Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id
<c4d20274f6d76a43fb574d2177f6e3af4235e4be.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1002619,
regarding bullseye-pu: package gnuplot/gnuplot_5.4.1+dfsg1-1+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1002619: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002619
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dear release team,
[ Reason ]
gnuplot_5.4.1+dfsg1-1+deb11u1 is fixing security issue CVE-2021-44917.
Please include it into the bullseye.
[ Impact ]
Security issue
[ Tests ]
Done on CI and locally.
[ Risks ]
No risks awaited
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Patch imported from upstream.
Thanks
Anton
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmHHZV4RHGdsYWRrQGRl
Ymlhbi5vcmcACgkQ0+Fzg8+n/waXwg/+N32dARCRDysGWA2f1KWiP/9slcH00cYQ
Vyja1+nYut1S4HuWv8oWX7dvC9anSj8+I123M3Q7k2kG1iRN0FyydXnxwQT7xU8p
ewS0NJvgO8QLPAS1kAzn72zT6KMnBlIbYoLGuVjnWRpQiCO8P0GJ8pgK7mr1tNN2
2/t+TfD7gvGgpN1ZIxnrpa5wwSBvG/txJqO7sazC6O7NZwRRxzHP5GG1Gn6I6yJP
MparDEkNpSDeZTIo6o6D6g8dnMVIG6ukpWp0aJIHzKpy6a/P3agzglwTyl2V20+L
m06EP4/zureXmAQz8mCA7rvTMo/N6LCRPKVOssNXwnja98kD612icYFhFg+P7tOY
xlhbHVh+E8mEAbbovfaQp0MvlkvrkOwB0KtB8vcSaC0//HU3OsBS4f0g8Gb+fFa6
9OMTuCZ3XUEiNXHOr8P6LyCwK6R+blU1O0nAF8DuC14nR00Wjbi/h6SwuHNvNHEq
WuGwLp2fWDKBd4ViQCMRwI5IcEhi9usW+q3e/X08VuI2t/tb2Nv+5fPbqTzQ6q1w
TD4vQOT8YrTP4i+MKDOUkXoVePidmVNVHmChEgANqCMQfQ85gcHT6ldq1l+GADJ9
pVLZi6qjA3T/ePS70Dox/TAy/saKXO7hQhtlj4V4vKm2EGh0hvZzdS6wkvMHORuq
z6abtXAa96M=
=tBfC
-----END PGP SIGNATURE-----
diff -Nru gnuplot-5.4.1+dfsg1/debian/changelog
gnuplot-5.4.1+dfsg1/debian/changelog
--- gnuplot-5.4.1+dfsg1/debian/changelog 2020-12-03 22:27:21.000000000
+0100
+++ gnuplot-5.4.1+dfsg1/debian/changelog 2021-12-25 19:15:06.000000000
+0100
@@ -1,3 +1,9 @@
+gnuplot (5.4.1+dfsg1-1+deb11u1) bullseye; urgency=medium
+
+ * Fix divide by zero vulnerability. CVE-2021-44917. (Closes: #1002539)
+
+ -- Anton Gladky <gl...@debian.org> Sat, 25 Dec 2021 19:15:06 +0100
+
gnuplot (5.4.1+dfsg1-1) unstable; urgency=medium
* [945257b] New upstream version 5.4.1+dfsg1
diff -Nru gnuplot-5.4.1+dfsg1/debian/.gitlab-ci.yml
gnuplot-5.4.1+dfsg1/debian/.gitlab-ci.yml
--- gnuplot-5.4.1+dfsg1/debian/.gitlab-ci.yml 2020-09-24 23:46:23.000000000
+0200
+++ gnuplot-5.4.1+dfsg1/debian/.gitlab-ci.yml 2021-12-25 19:15:06.000000000
+0100
@@ -1,3 +1,4 @@
include:
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+ -
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+variables:
+ RELEASE: 'bullseye'
diff -Nru gnuplot-5.4.1+dfsg1/debian/patches/CVE-2021-44917.patch
gnuplot-5.4.1+dfsg1/debian/patches/CVE-2021-44917.patch
--- gnuplot-5.4.1+dfsg1/debian/patches/CVE-2021-44917.patch 1970-01-01
01:00:00.000000000 +0100
+++ gnuplot-5.4.1+dfsg1/debian/patches/CVE-2021-44917.patch 2021-12-25
19:15:06.000000000 +0100
@@ -0,0 +1,114 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ gnuplot (5.4.2+dfsg2-1) unstable; urgency=medium
+ .
+ * [4370a18] Update d/watch
+ * [7d7c5c0] New upstream version 5.4.2+dfsg1.orig
+ * [97d5d83] Refresh patches
+ * [9d8bbae] Update gitlab.ci
+ * [e168129] Use secure URI in debian/watch.
+ * [08324bf] Bump debhelper from old 12 to 13.
+ * [3a47530] Update standards version to 4.5.1, no changes needed.
+ * [ba4a50d] Avoid explicitly specifying -Wl,--as-needed linker flag.
+ * [9ce752b] Set Standards-Version: 4.6.0
+ * [917e564] Use execute-syntax for some commands in d/rules
+Author: Anton Gladky <gl...@debian.org>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: 2021-12-25
+
+Index: gnuplot-5.4.1+dfsg1/src/set.c
+===================================================================
+--- gnuplot-5.4.1+dfsg1.orig/src/set.c
++++ gnuplot-5.4.1+dfsg1/src/set.c
+@@ -5058,18 +5058,6 @@ set_terminal()
+ fprintf(stderr,"Options are '%s'\n",term_options);
+ if ((term->flags & TERM_MONOCHROME))
+ init_monochrome();
+-
+- /* Sanity check:
+- * The most common failure mode found by fuzzing is a divide-by-zero
+- * caused by initializing the basic unit of the current terminal character
+- * size to zero. I keep patching the individual terminals, but a generic
+- * sanity check may at least prevent a crash due to mistyping.
+- */
+- if (term->h_char <= 0 || term->v_char <= 0) {
+- int_warn(NO_CARET, "invalid terminal font size");
+- term->h_char = 10;
+- term->v_char = 10;
+- }
+ }
+
+
+Index: gnuplot-5.4.1+dfsg1/src/term.c
+===================================================================
+--- gnuplot-5.4.1+dfsg1.orig/src/term.c
++++ gnuplot-5.4.1+dfsg1/src/term.c
+@@ -235,6 +235,7 @@ static void UNKNOWN_null(void);
+ static void MOVE_null(unsigned int, unsigned int);
+ static void LINETYPE_null(int);
+ static void PUTTEXT_null(unsigned int, unsigned int, const char *);
++static TBOOLEAN sanity_check_font_size(void);
+
+ static int strlen_tex(const char *);
+
+@@ -516,6 +517,8 @@ term_start_plot()
+ term_suspended = FALSE;
+ }
+
++ sanity_check_font_size();
++
+ if (multiplot)
+ multiplot_count++;
+
+@@ -2920,3 +2923,21 @@ escape_reserved_chars(const char *str, c
+
+ return escaped_str;
+ }
++
++/* Sanity check:
++ * The most common program failure mode found by fuzzing is a divide-by-zero
++ * caused by initializing the basic unit of the current terminal character
++ * size to zero. I keep patching individual terminals, but a generic
++ * sanity check may at least prevent a crash due to typos.
++ */
++static TBOOLEAN
++sanity_check_font_size()
++{
++ if (!(0 < term->v_char && term->v_char < term->ymax)
++ || !(0 < term->h_char && term->h_char < term->xmax)) {
++ int_warn(NO_CARET, "Invalid terminal font size");
++ term->v_char = term->h_char = 10;
++ return FALSE;
++ }
++ return TRUE;
++}
+\ No newline at end of file
+Index: gnuplot-5.4.1+dfsg1/term/emf.trm
+===================================================================
+--- gnuplot-5.4.1+dfsg1.orig/term/emf.trm
++++ gnuplot-5.4.1+dfsg1/term/emf.trm
+@@ -805,7 +805,7 @@ EMF_options()
+ new_defaultfontsize = real_expression();
+ }
+
+- if (new_defaultfontsize > 0)
++ if ((0 < new_defaultfontsize) && (new_defaultfontsize < 999))
+ emf_defaultfontsize = new_defaultfontsize;
+
+ sprintf(term_options, "%s %s font \"%s,%g\"",
diff -Nru gnuplot-5.4.1+dfsg1/debian/patches/series
gnuplot-5.4.1+dfsg1/debian/patches/series
--- gnuplot-5.4.1+dfsg1/debian/patches/series 2019-10-17 20:27:54.000000000
+0200
+++ gnuplot-5.4.1+dfsg1/debian/patches/series 2021-12-25 18:00:52.000000000
+0100
@@ -5,3 +5,4 @@
10_removepicins.patch
11_fix_linkage_wx.patch
13_honour_SOURCE_DATE_EPOCH.patch
+CVE-2021-44917.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.3
Hi,
The updates referenced by these bugs were included in stable as part of
this morning's 11.3 point release.
Regards,
Adam
--- End Message ---
