Bug#985248: gnuplot: format string bug in PS_load_fontfile()

Wooseok Kang kangwoosuk1 at gmail.com
Mon Mar 15 02:33:00 GMT 2021


Package: gnuplot
Version: 5.4.1+dfsg1-1
Severity: normal
X-Debbugs-Cc: kangwoosuk1 at gmail.com

Dear Maintainer,

In gnuplot, there is a format string vulnerability
that can lead to reading and writing arbitrary memory values.

In term/post.trm, the program gets a string from getenv() and passes it to sprintf() directly in line 1420.
This causes the format string bug which can crash the program.

1420 envcmd = getenv("GNUPLOT_TTFTOPFA");
1421 if (envcmd != NULL)
1422     sprintf(cmd,envcmd,current_ps_fontfile->fontfile_fullname);

Thank you.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.72-microsoft-standard-WSL2 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages gnuplot depends on:
ii  gnuplot-qt [gnuplot-x11]  5.4.1+dfsg1-1

gnuplot recommends no packages.

Versions of packages gnuplot suggests:
pn  gnuplot-doc  <none>

-- no debconf information
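
An added example, not part of the original report and not gnuplot's own fix: one way to stop an environment-supplied template such as GNUPLOT_TTFTOPFA from acting as an arbitrary format string is to accept it only when it contains exactly one %s and no other conversion, then expand it with a bounded snprintf(). The names template_has_single_s and build_cmd and the sample templates are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 only if fmt has exactly one "%s" conversion and no other
 * conversion; "%%" (a literal percent sign) is allowed. */
static int template_has_single_s(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;                    /* character following '%' */
        if (*p == '%')
            continue;           /* "%%": literal percent */
        if (*p != 's')
            return 0;           /* %n, %x, %5s, trailing '%', ... */
        count++;
    }
    return count == 1;
}

/* Hypothetical helper: expand an untrusted template into out.
 * Returns 0 on success, -1 if the template is rejected or the
 * expanded string does not fit in outlen bytes. */
int build_cmd(char *out, size_t outlen, const char *tmpl, const char *fontfile)
{
    if (!out || outlen == 0 || !tmpl || !fontfile || !template_has_single_s(tmpl))
        return -1;
    int n = snprintf(out, outlen, tmpl, fontfile);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';          /* never hand back a truncated command */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample templates, not taken from gnuplot. */
    const char *samples[] = { "conv %s", "100%% %s", "conv %s %s",
                              "conv %s %n", "conv %x", "conv %5s" };
    char cmd[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_cmd(cmd, sizeof cmd, samples[i], "font.ttf");
        printf("%-12s -> %s\n", samples[i], rc == 0 ? cmd : "(rejected)");
    }
    return 0;
}
```

The validator is deliberately strict: flags, widths and precisions on %s are rejected too, so the template can consume exactly one string argument.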