[SECURITY] [DLA 1597-1] gnuplot security update

2018-11-2621:47:32

lists.debian.org

205

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.4%

JSON

Package : gnuplot
Version : 4.6.6-2+deb8u1
CVE ID : CVE-2018-19490 CVE-2018-19491 CVE-2018-19492

gnuplot, a command-line driven interactive plotting program, has been
examined with fuzzing by Tim Blazytko, Cornelius Aschermann, Sergej
Schumilo and Nils Bars.
They found various overflow cases which might lead to the execution of
arbitrary code.

Due to special toolchain hardening in Debian, CVE-2018-19492 is not
security relevant, but it is a bug and the patch was applied for the sake
of completeness. Probably some downstream project does not have the same
toolchain settings.

For Debian 8 "Jessie", these problems have been fixed in version
4.6.6-2+deb8u1.

We recommend that you upgrade your gnuplot packages.

OSVersionArchitecturePackageVersionFilename
Debian8allgnuplot< 4.6.6-2+deb8u1gnuplot_4.6.6-2+deb8u1_all.deb
Debian8armelgnuplot-x11< 4.6.6-2+deb8u1gnuplot-x11_4.6.6-2+deb8u1_armel.deb
Debian8i386gnuplot5-nox< 5.0.0~rc+dfsg2-1+deb8u1gnuplot5-nox_5.0.0~rc+dfsg2-1+deb8u1_i386.deb
Debian8amd64gnuplot5-nox< 5.0.0~rc+dfsg2-1+deb8u1gnuplot5-nox_5.0.0~rc+dfsg2-1+deb8u1_amd64.deb
Debian8amd64gnuplot5-qt< 5.0.0~rc+dfsg2-1+deb8u1gnuplot5-qt_5.0.0~rc+dfsg2-1+deb8u1_amd64.deb
Debian8allgnuplot-doc< 4.6.6-2+deb8u1gnuplot-doc_4.6.6-2+deb8u1_all.deb
Debian8amd64gnuplot-nox< 4.6.6-2+deb8u1gnuplot-nox_4.6.6-2+deb8u1_amd64.deb
Debian8amd64gnuplot5-x11< 5.0.0~rc+dfsg2-1+deb8u1gnuplot5-x11_5.0.0~rc+dfsg2-1+deb8u1_amd64.deb
Debian8armhfgnuplot5-qt< 5.0.0~rc+dfsg2-1+deb8u1gnuplot5-qt_5.0.0~rc+dfsg2-1+deb8u1_armhf.deb
Debian8armelgnuplot-qt< 4.6.6-2+deb8u1gnuplot-qt_4.6.6-2+deb8u1_armel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	gnuplot	< 4.6.6-2+deb8u1	gnuplot_4.6.6-2+deb8u1_all.deb
Debian	8	armel	gnuplot-x11	< 4.6.6-2+deb8u1	gnuplot-x11_4.6.6-2+deb8u1_armel.deb
Debian	8	i386	gnuplot5-nox	< 5.0.0~rc+dfsg2-1+deb8u1	gnuplot5-nox_5.0.0~rc+dfsg2-1+deb8u1_i386.deb
Debian	8	amd64	gnuplot5-nox	< 5.0.0~rc+dfsg2-1+deb8u1	gnuplot5-nox_5.0.0~rc+dfsg2-1+deb8u1_amd64.deb
Debian	8	amd64	gnuplot5-qt	< 5.0.0~rc+dfsg2-1+deb8u1	gnuplot5-qt_5.0.0~rc+dfsg2-1+deb8u1_amd64.deb
Debian	8	all	gnuplot-doc	< 4.6.6-2+deb8u1	gnuplot-doc_4.6.6-2+deb8u1_all.deb
Debian	8	amd64	gnuplot-nox	< 4.6.6-2+deb8u1	gnuplot-nox_4.6.6-2+deb8u1_amd64.deb
Debian	8	amd64	gnuplot5-x11	< 5.0.0~rc+dfsg2-1+deb8u1	gnuplot5-x11_5.0.0~rc+dfsg2-1+deb8u1_amd64.deb
Debian	8	armhf	gnuplot5-qt	< 5.0.0~rc+dfsg2-1+deb8u1	gnuplot5-qt_5.0.0~rc+dfsg2-1+deb8u1_armhf.deb
Debian	8	armel	gnuplot-qt	< 4.6.6-2+deb8u1	gnuplot-qt_4.6.6-2+deb8u1_armel.deb