From 21d4000f73cc91826e5fcd8708d531aad209fe0b Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 13 Jul 2023 09:34:17 +0800
Subject: [PATCH] Fix CVE-2020-25969

(cherry picked from commit ef3e47a2ed99b712cec9d7f85b6b1a52bd717cd1)
---
 CVE-2020-25969.patch | 39 +++++++++++++++++++++++++++++++++++++++
 gnuplot.spec | 6 +++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-25969.patch

diff --git a/CVE-2020-25969.patch b/CVE-2020-25969.patch
new file mode 100644
index 0000000..2dea327
--- /dev/null
+++ b/CVE-2020-25969.patch
@@ -0,0 +1,39 @@
+From 1f36c4fbb3e8e0beb213b4a29ab463e43db9ef42 Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt
+Date: Fri, 11 Sep 2020 17:38:55 -0700
+Subject: [PATCH] prevent buffer overflow of enhanced text fragment
+
+The generic enhanced text buffering uses a shared buffer with fixed length.
+Add a check on the current position before adding each character in an
+enhanced text fragment. Affects terminals
+ caca canvas dumb emf gd pc pdf pm tkcanvas x11 win
+Does not affect terminals with customized text handling
+ qt wxt cairo
+
+Bugs #2310 #2311
+---
+ src/term.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/term.c b/src/term.c
+index 7fd46fa04..70a2a7f25 100644
+--- a/src/term.c
++++ b/src/term.c
+@@ -185,6 +185,7 @@ char *enhanced_cur_text = NULL;
+ double enhanced_fontscale = 1.0;
+ char enhanced_escape_format[16] = "";
+ double enhanced_max_height = 0.0, enhanced_min_height = 0.0;
++#define ENHANCED_TEXT_MAX (&enhanced_text[MAX_LINE_LEN])
+ /* flag variable to disable enhanced output of filenames, mainly. */
+ TBOOLEAN ignore_enhanced_text = FALSE;
+
+@@ -2021,6 +2022,9 @@ test_term()
+ void
+ do_enh_writec(int c)
+ {
++ /* Guard against buffer overflow */
++ if (enhanced_cur_text >= ENHANCED_TEXT_MAX)
++ return;
+ /* note: c is meant to hold a char, but is actually an int, for
+ * the same reasons applying to putc() and friends */
+ *enhanced_cur_text++ = c;
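Review bot: The new bound `#define ENHANCED_TEXT_MAX (&enhanced_text[MAX_LINE_LEN])` together with `if (enhanced_cur_text >= ENHANCED_TEXT_MAX) return;` stops stores at element `MAX_LINE_LEN - 1`, but the hunk shows neither the declaration of `enhanced_text` nor where the fragment is later NUL-terminated, so the fix is only complete if the array has at least `MAX_LINE_LEN + 1` elements; otherwise a terminator written once `enhanced_cur_text` has reached the bound would still land one past the end. Rather than leave that invariant implicit, add a comment at the define, e.g. `/* one past the last char do_enh_writec may store; enhanced_text needs MAX_LINE_LEN + 1 elements so the terminator still fits */`, or, if `enhanced_text` is declared as an array in the same file and the build is C11, a `_Static_assert(sizeof enhanced_text > MAX_LINE_LEN, "enhanced_text too small for ENHANCED_TEXT_MAX");` beside it. The guard discards characters silently, which is acceptable for a hardening fix but worth stating in the `/* Guard against buffer overflow */` comment so a truncated fragment is not mistaken for a terminal driver bug. The body of `do_enh_writec` continues past the end of the hunk.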
diff --git a/gnuplot.spec b/gnuplot.spec
index 1bd4369..5d5c3b8 100644
--- a/gnuplot.spec
+++ b/gnuplot.spec
@@ -2,7 +2,7 @@ Name: gnuplot
 Summary: a portable command-line driven graphing utility
 Version: %{major_minor}.6
-Release: 12
+Release: 13
 License: gnuplot and MIT
 URL: http://www.gnuplot.info/
@@ -14,6 +14,7 @@ Patch2: gnuplot-4.6.1-plot-sigsegv.patch
 Patch3: gnuplot-4.6.4-singlethread.patch
 Patch4: gnuplot-5.0.6-no-lena.patch
 Patch5: gnuplot-5.0.6-add-lib-gobject-when-config.patch
+Patch6: CVE-2020-25969.patch
 BuildRequires: cairo-devel latex2html emacs gd-devel giflib-devel libotf libpng-devel
 BuildRequires: librsvg2 texinfo libX11-devel libXt-devel lua-devel m17n-lib tex-tex4ht
@@ -160,5 +161,8 @@ fi
 %exclude %{_mandir}/man1/%{name}-ja.1*
 %changelog
+* Thu Jul 13 2023 yaoxin - 5.0.6-13
+- Fix CVE-2020-25969
+
 * Mon Feb 17 2020 Tianfei - 5.0.6-12
 - Package init
-- Gitee