Bug#864901: gnuplot: CVE-2017-9670: uninitialized stack variable vulnerability could lead to a Denial of Service
Salvatore Bonaccorso
carnil at debian.org
Fri Jun 16 19:09:09 UTC 2017
Source: gnuplot
Version: 5.0.5+dfsg1-6
Severity: important
Tags: patch security upstream
Forwarded: https://sourceforge.net/p/gnuplot/bugs/1933/
Hi,
the following vulnerability was published for gnuplot.
CVE-2017-9670[0]:
| An uninitialized stack variable vulnerability in load_tic_series() in
| set.c in gnuplot 5.2.rc1 allows an attacker to cause Denial of Service
| (Segmentation fault and Memory Corruption) or possibly have unspecified
| other impact when a victim opens a specially crafted file.
AFAICT, it has been introduced with [2], as per [3], and fixed in [4].
Please double check and adjust the affected versions in the BTS as
needed if I got it actually wrong and older versions are affected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9670
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9670
[1] https://sourceforge.net/p/gnuplot/bugs/1933/
[2] https://github.com/gnuplot/gnuplot/commit/cd4b777389379598740fc02decff772b0e7bcbd6
[3] https://bugzilla.novell.com/show_bug.cgi?id=1044638#c5
[4] https://github.com/gnuplot/gnuplot/commit/4e39b1d7b274c7d4a69cbaba85ff321264f4457e
Regards,
Salvatore
More information about the debian-science-maintainers
mailing list