Bug 1882322 (CVE-2020-25412) - CVE-2020-25412 gnuplot: out-of-bounds-write from strncpy() may lead to arbitrary code execution
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-25412
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1882324
Blocks: 1882326
Reported: 2020-09-24 10:32 UTC by Marian Rehak
Modified: 2023-09-25 06:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in gnuplot. An execution path from com_line() in command.c results in strncpy() being called with an incorrect length, causing an out-of-bounds write. A local attacker could exploit this flaw by passing a specially crafted input file to gnuplot. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-09-25 20:40:52 UTC
Embargoed:


Description Marian Rehak 2020-09-24 10:32:59 UTC
gnuplot 5.4 is affected by a segmentation fault in com_line () at command.c, which may result in context-dependent arbitrary code execution.

Reference:

https://sourceforge.net/p/gnuplot/bugs/2303/

Comment 1 Marian Rehak 2020-09-24 10:33:31 UTC
Created gnuplot tracking bugs for this issue:

Affects: fedora-all [bug 1882324]

Comment 2 Todd Cullum 2020-09-25 20:12:56 UTC
Statement:

gnuplot as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8 is not affected because the vulnerable code was introduced in a subsequent version of gnuplot.

Comment 3 Product Security DevOps Team 2020-09-25 20:40:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25412

Comment 4 Todd Cullum 2020-09-25 21:29:41 UTC
External References:

Upstream patch: https://github.com/gnuplot/gnuplot/commit/963c7df3e0c5266efff260d0dff757dfe03d3632

Comment 5 Todd Cullum 2020-09-29 14:16:10 UTC
Flaw summary:

An execution path from com_line() in command.c results in strncpy() being called with a length of 0xffffffffffffffff, causing an out-of-bounds write. This was originally described as a segfault possibly leading to arbitrary code execution, but we felt that the description should be revised taking into account the cause of the flaw instead of the symptom. If the program segfaults, then it would halt, and thus not lead to arbitrary code execution subsequently.
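
The length in the flaw summary above, 0xffffffffffffffff, is what a signed -1 becomes when it is converted to strncpy()'s size_t argument. The following is an added example, not part of this bug report and not gnuplot's code or its upstream patch; `body_length()`, `checked_copy()` and the sample lines are hypothetical and constructed to show the conversion and a bounds check that rejects such a length before the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value strncpy() receives when a signed length is passed as its size_t
 * argument: -1 wraps to SIZE_MAX (0xffffffffffffffff on 64-bit Linux). */
static size_t length_seen_by_strncpy(long signed_len)
{
    return (size_t)signed_len;
}

/* Constructed length computation (an assumption, not gnuplot's): "line
 * minus its last character". For an empty line the result is -1. */
static long body_length(const char *line)
{
    return (long)strlen(line) - 1;
}

/* Hypothetical guarded copy: reject a negative or oversized length before
 * it reaches strncpy(). Returns 0 on success, -1 on rejection. */
static int checked_copy(char *dst, size_t dst_size, const char *src, long len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    if (len < 0 || (size_t)len >= dst_size)
        return -1;                 /* would write past dst: refuse */
    strncpy(dst, src, (size_t)len);
    dst[len] = '\0';               /* strncpy does not terminate here */
    return 0;
}

int main(void)
{
    char buf[8];
    /* Constructed sample input lines. */
    const char *lines[] = { "plot x", "", "a much longer input line" };

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long len = body_length(lines[i]);
        int rc = checked_copy(buf, sizeof buf, lines[i], len);
        printf("len=%ld as size_t=%#zx -> %s\n", len,
               length_seen_by_strncpy(len), rc == 0 ? buf : "rejected");
    }
    return 0;
}
```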