Hi Cyril, thank you for the extended answer and useful information! Please find an attached patch with the fixed changelog number.
Best regards Anton On 06/25/2017 11:09 PM, Cyril Brulebois wrote: > Hi, > > Anton Gladky <gl...@debian.org> (2017-06-19): >> Package: release.debian.org >> Severity: normal >> Tags: stretch >> User: release.debian....@packages.debian.org >> Usertags: pu >> >> Dear release team, >> >> the following gnuplot version fixes the CVE-2017-9670. Please let me >> know, whether it can be upoaded to proposed-updates. > > Looking at the security tracker, it looks like this was decided this was > going to be a no-dsa fix, but feel free to mention this upfront in your > next pu requests. :) > > Anyway, looking at the diff: the version number isn't appropriate, as > stretch has 5.0.5+dfsg1-6, you should be uploading 5.0.5+dfsg1-6+deb9u1. > Alternatively, if you were going to backport 5.0.5+dfsg1-7 from testing, > you could use 5.0.5+dfsg1-7~deb9u1, but then this should be on top of > the 5.0.5+dfsg1-7 changelog entry. > > Either way, please provide an updated debdiff with a proper version (for > a simple patch like this, I think the first solution would have a slight > preference on my side → 5.0.5+dfsg1-6+deb9u1). > > Thanks already. > > > KiBi. >
diff -Nru gnuplot-5.0.5+dfsg1/debian/changelog gnuplot-5.0.5+dfsg1/debian/changelog --- gnuplot-5.0.5+dfsg1/debian/changelog 2017-04-03 22:58:59.000000000 +0200 +++ gnuplot-5.0.5+dfsg1/debian/changelog 2017-06-16 22:35:29.000000000 +0200 @@ -1,3 +1,10 @@ +gnuplot (5.0.5+dfsg1-6+deb9u1) stretch; urgency=high + + * [02931b6] Fix memory corruption vulnerability. CVE-2017-9670. + (Closes: #864901) + + -- Anton Gladky <gl...@debian.org> Fri, 16 Jun 2017 22:35:29 +0200 + gnuplot (5.0.5+dfsg1-6) unstable; urgency=medium * Team upload. diff -Nru gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch --- gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnuplot-5.0.5+dfsg1/debian/patches/20_CVE-2017-9670.patch 2017-06-16 22:35:29.000000000 +0200 @@ -0,0 +1,18 @@ +Description: Fix memory corruption vulnerability. CVE-2017-9670 +Author: Ethan Merritt +Bug-Debian: https://bugs.debian.org/864901 +Origin: https://sourceforge.net/p/gnuplot/bugs/_discuss/thread/44ec637c/af0f/attachment/uninitialized_variables_%28Bug1933%29.patch +Bug: https://sourceforge.net/p/gnuplot/bugs/1933/ +Reviewed-By: Anton Gladky <gl...@debian.org> +Last-Update: 2017-06-16 + +--- gnuplot-5.0.5+dfsg1.orig/src/set.c ++++ gnuplot-5.0.5+dfsg1/src/set.c +@@ -5926,6 +5926,7 @@ load_tic_series(AXIS_INDEX axis) + + if (!equals(c_token, ",")) { + /* only step specified */ ++ incr_token = c_token; + incr = start; + start = -VERYLARGE; + end = VERYLARGE; diff -Nru gnuplot-5.0.5+dfsg1/debian/patches/series gnuplot-5.0.5+dfsg1/debian/patches/series --- gnuplot-5.0.5+dfsg1/debian/patches/series 2017-04-03 22:54:50.000000000 +0200 +++ gnuplot-5.0.5+dfsg1/debian/patches/series 2017-06-16 22:35:29.000000000 +0200 @@ -6,3 +6,4 @@ 11_fix_linkage_wx.patch 13_honour_SOURCE_DATE_EPOCH.patch 14_strip_username_from_output.patch +20_CVE-2017-9670.patch
signature.asc
Description: OpenPGP digital signature