Red Hat Bugzilla – Bug 995852
gnuplot: Make gnuplot's NOCWDRC (not to read the content of .gnuplot from CWD at the startup) default
Last modified: 2017-12-06 06:40:52 EST
+++ This bug was initially created as a clone of Bug #995851 +++
Description of problem:
As written in:
or in gnuplot's startup help:
gnuplot> help startup
When `gnuplot` is run, it looks for an initialization file to load.
This file is called `.gnuplot` on Unix and AmigaOS systems, and
`GNUPLOT.INI` on other systems. If this file is not found in the
current directory, the program will look for it in the HOME directory
(under AmigaOS, MS-DOS, Windows and OS/2, the
environment variable `GNUPLOT` should contain the name of this
directory; on Windows NT, it will use `USERPROFILE` if GNUPLOT isn't
defined). Note: if NOCWDRC is defined during the installation,
`gnuplot` will not read from the current directory.
If the initialization file is found, `gnuplot` executes the commands in it.
These may be any legal `gnuplot` commands, but typically they are limited to
setting the terminal and defining frequently-used functions or variables.
when 'NOCWDRC' is not defined in the moment of gnuplot's startup, gnuplot tries to load content of .gnuplot file from current working directory. Since when run from untrusted directory, this might be dangerous, that feature (loading of .gnuplot content from CWD) should be disabled in the default configuration (=> 'NOCWDRC' option should be used).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Define some gnuplot commands (even to run some system ones) into .gnuplot file in CWD
2. Run gnuplot
Commands from .gnuplot in CWD are executed by gnuplot startup.
Commands aren't executed.
This is not a security flaw, since above behaviour is documented in gnuplot startup help and/or in upstream documentation.
Anyway, the more secure (not to load .gnuplot from CWD at startup) behaviour should be used.
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.
Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.
The official life cycle policy can be reviewed here:
This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: