openSUSE has issued an advisory today (February 26):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CKEZYDL7ZTBAXXRLNGPXPFNXRKWZ3MXC/
Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Patch available from openSUSE
Whiteboard: (none) => MGA8TOO, MGA7TOO
Gnuplot has no evident maintainer, so necessarily assigning this bug globally.
Assignee: bugsquad => pkg-bugs
I tested the patches from openSUSE (found in: https://ftp.fau.de/opensuse/update/openSUSE-stable/src/gnuplot-5.2.2-lp152.6.3.1.src.rpm). The CVE is already fixed in our rpms for mga8/mga9.
CC: (none) => mageia
Version: Cauldron => 7
Fix pushed in mga7: src: - gnuplot-5.2.2-5.1.mga7
Assignee: pkg-bugs => qa-bugs
Status comment: Patch available from openSUSE => (none)
Package list:
gnuplot-5.2.2-5.1.mga7
gnuplot-qt-5.2.2-5.1.mga7
gnuplot-nox-5.2.2-5.1.mga7
gnuplot-mode-5.2.2-5.1.mga7
Whiteboard: MGA8TOO, MGA7TOO => (none)
Advisory:
========================

Updated gnuplot packages fix security vulnerability:

Double free when executing print_set_output() (CVE-2020-25559).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25559
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CKEZYDL7ZTBAXXRLNGPXPFNXRKWZ3MXC/
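The advisory above only names the defect class (a double free in print_set_output()). The following is an added, constructed illustration of that class and of the usual fix; it is not gnuplot's code and does not reproduce the actual CVE-2020-25559 code path. The struct, function names and the "output name" field are assumptions made for the example. The vulnerable variant is shown but never executed, since a real double free is undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an "output destination" record (not gnuplot's). */
struct print_output {
    char *name;   /* heap-allocated destination name, or NULL when unset */
};

/* Portable strdup replacement so the example needs only ISO C. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, s, n);
    return copy;
}

/* VULNERABLE PATTERN (illustration only, never called here):
 * the old name is freed first, but the dangling pointer is left in the
 * struct if the new allocation fails. A later close or re-set then
 * frees the same block a second time. */
int set_output_vulnerable(struct print_output *out, const char *name)
{
    free(out->name);                 /* old block released ...            */
    char *copy = dup_string(name);
    if (copy == NULL)
        return -1;                   /* ... but out->name still points at it */
    out->name = copy;
    return 0;
}

/* HARDENED: release a destination exactly once and clear the pointer so a
 * repeated close is a harmless no-op. Returns 1 if memory was freed. */
int close_output(struct print_output *out)
{
    if (out->name == NULL)
        return 0;
    free(out->name);
    out->name = NULL;
    return 1;
}

/* HARDENED: allocate the replacement first, free the old one only after
 * success, so a failed allocation leaves the struct consistent. */
int set_output(struct print_output *out, const char *name)
{
    char *copy = dup_string(name);
    if (copy == NULL)
        return -1;                   /* old destination stays valid */
    close_output(out);
    out->name = copy;
    return 0;
}

/* Drive the hardened API the way a double-close bug would exercise it:
 * set, close twice, and report how many real frees happened. */
int demo_double_close(void)
{
    struct print_output out = { NULL };
    if (set_output(&out, "plot.png") != 0)
        return -1;
    int freed = 0;
    freed += close_output(&out);     /* frees "plot.png" */
    freed += close_output(&out);     /* pointer is NULL, nothing to free */
    return freed;                    /* 1: freed exactly once */
}

/* Re-setting an output must replace the old name without leaking or
 * double-freeing; returns 0 when the final name matches expectation. */
int demo_reset(void)
{
    struct print_output out = { NULL };
    set_output(&out, "first.svg");
    set_output(&out, "second.svg");
    int rc = strcmp(out.name, "second.svg");
    close_output(&out);
    return rc;
}
```

The two defensive habits shown, allocate-before-free and null-after-free, are what turn a double free into a no-op; in a real code base the same discipline applies to every owner of the pointer, which is why a single missed site such as the one named in the advisory is enough to reintroduce the bug.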
Tested on a mga7 64-bit Plasma system, AMD Phenom II X4 910, Radeon HD 8490 graphics.

I installed the current version first, choosing gnuplot-qt, expecting it to need one or more of the others, but was surprised when it didn't want anything. Then I installed gnuplot, which required gnuplot-nox. Went after the updates using QA Repo, with no installation issues.

Gnuplot is a very powerful and complex application, with lots of features, far too many for a new user to master in a short amount of time. Fortunately, there are several demo scripts available at http://www.gnuplot.info/demo/ I used a random sample of those to test. As one might expect, the qt version worked better in Plasma than the other one. When running scripts under "gnuplot" there were complaints about canberra not being run that were not present running under gnuplot-qt, but both produced the plots they were supposed to for the demos.

But then I decided to try removing gnuplot and gnuplot-nox, as if a user had just installed gnuplot-qt. It didn't work any more. The app would run, but it couldn't execute the demo scripts. On a hunch, I re-installed gnuplot-nox. That fixed it. Gnuplot-qt now ran the demo scripts with no problems.

Looks to me like we have a missing dependency issue here, meaning that gnuplot-nox should be a dependency of gnuplot-qt like it is for gnuplot. And since this issue was also true for the existing gnuplot-qt, I would suspect that the mga8 and Cauldron versions are also affected.
CC: (none) => andrewsfarm
I just checked a Mageia 8 Plasma install, and gnuplot-qt has both gnuplot and gnuplot-nox as dependencies. But, checking on a 32-bit Mageia 7 Plasma install, I see the same situation as I saw with the 64-bit packages. So then it would appear that mga7 is probably the only one affected, but on both arches. That should make it easier to take care of, I would think.
Looking for a little guidance here. While my tests show that this update is working with the security patches, they have revealed a previously unknown dependency issue: MGA7's gnuplot-qt is missing a dependency to gnuplot-nox, and probably one to gnuplot as well. Consequently, if a Plasma user installs gnuplot-qt without those dependencies, it will not work properly. It seems to me we could go two ways here. We can send this on its way because of the security issue and file a new bug report on the dependency issue, or we can fix the dependency problem now. Which way is best?
Keywords: (none) => feedback
Normally we'd ok/validate the update and open a new bug report for the problem, assuming it's not a regression. If it's a regression then the update is rejected until fixed.
CC: (none) => davidwhodgins
OK, thanks. OKing, and validating. Advisory in Comment 5.
Keywords: feedback => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
See Bug 28553 for the dependency issue.
This had not been pushed before 28553 came to 7/updates_testing, so the packages tested here are gone. Closing this, adding the advisory there in 28553.
Resolution: (none) => WONTFIX
CC: (none) => ouaurelien
Whiteboard: MGA7-64-OK => (none)
CVE: (none) => CVE-2020-25559
Status: NEW => RESOLVED
Keywords: validated_update => (none)
Don't close it as WONTFIX.
Status: RESOLVED => REOPENED
Resolution: WONTFIX => (none)
Depends on: (none) => 28553
Assignee: qa-bugs => geiger.david68210
Fixed: https://advisories.mageia.org/MGASA-2021-0127.html
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED