Package: gnuplot
Version: 4.0.0-2
Severity: important
There's a buffer overflow in one part of the patch:
+++ gnuplot-4.0.0/src/term.c
...
+ char *binname = "/gnuplot_x11";
+ char *fullname;
...
+ fullname = (char*)malloc(sizeof(X11_DRIVER_DIR) + sizeof(binname) + 1);
+ strcat(fullname, X11_DRIVER_DIR);
+ strcat(fullname, binname);
sizeof(binname) will return only 4. (the size of the poiner)
So strcat() will write over unallocated memory.
Please either use strlen() for binname and X11_DRIVER_DIR,
or just asprintf().
I am not sure, if this can be exploited and if it could, if
it is a security issue.
Elrond
p.s.: Can you please remove changelog.latin1 from the
debian .diff.gz?
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]