Bug 1882322 (CVE-2020-25412)

Summary: CVE-2020-25412 gnuplot: out-of-bounds-write from strncpy() may lead to arbitrary code execution
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: jkucera, orion, pcahyna
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in gnuplot. An execution path from com_line() in command.c results in strncpy() being called with an incorrect length, causing an out-of-bounds write. A local attacker could exploit this flaw by passing a specially crafted input file to gnuplot. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Last Closed: 2020-09-25 20:40:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1882324
Bug Blocks: 1882326

Description Marian Rehak 2020-09-24 10:32:59 UTC
gnuplot 5.4 is affected by a segmentation fault in com_line () at command.c, which may result in context-dependent arbitrary code execution.

Reference:

https://sourceforge.net/p/gnuplot/bugs/2303/

Comment 1 Marian Rehak 2020-09-24 10:33:31 UTC
Created gnuplot tracking bugs for this issue:

Affects: fedora-all [bug 1882324]

Comment 2 Todd Cullum 2020-09-25 20:12:56 UTC
Statement:

gnuplot as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8 is not affected because the vulnerable code was introduced in a subsequent version of gnuplot.

Comment 3 Product Security DevOps Team 2020-09-25 20:40:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25412

Comment 4 Todd Cullum 2020-09-25 21:29:41 UTC
External References:

Upstream patch: https://github.com/gnuplot/gnuplot/commit/963c7df3e0c5266efff260d0dff757dfe03d3632

Comment 5 Todd Cullum 2020-09-29 14:16:10 UTC
Flaw summary:

An execution path from com_line() in command.c results in strncpy() being called with a length of 0xffffffffffffffff, causing an out-of-bounds write. This was originally described as segfault possibly leading to arbitrary code execution, but we felt that the description should be revised taking into account the cause of the flaw instead of the symptom. If the program segfaults, then it would halt, and thus not lead to arbitrary code execution subsequently.
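The length 0xffffffffffffffff named in the flaw summary above (and in the Doc Text) is what a signed length of -1 becomes when it is converted to strncpy()'s size_t parameter. The following is an added example, not gnuplot's code and not the upstream patch: a constructed model of the bug class in which a parser computes the length of a quoted token as close - open - 1 in signed arithmetic, with the assumption (made for this model only) that a missing closing quote leaves close == open. The sample input lines are constructed; the function names find_quotes, naive_strncpy_len and extract_quoted are invented for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class (not gnuplot's code): a parser that
 * computes the length of a quoted token as (close - open - 1) in signed
 * arithmetic and hands the result to strncpy(), whose size is size_t. */

#define TOKEN_MAX 64

/* Find the first pair of double quotes in line.  Assumption made for this
 * model: when the closing quote is missing, the parser leaves close == open,
 * which is the state that drives the length computation negative. */
static bool find_quotes(const char *line, int *open, int *close)
{
    const char *o = strchr(line, '"');
    if (o == NULL)
        return false;
    const char *c = strchr(o + 1, '"');
    *open = (int)(o - line);
    *close = (c != NULL) ? (int)(c - line) : *open;
    return true;
}

/* Length a naive copy would pass to strncpy().  With the closing quote
 * missing, close - open - 1 is -1, and converting -1 to size_t yields
 * SIZE_MAX (0xffffffffffffffff on 64-bit), so strncpy() would write far past
 * any destination buffer.  Returns 0 when there is no opening quote at all. */
size_t naive_strncpy_len(const char *line)
{
    int open, close;
    if (!find_quotes(line, &open, &close))
        return 0;
    int n = close - open - 1;   /* signed; may be -1 */
    return (size_t)n;           /* the implicit conversion at the strncpy() call */
}

/* Hardened version: validate the range while it is still signed, then bound
 * the copy by the destination size, leaving room for the terminator.
 * Returns NULL (and copies nothing) on any malformed input. */
static char token_buf[TOKEN_MAX];

const char *extract_quoted(const char *line)
{
    int open, close;
    if (!find_quotes(line, &open, &close))
        return NULL;
    if (close <= open)                      /* no closing quote, or inverted range */
        return NULL;
    size_t n = (size_t)(close - open - 1);  /* now provably non-negative */
    if (n >= sizeof token_buf)              /* would not fit together with the NUL */
        return NULL;
    memcpy(token_buf, line + open + 1, n);
    token_buf[n] = '\0';
    return token_buf;
}

int main(void)
{
    /* Constructed sample lines, not taken from the bug report. */
    const char *good = "set title \"hello\"";
    const char *bad  = "set title \"";   /* closing quote missing */

    printf("good: naive len = %zu, checked = %s\n",
           naive_strncpy_len(good), extract_quoted(good));
    printf("bad:  naive len = 0x%zx, checked = %s\n",
           naive_strncpy_len(bad),
           extract_quoted(bad) ? extract_quoted(bad) : "(rejected)");
    return 0;
}
```

The check that matters is the one on the signed values before the conversion: once a negative length has become a size_t there is no sane bound left to test, and strncpy() will copy and pad up to that many bytes, which is why the summary describes a write rather than a read. For gnuplot's actual change, consult the upstream commit linked in Comment 4 rather than this model.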