diff options
| -rw-r--r-- | meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch | 95 | ||||
| -rw-r--r-- | meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb | 1 |
2 files changed, 96 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch new file mode 100644 index 0000000000..c783d75180 --- /dev/null +++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch | |||
| @@ -0,0 +1,95 @@ | |||
| 1 | From c625576a4e086f8e3ad6f23559052494465722c6 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Ethan A Merritt <merritt@u.washington.edu> | ||
| 3 | Date: Tue, 14 Jan 2025 21:23:19 -0800 | ||
| 4 | Subject: [PATCH] use snprintf to protect against garbage user-supplied mouse | ||
| 5 | format | ||
| 6 | |||
| 7 | Bug 2754 | ||
| 8 | |||
| 9 | CVE: CVE-2025-31178 | ||
| 10 | Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b78cc829a18e9436daaa859c96f3970157f3171e/] | ||
| 11 | Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> | ||
| 12 | --- | ||
| 13 | src/mouse.c | 19 +++++++++---------- | ||
| 14 | 1 file changed, 9 insertions(+), 10 deletions(-) | ||
| 15 | |||
| 16 | diff --git a/src/mouse.c b/src/mouse.c | ||
| 17 | index ef8f14d71..1571144ce 100644 | ||
| 18 | --- a/src/mouse.c | ||
| 19 | +++ b/src/mouse.c | ||
| 20 | @@ -168,7 +168,7 @@ static void alert(void); | ||
| 21 | static void MousePosToGraphPosReal(int xx, int yy, double *x, double *y, double *x2, double *y2); | ||
| 22 | static char *xy_format(void); | ||
| 23 | static char *zoombox_format(void); | ||
| 24 | -static char *GetAnnotateString(char *s, double x, double y, int mode, char *fmt); | ||
| 25 | +static char *GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt); | ||
| 26 | static char *xDateTimeFormat(double x, char *b, int mode); | ||
| 27 | static void GetRulerString(char *p, double x, double y); | ||
| 28 | static void apply_zoom(struct t_zoom * z); | ||
| 29 | @@ -418,7 +418,7 @@ zoombox_format() | ||
| 30 | /* formats the information for an annotation (middle mouse button clicked) | ||
| 31 | */ | ||
| 32 | static char * | ||
| 33 | -GetAnnotateString(char *s, double x, double y, int mode, char *fmt) | ||
| 34 | +GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt) | ||
| 35 | { | ||
| 36 | if (axis_array[FIRST_X_AXIS].datatype == DT_DMS | ||
| 37 | || axis_array[FIRST_Y_AXIS].datatype == DT_DMS) { | ||
| 38 | @@ -473,11 +473,11 @@ GetAnnotateString(char *s, double x, double y, int mode, char *fmt) | ||
| 39 | r = rmin + x/cos(phi); | ||
| 40 | |||
| 41 | if (fmt) | ||
| 42 | - sprintf(s, fmt, theta, r); | ||
| 43 | + snprintf(s, len, fmt, theta, r); | ||
| 44 | else | ||
| 45 | sprintf(s, "theta: %.1f%s r: %g", theta, degree_sign, r); | ||
| 46 | } else if ((mode == MOUSE_COORDINATES_ALT) && fmt) { | ||
| 47 | - sprintf(s, fmt, x, y); /* user defined format */ | ||
| 48 | + snprintf(s, len, fmt, x, y); /* user defined format */ | ||
| 49 | } else if (mode == MOUSE_COORDINATES_FUNCTION) { | ||
| 50 | /* EXPERIMENTAL !!! */ | ||
| 51 | t_value original_x, original_y; | ||
| 52 | @@ -500,7 +500,7 @@ GetAnnotateString(char *s, double x, double y, int mode, char *fmt) | ||
| 53 | gpfree_string(&readout); | ||
| 54 | } else { | ||
| 55 | /* Default format ("set mouse mouseformat" is not active) */ | ||
| 56 | - sprintf(s, xy_format(), x, y); /* usual x,y values */ | ||
| 57 | + snprintf(s, len, xy_format(), x, y); /* usual x,y values */ | ||
| 58 | } | ||
| 59 | return s + strlen(s); | ||
| 60 | } | ||
| 61 | @@ -886,10 +886,10 @@ UpdateStatuslineWithMouseSetting(mouse_setting_t * ms) | ||
| 62 | strcat(format, ms->fmt); | ||
| 63 | strcat(format, ", "); | ||
| 64 | strcat(format, ms->fmt); | ||
| 65 | - sprintf(s0, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale); | ||
| 66 | + snprintf(s0, 255, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale); | ||
| 67 | } else if (!TICS_ON(axis_array[SECOND_X_AXIS].ticmode) && !TICS_ON(axis_array[SECOND_Y_AXIS].ticmode)) { | ||
| 68 | /* only first X and Y axis are in use */ | ||
| 69 | - sp = GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string); | ||
| 70 | + sp = GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string); | ||
| 71 | if (ruler.on) | ||
| 72 | GetRulerString(sp, real_x, real_y); | ||
| 73 | } else { | ||
| 74 | @@ -2116,7 +2116,7 @@ event_buttonrelease(struct gp_event_t *ge) | ||
| 75 | * only place, if the user didn't drag (rotate) the plot */ | ||
| 76 | |||
| 77 | if (!is_3d_plot || !motion) { | ||
| 78 | - GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string); | ||
| 79 | + GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string); | ||
| 80 | term->set_clipboard(s0); | ||
| 81 | if (display_ipc_commands()) { | ||
| 82 | fprintf(stderr, "put `%s' to clipboard.\n", s0); | ||
| 83 | @@ -2129,8 +2129,7 @@ event_buttonrelease(struct gp_event_t *ge) | ||
| 84 | * only done if the user didn't drag (scale) the plot */ | ||
| 85 | |||
| 86 | if (!is_3d_plot || !motion) { | ||
| 87 | - | ||
| 88 | - GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string); | ||
| 89 | + GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string); | ||
| 90 | if (mouse_setting.label) { | ||
| 91 | if (modifier_mask & Mod_Ctrl) { | ||
| 92 | remove_label(mouse_x, mouse_y); | ||
| 93 | -- | ||
| 94 | 2.43.0 | ||
| 95 | |||
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb index 18f98aa503..7dfe4b6657 100644 --- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb +++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb | |||
| @@ -18,6 +18,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a | |||
| 18 | file://CVE-2025-3359.patch \ | 18 | file://CVE-2025-3359.patch \ |
| 19 | file://CVE-2025-31176.patch \ | 19 | file://CVE-2025-31176.patch \ |
| 20 | file://CVE-2025-31177.patch \ | 20 | file://CVE-2025-31177.patch \ |
| 21 | file://CVE-2025-31178.patch \ | ||
| 21 | " | 22 | " |
| 22 | SRC_URI:append:class-target = " \ | 23 | SRC_URI:append:class-target = " \ |
| 23 | file://0002-do-not-build-demos.patch \ | 24 | file://0002-do-not-build-demos.patch \ |
