gnuplot: fix CVE-2025-31178

CVE-2025-31178:
A flaw was found in gnuplot. The GetAnnotateString() function may lead to a
segmentation fault and cause a system crash.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31178]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b78cc829a18e9436daaa859c96f3970157f3171e/]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch

@@ -0,0 +1,95 @@
+From c625576a4e086f8e3ad6f23559052494465722c6 Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 14 Jan 2025 21:23:19 -0800
+Subject: [PATCH] use snprintf to protect against garbage user-supplied mouse
+ format
+
+Bug 2754
+
+CVE: CVE-2025-31178
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b78cc829a18e9436daaa859c96f3970157f3171e/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/mouse.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/src/mouse.c b/src/mouse.c
+index ef8f14d71..1571144ce 100644
+--- a/src/mouse.c
++++ b/src/mouse.c
+@@ -168,7 +168,7 @@ static void alert(void);
+ static void MousePosToGraphPosReal(int xx, int yy, double *x, double *y, double *x2, double *y2);
+ static char *xy_format(void);
+ static char *zoombox_format(void);
+-static char *GetAnnotateString(char *s, double x, double y, int mode, char *fmt);
++static char *GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt);
+ static char *xDateTimeFormat(double x, char *b, int mode);
+ static void GetRulerString(char *p, double x, double y);
+ static void apply_zoom(struct t_zoom * z);
+@@ -418,7 +418,7 @@ zoombox_format()
+ /* formats the information for an annotation (middle mouse button clicked)
+  */
+ static char *
+-GetAnnotateString(char *s, double x, double y, int mode, char *fmt)
++GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt)
+ {
+     if (axis_array[FIRST_X_AXIS].datatype == DT_DMS
+     ||  axis_array[FIRST_Y_AXIS].datatype == DT_DMS) {
+@@ -473,11 +473,11 @@ GetAnnotateString(char *s, double x, double y, int mode, char *fmt)
+ 	    r = rmin + x/cos(phi);
+ 
+ 	if (fmt)
+-	    sprintf(s, fmt, theta, r);
++	    snprintf(s, len, fmt, theta, r);
+ 	else
+ 	    sprintf(s, "theta: %.1f%s  r: %g", theta, degree_sign, r);
+     } else if ((mode == MOUSE_COORDINATES_ALT) && fmt) {
+-	sprintf(s, fmt, x, y);	/* user defined format */
++	snprintf(s, len, fmt, x, y);	/* user defined format */
+     } else if (mode == MOUSE_COORDINATES_FUNCTION) {
+ 	/* EXPERIMENTAL !!! */
+ 	t_value original_x, original_y;
+@@ -500,7 +500,7 @@ GetAnnotateString(char *s, double x, double y, int mode, char *fmt)
+ 	gpfree_string(&readout);
+     } else {
+ 	/* Default format ("set mouse mouseformat" is not active) */
+-	sprintf(s, xy_format(), x, y);	/* usual x,y values */
++	snprintf(s, len, xy_format(), x, y);	/* usual x,y values */
+     }
+     return s + strlen(s);
+ }
+@@ -886,10 +886,10 @@ UpdateStatuslineWithMouseSetting(mouse_setting_t * ms)
+ 	strcat(format, ms->fmt);
+ 	strcat(format, ", ");
+ 	strcat(format, ms->fmt);
+-	sprintf(s0, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale);
++	snprintf(s0, 255, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale);
+     } else if (!TICS_ON(axis_array[SECOND_X_AXIS].ticmode) && !TICS_ON(axis_array[SECOND_Y_AXIS].ticmode)) {
+ 	/* only first X and Y axis are in use */
+-	sp = GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string);
++	sp = GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string);
+ 	if (ruler.on)
+ 	    GetRulerString(sp, real_x, real_y);
+     } else {
+@@ -2116,7 +2116,7 @@ event_buttonrelease(struct gp_event_t *ge)
+ 	     * only place, if the user didn't drag (rotate) the plot */
+ 
+ 	    if (!is_3d_plot || !motion) {
+-		GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string);
++		GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string);
+ 		term->set_clipboard(s0);
+ 		if (display_ipc_commands()) {
+ 		    fprintf(stderr, "put `%s' to clipboard.\n", s0);
+@@ -2129,8 +2129,7 @@ event_buttonrelease(struct gp_event_t *ge)
+ 	     * only done if the user didn't drag (scale) the plot */
+ 
+ 	    if (!is_3d_plot || !motion) {
+-
+-		GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string);
++		GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string);
+ 		if (mouse_setting.label) {
+ 		    if (modifier_mask & Mod_Ctrl) {
+ 			remove_label(mouse_x, mouse_y);
+-- 
+2.43.0
+

meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb

@@ -18,6 +18,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
            file://CVE-2025-3359.patch \
            file://CVE-2025-31176.patch \
            file://CVE-2025-31177.patch \
+           file://CVE-2025-31178.patch \
            "
 SRC_URI:append:class-target = " \
     file://0002-do-not-build-demos.patch \