
Bug#865214: stretch-pu: package gnuplot/5.0.5+dfsg1-6+deb9u1



Hi Cyril,

thank you for the extended answer and useful information! Please find
attached a patch with the fixed changelog version number.

Best regards

Anton

On 06/25/2017 11:09 PM, Cyril Brulebois wrote:
> Hi,
> 
> Anton Gladky <gladk@debian.org> (2017-06-19):
>> Package: release.debian.org
>> Severity: normal
>> Tags: stretch
>> User: release.debian.org@packages.debian.org
>> Usertags: pu
>>
>> Dear release team,
>>
>> the following gnuplot version fixes CVE-2017-9670. Please let me
>> know whether it can be uploaded to proposed-updates.
> 
> Looking at the security tracker, it looks like it was decided this was
> going to be a no-dsa fix, but feel free to mention this upfront in your
> next pu requests. :)
> 
> Anyway, looking at the diff: the version number isn't appropriate, as
> stretch has 5.0.5+dfsg1-6, you should be uploading 5.0.5+dfsg1-6+deb9u1.
> Alternatively, if you were going to backport 5.0.5+dfsg1-7 from testing,
> you could use 5.0.5+dfsg1-7~deb9u1, but then this should be on top of
> the 5.0.5+dfsg1-7 changelog entry.
> 
> Either way, please provide an updated debdiff with a proper version (for
> a simple patch like this, I think the first solution would have a slight
> preference on my side → 5.0.5+dfsg1-6+deb9u1).
> 
> Thanks already.
> 
> 
> KiBi.
> 

diff -Nru gnuplot-5.0.5+dfsg1/debian/changelog gnuplot-5.0.5+dfsg1/debian/changelog
--- gnuplot-5.0.5+dfsg1/debian/changelog	2017-04-03 22:58:59.000000000 +0200
+++ gnuplot-5.0.5+dfsg1/debian/changelog	2017-06-16 22:35:29.000000000 +0200
@@ -1,3 +1,10 @@
+gnuplot (5.0.5+dfsg1-6+deb9u1) stretch; urgency=high
+
+  * [02931b6] Fix memory corruption vulnerability. CVE-2017-9670.
+              (Closes: #864901)
+
+ -- Anton Gladky <gladk@debian.org>  Fri, 16 Jun 2017 22:35:29 +0200
+
 gnuplot (5.0.5+dfsg1-6) unstable; urgency=medium
 
   * Team upload.
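Review bot: the new entry's version 5.0.5+dfsg1-6+deb9u1 for distribution stretch is the form the release team asked for on top of stretch's 5.0.5+dfsg1-6, so the versioning point is addressed. One documentation point: the entry only says "Fix memory corruption vulnerability. CVE-2017-9670." and cites upstream commit 02931b6; stating what the fix actually does (initialize incr_token in load_tic_series() when only a step is given) would let readers of the changelog understand the change without opening debian/patches/20_CVE-2017-9670.patch, which is that single line.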
diff -Nru gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch
--- gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch	2017-06-16 22:35:29.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix memory corruption vulnerability. CVE-2017-9670
+Author: Ethan Merritt
+Bug-Debian: https://bugs.debian.org/864901
+Origin: https://sourceforge.net/p/gnuplot/bugs/_discuss/thread/44ec637c/af0f/attachment/uninitialized_variables_%28Bug1933%29.patch
+Bug: https://sourceforge.net/p/gnuplot/bugs/1933/
+Reviewed-By: Anton Gladky <gladk@debian.org>
+Last-Update: 2017-06-16
+
+--- gnuplot-5.0.5+dfsg1.orig/src/set.c
++++ gnuplot-5.0.5+dfsg1/src/set.c
+@@ -5926,6 +5926,7 @@ load_tic_series(AXIS_INDEX axis)
+ 
+     if (!equals(c_token, ",")) {
+ 	/* only step specified */
++	incr_token = c_token;
+ 	incr = start;
+ 	start = -VERYLARGE;
+ 	end = VERYLARGE;
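Review bot: the Origin URL points at an upstream attachment named uninitialized_variables_(Bug1933).patch, plural, yet the quilt patch carries a single one-line hunk that sets incr_token = c_token in the "only step specified" branch of load_tic_series(); please confirm the upstream attachment has no further hunks, or say in the Description why only this one was taken. The DEP-3 header is otherwise complete (Description, Author, Bug-Debian, Origin, Bug, Reviewed-By, Last-Update), and the hunk header @@ -5926,6 +5926,7 @@ is consistent with exactly one added line.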
diff -Nru gnuplot-5.0.5+dfsg1/debian/patches/series gnuplot-5.0.5+dfsg1/debian/patches/series
--- gnuplot-5.0.5+dfsg1/debian/patches/series	2017-04-03 22:54:50.000000000 +0200
+++ gnuplot-5.0.5+dfsg1/debian/patches/series	2017-06-16 22:35:29.000000000 +0200
@@ -6,3 +6,4 @@
 11_fix_linkage_wx.patch
 13_honour_SOURCE_DATE_EPOCH.patch
 14_strip_username_from_output.patch
+20_CVE-2017-9670.patch
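Review bot: appending 20_CVE-2017-9670.patch as the last line of debian/patches/series matches the file added above and applies it after the existing 11_, 13_ and 14_ patches; the jump from 14 to 20 is a style point only, fine if the gap is intentional for upstream-security patches, otherwise a 15_ prefix would keep the numbering contiguous.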
