Believed fixed in Debian package 1.76.0-1

Status of various vulnerabilities, as per upstream:

        * CVE-2018-7442: potential injection attack because '/' is allowed
          in gplot rootdir.
          Functions using this command have been disabled by default in the
          distribution, starting with 1.76.0.  As for the specific issue, it
          is impossible to specify a general path without using the standard
          directory subdivider '/'.
        * CVE-2018-7186: number of characters not limited in fscanf or sscanf,
          allowing possible attack with buffer overflow.
          This has been fixed in 1.75.3.
        * CVE-2018-3836: command injection vulnerability in gplotMakeOutput().
          This has been fixed in 1.75.3, using stringCheckForChars() to block
          rootnames containing any of: ;&|>"?*$()/<
        * CVE-2017-18196: duplicated path components.
          This was fixed in 1.75.3.
        * CVE-2018-7441: hardcoded /tmp pathnames.
          These are all wrapped in special debug functions that are not
          enabled by default in the distribution, starting with 1.76.0.
        * CVE-2018-7247: input 'rootname' can overflow a buffer.
          This was fixed in 1.76.0, using snprintf().
        * CVE-2018-7440: command injection in gplotMakeOutput using $(command).
          Fixed in 1.75.3, which blocks '$' as well as 11 other characters.

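The three fix patterns listed above (reject rootnames that carry shell metacharacters before they reach a shell command, build paths with snprintf() and check for truncation, and give sscanf() a field width) are shown together below in a small added example. This is not leptonica's code and not part of the original report: the function names rootname_is_safe(), build_data_path() and read_token() are hypothetical, and the only thing taken from the report is the blocked character set ;&|>"?*$()/<.

```c
#include <stdio.h>
#include <string.h>

/* The 12 characters the 1.75.3 fix blocks in a gplot rootname
   (this is the set quoted in the report; the rest of the code is an
   added illustration, not leptonica's own implementation). */
static const char *kBlockedChars = ";&|>\"?*$()/<";

/* Returns 1 if rootname contains none of the blocked characters and can
   be interpolated into a shell command line, 0 otherwise.  Empty and
   NULL names are rejected too: an empty rootname is never a valid plot. */
int rootname_is_safe(const char *rootname)
{
    if (rootname == NULL || rootname[0] == '\0')
        return 0;
    return strpbrk(rootname, kBlockedChars) == NULL;
}

/* Builds "<rootname>.data" into a caller-supplied buffer.  Unlike an
   sprintf() into a fixed array, snprintf() cannot overrun `out`, and the
   return value is checked so a truncated path is an error, not silently
   used.  Returns 0 on success, -1 on a bad name or on truncation. */
int build_data_path(const char *rootname, char *out, size_t outsize)
{
    int n;

    if (!rootname_is_safe(rootname) || out == NULL || outsize == 0)
        return -1;
    n = snprintf(out, outsize, "%s.data", rootname);
    if (n < 0 || (size_t)n >= outsize)
        return -1;                       /* would not fit: refuse */
    return 0;
}

/* Reads one whitespace-delimited token from `line` into `tok` with a
   width-limited conversion.  A bare "%s" lets sscanf() write past the
   buffer; building "%<width>s" from the buffer size bounds the write to
   toksize - 1 characters plus the terminating NUL.
   Returns 0 on success, -1 if nothing was read or toksize is too small. */
int read_token(const char *line, char *tok, size_t toksize)
{
    char fmt[32];

    if (line == NULL || tok == NULL || toksize < 2)
        return -1;
    snprintf(fmt, sizeof fmt, "%%%zus", toksize - 1);  /* e.g. "%7s" */
    tok[0] = '\0';
    return sscanf(line, fmt, tok) == 1 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real plot file. */
    const char *names[] = { "plot1", "a;rm -rf x", "$(id)", "/tmp/plot" };
    char path[16];
    char tok[8];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s safe=%d\n", names[i], rootname_is_safe(names[i]));

    printf("build_data_path(\"plot1\") -> %d (%s)\n",
           build_data_path("plot1", path, sizeof path), path);
    printf("build_data_path(long name) -> %d\n",
           build_data_path("averyveryverylongname", path, sizeof path));

    read_token("abcdefghijkl more", tok, sizeof tok);
    printf("read_token -> \"%s\" (bounded to %zu chars)\n", tok, sizeof tok - 1);
    return 0;
}
```

The character check is necessary only because the rootname is ultimately handed to a shell; passing the name to gnuplot via an argv array or a file instead would remove the injection surface entirely, but the list-based block is what the 1.75.3 release did.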