[meta-oe,scarthgap,1/7] gnuplot: fix CVE-2025-3359

Message ID 20250902074432.1068537-1-peng.zhang1.cn@windriver.com
State New

Commit Message

Peng Zhang Sept. 2, 2025, 7:44 a.m. UTC
From: Zhang Peng <peng.zhang1.cn@windriver.com>

CVE-2025-3359:
A flaw was found in GNUPlot. A segmentation fault via IO_str_init_static_internal
may jeopardize the environment.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-3359]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/a5897feadc4be73b0ffd8458556c47117bd24d03/]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
 .../gnuplot/gnuplot/CVE-2025-3359.patch       | 67 +++++++++++++++++++
 .../recipes-extended/gnuplot/gnuplot_5.4.3.bb |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch

Patch

diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch
new file mode 100644
index 0000000000..d2de00ec6d
--- /dev/null
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch
@@ -0,0 +1,67 @@ 
+From 997b4ee68275664b94e0c881ace5121d79c0c29c Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 25 Mar 2025 22:51:54 -0700
+Subject: [PATCH] hpgl: font name parsing overruns the string by one char
+
+if no comma is present in the font name.
+E.g.
+   set term pcl
+   set title "Title" font "sans"    # no comma in font name
+   plot x
+
+Bug 2781
+
+CVE: CVE-2025-3359
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/a5897feadc4be73b0ffd8458556c47117bd24d03/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ term/hpgl.trm | 28 +++++++++++-----------------
+ 1 file changed, 11 insertions(+), 17 deletions(-)
+
+diff --git a/term/hpgl.trm b/term/hpgl.trm
+index 04088977d..fdb4c7083 100644
+--- a/term/hpgl.trm
++++ b/term/hpgl.trm
+@@ -1650,28 +1650,22 @@ TERM_PUBLIC int
+ HPGL2_set_font(const char *font)
+ {
+     char name[MAX_ID_LEN + 1];
+-    int sep;
+-    int int_size;
+-    double size;
++    char *sep;
++    double size = HPGL2_point_size;
+ 
+     if (font == NULL)
+ 	font = "";
+ 
+-    sep = strcspn(font, ",");
+-    strncpy(name, font, sizeof(name));
+-
+-    if (sep < sizeof(name))
+-	name[sep] = NUL;
+-
+-/* determine font size, use default from options if invalid */
+-    int_size = 0;
+-    /* FIXME: use strtod instead */
+-    sscanf(&(font[sep + 1]), "%d", &int_size);
+-    if (int_size > 0)
+-	size = int_size;
+-    else
+-	size = HPGL2_point_size;
++    safe_strncpy(name, font, sizeof(name));
+ 
++    /* determine font size, use default from options if invalid */
++    sep = strchr(font, ',');
++    if (sep) {
++	double req_size = strtod(sep+1, NULL);
++	if (req_size > 0)
++	    size = req_size;
++	*sep = '\0';
++    }
+     return HPGL2_set_font_size(name, size);
+ }
+ 
+-- 
+2.43.0
+
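Review bot: In the added `if (sep)` block of `HPGL2_set_font()`, `sep` comes from `strchr(font, ',')`, so `*sep = '\0'` stores through the `const char *font` argument instead of truncating the local `name` copy. As written, `name` still carries the `,size` suffix when it is passed to `HPGL2_set_font_size(name, size)`, and the caller's string is modified, which is undefined behaviour if that string lives in read-only storage. Consider searching the copy instead, `sep = strchr(name, ',');` placed after the `safe_strncpy()` call, and check the backport against the upstream commit named in `Upstream-Status`. The one-character overrun from the commit subject is handled: `strtod(sep+1, NULL)` now runs only when a comma was found, where the removed code read `font[sep + 1]` unconditionally.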
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
index fe5e5c067d..eff2ccc98c 100644
--- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
@@ -15,6 +15,7 @@  SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
            http://www.mneuroth.de/privat/zaurus/qtplot-0.2.tar.gz;name=qtplot \
            file://gnuplot.desktop \
            file://gnuplot.png \
+           file://CVE-2025-3359.patch \
            "
 SRC_URI:append:class-target = " \
     file://0002-do-not-build-demos.patch \