gnuplot: fix CVE-2020-25412 and CVE-2020-255519

Bump revision. Patches painfully pulled out of upstream's git.
NetBSD · Sep 22, 2020 · 98d1a50 · 98d1a50
1 parent 692c7fd
commit 98d1a50
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 3 deletions.
diff --git a/graphics/gnuplot/Makefile b/graphics/gnuplot/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.145 2020/08/18 17:58:01 leot Exp $
+# $NetBSD: Makefile,v 1.146 2020/09/22 19:08:55 bsiegert Exp $
 
 DISTNAME=	gnuplot-5.2.8
-PKGREVISION=	9
+PKGREVISION=	10
 CATEGORIES+=	graphics
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=gnuplot/}
 

diff --git a/graphics/gnuplot/distinfo b/graphics/gnuplot/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.42 2019/12/05 18:42:05 adam Exp $
+$NetBSD: distinfo,v 1.43 2020/09/22 19:08:55 bsiegert Exp $
 
 SHA1 (gnuplot-5.2.8.tar.gz) = dc018b1e0a31b770d4635958badff13498babc4d
 RMD160 (gnuplot-5.2.8.tar.gz) = 1048f333f14be3f27bd8a6fa866371c6308f4f5d
@@ -8,4 +8,5 @@ SHA1 (patch-configure) = 0881a50206c9796a2f34b93b72f6cd6eae127a15
 SHA1 (patch-src_gp__hist.h) = b1549572ba1bacad5ae76e7a5a6b632e693b74a7
 SHA1 (patch-src_plot.c) = a91ef7ff92917c54e37f3cca765e92d9857a47a5
 SHA1 (patch-src_readline.h) = ae138bb783a5a5e68f89850cdd861cc545399aaf
+SHA1 (patch-src_term.c) = 5bf2d0fad2100aded705c7a17a9cf321a3b9946d
 SHA1 (patch-src_variable.c) = 90a9372c715791efe42bc019025aa61fb5ece80c
diff --git a/graphics/gnuplot/patches/patch-src_term.c b/graphics/gnuplot/patches/patch-src_term.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-src_term.c,v 1.1 2020/09/22 19:08:55 bsiegert Exp $
+
+Fix for CVE-2020-25559 and CVE-2020-25412, from upstream
+
+--- src/term.c.orig	2019-11-19 21:57:18.000000000 +0000
++++ src/term.c
+@@ -191,6 +191,7 @@ char *enhanced_cur_text = NULL;
+ double enhanced_fontscale = 1.0;
+ char enhanced_escape_format[16] = "";
+ double enhanced_max_height = 0.0, enhanced_min_height = 0.0;
++#define ENHANCED_TEXT_MAX (&enhanced_text[MAX_LINE_LEN])
+ /* flag variable to disable enhanced output of filenames, mainly. */
+ TBOOLEAN ignore_enhanced_text = FALSE;
+
+@@ -2207,6 +2208,9 @@ fflush_binary()
+ void
+ do_enh_writec(int c)
+ {
++    /* Guard against buffer overflow */
++    if (enhanced_cur_text >= ENHANCED_TEXT_MAX)
++	return;
+     /* note: c is meant to hold a char, but is actually an int, for
+      * the same reasons applying to putc() and friends */
+     *enhanced_cur_text++ = c;
+@@ -2361,7 +2365,7 @@ enhanced_recursion(
+ 			    ++p;
+ 			if (*p != *start_of_fontname) {
+ 			    int_warn(NO_CARET, "cannot interpret font name %s", start_of_fontname);
+-			    p = start_of_fontname;
++			    break;
+ 			}
+ 			start_of_fontname++;
+ 			end_of_fontname = p++;