Package: release.debian.org
Severity: normal
Tags: security upstream patch
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package gnuplot; it fixes CVE-2017-9670. The fix is trivial.
Patch is attached.

unblock gnuplot/5.0.5+dfsg1-7

The diff is attached.

Thanks

Anton

diff --git a/debian/changelog b/debian/changelog index 3705f0e..a27d6a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +gnuplot (5.0.5+dfsg1-7) unstable; urgency=high + + * [02931b6] Fix memory corruption vulnerability. CVE-2017-9670. + (Closes: #864901) + + -- Anton Gladky <gl...@debian.org> Fri, 16 Jun 2017 22:35:29 +0200 + gnuplot (5.0.5+dfsg1-6) unstable; urgency=medium * Team upload. diff --git a/debian/patches/20_CVE-2017-9670.patch b/debian/patches/20_CVE-2017-9670.patch new file mode 100644 index 0000000..482ea7e --- /dev/null +++ b/debian/patches/20_CVE-2017-9670.patch @@ -0,0 +1,18 @@ +Description: Fix memory corruption vulnerability. CVE-2017-9670 +Author: Ethan Merritt +Bug-Debian: https://bugs.debian.org/864901 +Origin: https://sourceforge.net/p/gnuplot/bugs/_discuss/thread/44ec637c/af0f/attachment/uninitialized_variables_%28Bug1933%29.patch +Bug: https://sourceforge.net/p/gnuplot/bugs/1933/ +Reviewed-By: Anton Gladky <gl...@debian.org> +Last-Update: 2017-06-16 + +--- gnuplot-5.0.5+dfsg1.orig/src/set.c ++++ gnuplot-5.0.5+dfsg1/src/set.c +@@ -5926,6 +5926,7 @@ load_tic_series(AXIS_INDEX axis) + + if (!equals(c_token, ",")) { + /* only step specified */ ++ incr_token = c_token; + incr = start; + start = -VERYLARGE; + end = VERYLARGE; diff --git a/debian/patches/series b/debian/patches/series index 94e0bfa..3c19808 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ 11_fix_linkage_wx.patch 13_honour_SOURCE_DATE_EPOCH.patch 14_strip_username_from_output.patch +20_CVE-2017-9670.patch
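
Review bot: The debian/changelog entry for 5.0.5+dfsg1-7 says only "Fix memory corruption vulnerability" and names neither the patch file nor the code it touches. Adding "debian/patches/20_CVE-2017-9670.patch" and "load_tic_series() in src/set.c" to the item would let someone reading the changelog alone map the CVE to the exact change without opening the patch.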
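
Review bot: In debian/patches/20_CVE-2017-9670.patch the Origin attachment is named "uninitialized_variables" in the plural, while the carried hunk is a single assignment, `incr_token = c_token;`, in the "only step specified" branch of load_tic_series(). Please state in the Description whether the upstream attachment contained further hunks that were left out for 5.0.5 and why, and name the variable that was left uninitialized on this path, so the release team can verify that the one-line change fully covers CVE-2017-9670. Origin also points at a discussion attachment rather than an upstream commit; if an upstream commit exists, referencing it would make the fix easier to track.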