[FIRST_Y_AXIS].link_udf && axis_array[FIRST_Y_AXIS].link_udf->at) { + fprintf(gpoutfile, "gnuplot.y2_mapping = function(y) { return y; };"); + fprintf(gpoutfile, " // replace returned value with %s\n", + axis_array[FIRST_Y_AXIS].link_udf->definition); diff -pruN 6.0.2+dfsg1-2/debian/patches/CVE-2025-31181.patch 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31181.patch --- 6.0.2+dfsg1-2/debian/patches/CVE-2025-31181.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-31181.patch 2025-09-02 09:27:10.000000000 +0000 @@ -0,0 +1,34 @@ +From af96c2c1b20383684b1ec2084dab7936f7053031 Mon Sep 17 00:00:00 2001 +From: Ethan A Merritt +Date: Tue, 14 Jan 2025 20:56:37 -0800 +Subject: [PATCH] x11: protect against double fclose() if two errors in a row + +Bug 2753 +--- + term/x11.trm | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- gnuplot-6.0.2+dfsg1.orig/term/x11.trm ++++ gnuplot-6.0.2+dfsg1/term/x11.trm +@@ -859,8 +859,9 @@ X11_atexit() + /* dont wait(), since they might be -persist */ + X11_ipc = NULL; + #ifdef PIPE_IPC +- close(ipc_back_fd); +- ipc_back_fd = -1; ++ if (ipc_back_fd >= 0) ++ close(ipc_back_fd); ++ ipc_back_fd = IPC_BACK_CLOSED; + #endif + } + } +@@ -1426,7 +1427,8 @@ X11_graphics() + #ifdef PIPE_IPC + /* if we know the outboard driver has stopped, restart it */ + if (ipc_back_fd == IPC_BACK_CLOSED) { +- fclose(X11_ipc); ++ if (X11_ipc > 0) ++ fclose(X11_ipc); + X11_ipc = NULL; + X11_init(); + } diff -pruN 6.0.2+dfsg1-2/debian/patches/CVE-2025-3359.patch 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-3359.patch --- 6.0.2+dfsg1-2/debian/patches/CVE-2025-3359.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.2+dfsg1-2ubuntu1/debian/patches/CVE-2025-3359.patch 2025-09-02 09:27:10.000000000 +0000 @@ -0,0 +1,56 @@ +From a5897feadc4be73b0ffd8458556c47117bd24d03 Mon Sep 17 00:00:00 2001 +From: Ethan A Merritt +Date: Tue, 25 Mar 2025 22:51:54 -0700 +Subject: [PATCH] hpgl: font name parsing overruns the string by one char + +if no comma is present in the font name. +E.g. + set term pcl + set title "Title" font "sans" # no comma in font name + plot x + +Bug 2781 +--- + term/hpgl.trm | 26 ++++++++++---------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +--- gnuplot-6.0.2+dfsg1.orig/term/hpgl.trm ++++ gnuplot-6.0.2+dfsg1/term/hpgl.trm +@@ -1653,27 +1653,22 @@ TERM_PUBLIC int + HPGL2_set_font(const char *font) + { + char name[MAX_ID_LEN + 1]; +- int sep; +- int int_size; +- double size; ++ char *sep; ++ double size = HPGL2_point_size; + + if (font == NULL) + font = ""; + +- sep = strcspn(font, ","); + strncpy(name, font, sizeof(name)-1); + +- if (sep < sizeof(name)) +- name[sep] = NUL; +- +-/* determine font size, use default from options if invalid */ +- int_size = 0; +- /* FIXME: use strtod instead */ +- sscanf(&(font[sep + 1]), "%d", &int_size); +- if (int_size > 0) +- size = int_size; +- else +- size = HPGL2_point_size; ++ /* determine font size, use default from options if invalid */ ++ sep = strchr(font, ','); ++ if (sep) { ++ double req_size = strtod(sep+1, NULL); ++ if (req_size > 0) ++ size = req_size; ++ *sep = '\0'; ++ } + + return HPGL2_set_font_size(name, size); + } diff -pruN 6.0.2+dfsg1-2/debian/patches/series 6.0.2+dfsg1-2ubuntu1/debian/patches/series --- 6.0.2+dfsg1-2/debian/patches/series 2025-06-07 07:24:50.000000000 +0000 +++ 6.0.2+dfsg1-2ubuntu1/debian/patches/series 2025-09-02 09:27:10.000000000 +0000 @@ -9,3 +9,10 @@ 30_use_xelatex.patch 40_fix-doc2tex-oob-read.patch 50_no-webp_figures-in-documentation.patch +CVE-2025-3359.patch +CVE-2025-31176.patch +CVE-2025-31177.patch +CVE-2025-31178.patch +CVE-2025-31179.patch +CVE-2025-31180.patch +CVE-2025-31181.patch