--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: security upstream patch
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package gnuplot
it fixes CVE-2017-9670. The fix is trivial. Patch is attached.
unblock gnuplot/5.0.5+dfsg1-7
The diff is attached.
Thanks
Anton
diff --git a/debian/changelog b/debian/changelog
index 3705f0e..a27d6a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+gnuplot (5.0.5+dfsg1-7) unstable; urgency=high
+
+ * [02931b6] Fix memory corruption vulnerability. CVE-2017-9670.
+ (Closes: #864901)
+
+ -- Anton Gladky <gladk@debian.org> Fri, 16 Jun 2017 22:35:29 +0200
+
gnuplot (5.0.5+dfsg1-6) unstable; urgency=medium
* Team upload.
diff --git a/debian/patches/20_CVE-2017-9670.patch b/debian/patches/20_CVE-2017-9670.patch
new file mode 100644
index 0000000..482ea7e
--- /dev/null
+++ b/debian/patches/20_CVE-2017-9670.patch
@@ -0,0 +1,18 @@
+Description: Fix memory corruption vulnerability. CVE-2017-9670
+Author: Ethan Merritt
+Bug-Debian: https://bugs.debian.org/864901
+Origin: https://sourceforge.net/p/gnuplot/bugs/_discuss/thread/44ec637c/af0f/attachment/uninitialized_variables_%28Bug1933%29.patch
+Bug: https://sourceforge.net/p/gnuplot/bugs/1933/
+Reviewed-By: Anton Gladky <gladk@debian.org>
+Last-Update: 2017-06-16
+
+--- gnuplot-5.0.5+dfsg1.orig/src/set.c
++++ gnuplot-5.0.5+dfsg1/src/set.c
+@@ -5926,6 +5926,7 @@ load_tic_series(AXIS_INDEX axis)
+
+ if (!equals(c_token, ",")) {
+ /* only step specified */
++ incr_token = c_token;
+ incr = start;
+ start = -VERYLARGE;
+ end = VERYLARGE;
diff --git a/debian/patches/series b/debian/patches/series
index 94e0bfa..3c19808 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@
11_fix_linkage_wx.patch
13_honour_SOURCE_DATE_EPOCH.patch
14_strip_username_from_output.patch
+20_CVE-2017-9670.patch
--- End Message ---
--- Begin Message ---
Control: tag -1 wontfix
On 2017-06-16 21:47, Anton Gladky wrote:
Package: release.debian.org
Severity: normal
Tags: security upstream patch
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package gnuplot
it fixes CVE-2017-9670. The fix is trivial. Patch is attached.
unblock gnuplot/5.0.5+dfsg1-7
The diff is attached.
Thanks
Anton
Well, with a release in ~12 hours I don't think this is going to work
too well. Even if the upload were in unstable, which it isn't.
If it's critical, please go through security. If it's not, please go
through the normal stable update procedure after this weekend.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<broonie> SaaS == Saunas as a Service
<liw> broonie, more like Sauna as additional Storage
--- End Message ---