gnuplot: fix CVE-2025-3359

CVE-2025-3359: A flaw was found in GNUPlot. A segmentation fault via IO_str_init_static_internal may jeopardize the environment. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2025-3359] Upstream patches: [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/a5897feadc4be73b0ffd8458556c47117bd24d03/] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2026-06-14 05:49:57 +00:00 · 2025-09-02 15:44:26 +08:00
parent a8fdc03123
commit 9d3537ef42
2 changed files with 68 additions and 0 deletions
@@ -0,0 +1,67 @@
+From 997b4ee68275664b94e0c881ace5121d79c0c29c Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 25 Mar 2025 22:51:54 -0700
+Subject: [PATCH] hpgl: font name parsing overruns the string by one char
+
+if no comma is present in the font name.
+E.g.
+   set term pcl
+   set title "Title" font "sans"    # no comma in font name
+   plot x
+
+Bug 2781
+
+CVE: CVE-2025-3359
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/a5897feadc4be73b0ffd8458556c47117bd24d03/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ term/hpgl.trm | 28 +++++++++++-----------------
+ 1 file changed, 11 insertions(+), 17 deletions(-)
+
+diff --git a/term/hpgl.trm b/term/hpgl.trm
+index 04088977d..fdb4c7083 100644
+--- a/term/hpgl.trm
+++ b/term/hpgl.trm
+@@ -1650,28 +1650,22 @@ TERM_PUBLIC int
+ HPGL2_set_font(const char *font)
+ {
+     char name[MAX_ID_LEN + 1];
+-    int sep;
+-    int int_size;
+-    double size;
+    char *sep;
+    double size = HPGL2_point_size;
+ 
+     if (font == NULL)
+ 	font = "";
+ 
+-    sep = strcspn(font, ",");
+-    strncpy(name, font, sizeof(name));
+-
+-    if (sep < sizeof(name))
+-	name[sep] = NUL;
+-
+-/* determine font size, use default from options if invalid */
+-    int_size = 0;
+-    /* FIXME: use strtod instead */
+-    sscanf(&(font[sep + 1]), "%d", &int_size);
+-    if (int_size > 0)
+-	size = int_size;
+-    else
+-	size = HPGL2_point_size;
+    safe_strncpy(name, font, sizeof(name));
+ 
+    /* determine font size, use default from options if invalid */
+    sep = strchr(font, ',');
+    if (sep) {
+	double req_size = strtod(sep+1, NULL);
+	if (req_size > 0)
+	    size = req_size;
+	*sep = '\0';
+    }
+     return HPGL2_set_font_size(name, size);
+ }
+ 
+-- 
+2.43.0
+
@@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
           http://www.mneuroth.de/privat/zaurus/qtplot-0.2.tar.gz;name=qtplot \
           file://gnuplot.desktop \
           file://gnuplot.png \
+           file://CVE-2025-3359.patch \
           "
 SRC_URI:append:class-target = " \
    file://0002-do-not-build-demos.patch \