Bug#865214: stretch-pu: package gnuplot/5.0.5+dfsg1-7+deb9u1

Mon, 19 Jun 2017 13:24:21 -0700 

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

the following gnuplot version fixes the CVE-2017-9670. Please let me know,
whether it can be upoaded to proposed-updates.

Diff is provided.

Thanks,

Anton

diff -Nru gnuplot-5.0.5+dfsg1/debian/changelog 
gnuplot-5.0.5+dfsg1/debian/changelog
--- gnuplot-5.0.5+dfsg1/debian/changelog        2017-04-03 22:58:59.000000000 
+0200
+++ gnuplot-5.0.5+dfsg1/debian/changelog        2017-06-16 22:35:29.000000000 
+0200
@@ -1,3 +1,10 @@
+gnuplot (5.0.5+dfsg1-7+deb9u1) stretch; urgency=high
+
+  * [02931b6] Fix memory corruption vulnerability. CVE-2017-9670.
+              (Closes: #864901)
+
+ -- Anton Gladky <gl...@debian.org>  Fri, 16 Jun 2017 22:35:29 +0200
+
 gnuplot (5.0.5+dfsg1-6) unstable; urgency=medium
 
   * Team upload.
diff -Nru gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch 
gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch
--- gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch   1970-01-01 
01:00:00.000000000 +0100
+++ gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch   2017-06-16 
22:35:29.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix memory corruption vulnerability. CVE-2017-9670
+Author: Ethan Merritt
+Bug-Debian: https://bugs.debian.org/864901
+Origin: 
https://sourceforge.net/p/gnuplot/bugs/_discuss/thread/44ec637c/af0f/attachment/uninitialized_variables_%28Bug1933%29.patch
+Bug: https://sourceforge.net/p/gnuplot/bugs/1933/
+Reviewed-By: Anton Gladky <gl...@debian.org>
+Last-Update: 2017-06-16
+
+--- gnuplot-5.0.5+dfsg1.orig/src/set.c
++++ gnuplot-5.0.5+dfsg1/src/set.c
+@@ -5926,6 +5926,7 @@ load_tic_series(AXIS_INDEX axis)
+ 
+     if (!equals(c_token, ",")) {
+       /* only step specified */
++      incr_token = c_token;
+       incr = start;
+       start = -VERYLARGE;
+       end = VERYLARGE;
diff -Nru gnuplot-5.0.5+dfsg1/debian/patches/series 
gnuplot-5.0.5+dfsg1/debian/patches/series
--- gnuplot-5.0.5+dfsg1/debian/patches/series   2017-04-03 22:54:50.000000000 
+0200
+++ gnuplot-5.0.5+dfsg1/debian/patches/series   2017-06-16 22:35:29.000000000 
+0200
@@ -6,3 +6,4 @@
 11_fix_linkage_wx.patch
 13_honour_SOURCE_DATE_EPOCH.patch
 14_strip_username_from_output.patch
+20_CVE-2017-9670.patch

Reply via email to