* [meta-oe][scarthgap][PATCH 1/7] gnuplot: fix CVE-2025-3359
From: peng.zhang1.cn @ 2025-09-02 7:44 UTC
To: openembedded-devel
From: Zhang Peng <peng.zhang1.cn@windriver.com>
CVE-2025-3359:
A flaw was found in GNUPlot. A segmentation fault via IO_str_init_static_internal
may jeopardize the environment.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-3359]
Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/a5897feadc4be73b0ffd8458556c47117bd24d03/]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
.../gnuplot/gnuplot/CVE-2025-3359.patch | 67 +++++++++++++++++++
.../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 1 +
2 files changed, 68 insertions(+)
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch
new file mode 100644
index 0000000000..d2de00ec6d
--- /dev/null
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch
@@ -0,0 +1,67 @@
+From 997b4ee68275664b94e0c881ace5121d79c0c29c Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 25 Mar 2025 22:51:54 -0700
+Subject: [PATCH] hpgl: font name parsing overruns the string by one char
+
+if no comma is present in the font name.
+E.g.
+ set term pcl
+ set title "Title" font "sans" # no comma in font name
+ plot x
+
+Bug 2781
+
+CVE: CVE-2025-3359
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/a5897feadc4be73b0ffd8458556c47117bd24d03/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ term/hpgl.trm | 28 +++++++++++-----------------
+ 1 file changed, 11 insertions(+), 17 deletions(-)
+
+diff --git a/term/hpgl.trm b/term/hpgl.trm
+index 04088977d..fdb4c7083 100644
+--- a/term/hpgl.trm
++++ b/term/hpgl.trm
+@@ -1650,28 +1650,22 @@ TERM_PUBLIC int
+ HPGL2_set_font(const char *font)
+ {
+ char name[MAX_ID_LEN + 1];
+- int sep;
+- int int_size;
+- double size;
++ char *sep;
++ double size = HPGL2_point_size;
+
+ if (font == NULL)
+ font = "";
+
+- sep = strcspn(font, ",");
+- strncpy(name, font, sizeof(name));
+-
+- if (sep < sizeof(name))
+- name[sep] = NUL;
+-
+-/* determine font size, use default from options if invalid */
+- int_size = 0;
+- /* FIXME: use strtod instead */
+- sscanf(&(font[sep + 1]), "%d", &int_size);
+- if (int_size > 0)
+- size = int_size;
+- else
+- size = HPGL2_point_size;
++ safe_strncpy(name, font, sizeof(name));
+
++ /* determine font size, use default from options if invalid */
++ sep = strchr(font, ',');
++ if (sep) {
++ double req_size = strtod(sep+1, NULL);
++ if (req_size > 0)
++ size = req_size;
++ *sep = '\0';
++ }
+ return HPGL2_set_font_size(name, size);
+ }
+
+--
+2.43.0
+
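Review bot: In the HPGL2_set_font hunk of term/hpgl.trm, `name` is filled by `safe_strncpy(name, font, sizeof(name))` before the comma is looked up, and the terminator is then written with `*sep = '\0'` where `sep` points into `font`, not into `name`. As the lines stand, `name` still carries the `,size` suffix when it reaches `HPGL2_set_font_size(name, size)`, and the write goes through a pointer derived from a `const char *` argument, so it modifies the caller's string. The removed code truncated `name[sep]` instead. Suggest keeping the size lookup on `font` but cutting `name` at the same offset when it falls inside the buffer, or checking whether upstream has a follow-up commit that should be backported together with this one.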
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
index fe5e5c067d..eff2ccc98c 100644
--- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
@@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
http://www.mneuroth.de/privat/zaurus/qtplot-0.2.tar.gz;name=qtplot \
file://gnuplot.desktop \
file://gnuplot.png \
+ file://CVE-2025-3359.patch \
"
SRC_URI:append:class-target = " \
file://0002-do-not-build-demos.patch \
--
2.50.0
* [meta-oe][scarthgap][PATCH 2/7] gnuplot: fix CVE-2025-31176
From: peng.zhang1.cn @ 2025-09-02 7:44 UTC
To: openembedded-devel
From: Zhang Peng <peng.zhang1.cn@windriver.com>
CVE-2025-31176:
A flaw was found in gnuplot. The plot3d_points() function may lead to a segmentation
fault and cause a system crash.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31176]
Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b456a3ef618f55a20b3071d336cb20514274f1d4/]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
.../gnuplot/gnuplot/CVE-2025-31176.patch | 86 +++++++++++++++++++
.../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 1 +
2 files changed, 87 insertions(+)
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch
new file mode 100644
index 0000000000..7fdabff476
--- /dev/null
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch
@@ -0,0 +1,86 @@
+From d0664704daa46d2e4440c0c50057d0dfa47467ea Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 11 Mar 2025 12:31:54 -0700
+Subject: [PATCH] guard against invalid read from plot->labels
+
+If a plot style uses points and the point chosen has PT_CHARACTER
+then the program looks for a possible font in plot->labels->font.
+These plot styles contain a flag bit HAS_POINT (gp_types.h).
+The program makes sure to initialize plot->labels for these styles.
+However a problem arises when a plot style that doesn't use points
+nevertheless triggers this same attempted font lookup by using a
+linetype that happens to use pointtype PT_CHARACTER.
+I think this is only possible with 'splot' but I added parallel
+checks for 'plot' as well.
+
+Bug 2776
+
+CVE: CVE-2025-31176
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b456a3ef618f55a20b3071d336cb20514274f1d4/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/boundary.c | 2 +-
+ src/graph3d.c | 4 ++--
+ src/graphics.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/boundary.c b/src/boundary.c
+index fd2ac86f4..60dbce042 100644
+--- a/src/boundary.c
++++ b/src/boundary.c
+@@ -1440,7 +1440,7 @@ do_key_sample_point(
+ (*t->pointsize)(pointsize);
+ if (on_page(xl + key_point_offset, yl)) {
+ if (this_plot->lp_properties.p_type == PT_CHARACTER) {
+- if (this_plot->labels->textcolor.type != TC_DEFAULT)
++ if (this_plot->labels && this_plot->labels->textcolor.type != TC_DEFAULT)
+ apply_pm3dcolor(&(this_plot->labels->textcolor));
+ (*t->put_text) (xl + key_point_offset, yl,
+ this_plot->lp_properties.p_char);
+diff --git a/src/graph3d.c b/src/graph3d.c
+index 0d3ca7221..48b02f580 100644
+--- a/src/graph3d.c
++++ b/src/graph3d.c
+@@ -2016,7 +2016,7 @@ plot3d_points(struct surface_points *plot)
+ /* Set whatever we can that applies to every point in the loop */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+ ignore_enhanced(TRUE);
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) (plot->labels->font);
+ (*t->justify_text) (CENTRE);
+ }
+@@ -2111,7 +2111,7 @@ plot3d_points(struct surface_points *plot)
+
+ /* Return to initial state */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) ("");
+ ignore_enhanced(FALSE);
+ }
+diff --git a/src/graphics.c b/src/graphics.c
+index bdbebe92a..2b500b12b 100644
+--- a/src/graphics.c
++++ b/src/graphics.c
+@@ -2353,7 +2353,7 @@ plot_points(struct curve_points *plot)
+ /* Set whatever we can that applies to every point in the loop */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+ ignore_enhanced(TRUE);
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) (plot->labels->font);
+ (*t->justify_text) (CENTRE);
+ }
+@@ -2475,7 +2475,7 @@ plot_points(struct curve_points *plot)
+
+ /* Return to initial state */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) ("");
+ ignore_enhanced(FALSE);
+ }
+--
+2.43.0
+
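Review bot: The five added `labels &&` guards in src/boundary.c, src/graph3d.c and src/graphics.c cover only the dereferences the upstream commit touched, and this backport lands on the 5.4.3 tree rather than the tree that commit was written against. Please confirm 5.4.3 has no other `->labels->` dereference under a `p_type == PT_CHARACTER` branch that would still see a NULL `labels`. The commit message describes the trigger (a non-point style whose linetype uses PT_CHARACTER) but nothing in the series exercises it, so a note in the cover text that the case was run against the patched 5.4.3 build would help.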
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
index eff2ccc98c..18722b3641 100644
--- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
file://gnuplot.desktop \
file://gnuplot.png \
file://CVE-2025-3359.patch \
+ file://CVE-2025-31176.patch \
"
SRC_URI:append:class-target = " \
file://0002-do-not-build-demos.patch \
--
2.50.0
* [meta-oe][scarthgap][PATCH 3/7] gnuplot: fix CVE-2025-31177
From: peng.zhang1.cn @ 2025-09-02 7:44 UTC
To: openembedded-devel
From: Zhang Peng <peng.zhang1.cn@windriver.com>
CVE-2025-31177:
gnuplot is affected by a heap buffer overflow at function utf8_copy_one.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31177]
Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/226809aebb345e74d371bb43a2b434b490be527a/]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
.../gnuplot/gnuplot/CVE-2025-31177.patch | 40 +++++++++++++++++++
.../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31177.patch
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31177.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31177.patch
new file mode 100644
index 0000000000..dcacf538b2
--- /dev/null
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31177.patch
@@ -0,0 +1,40 @@
+From 36a4355010a81a78cf9df03d3c76dcd599ed994b Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Wed, 15 Jan 2025 11:56:13 -0800
+Subject: [PATCH] dumb: more stringent tests against y bound of dumb terminal
+ charcell array
+
+Bug 2756
+
+CVE: CVE-2025-31177
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/226809aebb345e74d371bb43a2b434b490be527a/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ term/dumb.trm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/term/dumb.trm b/term/dumb.trm
+index c93afb94e..bb22ca25f 100644
+--- a/term/dumb.trm
++++ b/term/dumb.trm
+@@ -637,7 +637,7 @@ DUMB_put_text(unsigned int x, unsigned int y, const char *str)
+ {
+ int i, length;
+
+- if (y > dumb_ymax)
++ if (y < 0 || y > dumb_ymax)
+ return;
+
+ length = gp_strlen(str);
+@@ -784,7 +784,7 @@ ENHdumb_FLUSH()
+ y += i;
+
+ /* print the string fragment, perhaps invisibly */
+- if (ENHdumb_show && y < dumb_ymax) {
++ if (ENHdumb_show && (0 <= y && y < dumb_ymax)) {
+ #ifdef DUMB_UTF8
+ for (i = 0; i < len && x < dumb_xmax; i++, x++) {
+ utf8_copy_one( (char *)(&DUMB_PIXEL(x, y)), gp_strchrn(str,i));
+--
+2.43.0
+
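Review bot: In the DUMB_put_text hunk of term/dumb.trm, the hunk header shows the parameter as `unsigned int y`, so the added `y < 0` can never be true and the test behaves exactly like the old `y > dumb_ymax`; a negative coordinate would reach this function as a large unsigned value and fall to the upper-bound test. The two hunks also disagree on that bound: DUMB_put_text lets `y == dumb_ymax` through while ENHdumb_FLUSH requires `y < dumb_ymax`. Worth confirming which bound matches the charcell array, and whether `y` in ENHdumb_FLUSH (its declaration is not visible here) is signed, since otherwise `0 <= y` is equally a no-op.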
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
index 18722b3641..18f98aa503 100644
--- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
@@ -17,6 +17,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
file://gnuplot.png \
file://CVE-2025-3359.patch \
file://CVE-2025-31176.patch \
+ file://CVE-2025-31177.patch \
"
SRC_URI:append:class-target = " \
file://0002-do-not-build-demos.patch \
--
2.50.0
* [meta-oe][scarthgap][PATCH 4/7] gnuplot: fix CVE-2025-31178
From: peng.zhang1.cn @ 2025-09-02 7:44 UTC
To: openembedded-devel
From: Zhang Peng <peng.zhang1.cn@windriver.com>
CVE-2025-31178:
A flaw was found in gnuplot. The GetAnnotateString() function may lead to a
segmentation fault and cause a system crash.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31178]
Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b78cc829a18e9436daaa859c96f3970157f3171e/]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
.../gnuplot/gnuplot/CVE-2025-31178.patch | 95 +++++++++++++++++++
.../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 1 +
2 files changed, 96 insertions(+)
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch
new file mode 100644
index 0000000000..c783d75180
--- /dev/null
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch
@@ -0,0 +1,95 @@
+From c625576a4e086f8e3ad6f23559052494465722c6 Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 14 Jan 2025 21:23:19 -0800
+Subject: [PATCH] use snprintf to protect against garbage user-supplied mouse
+ format
+
+Bug 2754
+
+CVE: CVE-2025-31178
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b78cc829a18e9436daaa859c96f3970157f3171e/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/mouse.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/src/mouse.c b/src/mouse.c
+index ef8f14d71..1571144ce 100644
+--- a/src/mouse.c
++++ b/src/mouse.c
+@@ -168,7 +168,7 @@ static void alert(void);
+ static void MousePosToGraphPosReal(int xx, int yy, double *x, double *y, double *x2, double *y2);
+ static char *xy_format(void);
+ static char *zoombox_format(void);
+-static char *GetAnnotateString(char *s, double x, double y, int mode, char *fmt);
++static char *GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt);
+ static char *xDateTimeFormat(double x, char *b, int mode);
+ static void GetRulerString(char *p, double x, double y);
+ static void apply_zoom(struct t_zoom * z);
+@@ -418,7 +418,7 @@ zoombox_format()
+ /* formats the information for an annotation (middle mouse button clicked)
+ */
+ static char *
+-GetAnnotateString(char *s, double x, double y, int mode, char *fmt)
++GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt)
+ {
+ if (axis_array[FIRST_X_AXIS].datatype == DT_DMS
+ || axis_array[FIRST_Y_AXIS].datatype == DT_DMS) {
+@@ -473,11 +473,11 @@ GetAnnotateString(char *s, double x, double y, int mode, char *fmt)
+ r = rmin + x/cos(phi);
+
+ if (fmt)
+- sprintf(s, fmt, theta, r);
++ snprintf(s, len, fmt, theta, r);
+ else
+ sprintf(s, "theta: %.1f%s r: %g", theta, degree_sign, r);
+ } else if ((mode == MOUSE_COORDINATES_ALT) && fmt) {
+- sprintf(s, fmt, x, y); /* user defined format */
++ snprintf(s, len, fmt, x, y); /* user defined format */
+ } else if (mode == MOUSE_COORDINATES_FUNCTION) {
+ /* EXPERIMENTAL !!! */
+ t_value original_x, original_y;
+@@ -500,7 +500,7 @@ GetAnnotateString(char *s, double x, double y, int mode, char *fmt)
+ gpfree_string(&readout);
+ } else {
+ /* Default format ("set mouse mouseformat" is not active) */
+- sprintf(s, xy_format(), x, y); /* usual x,y values */
++ snprintf(s, len, xy_format(), x, y); /* usual x,y values */
+ }
+ return s + strlen(s);
+ }
+@@ -886,10 +886,10 @@ UpdateStatuslineWithMouseSetting(mouse_setting_t * ms)
+ strcat(format, ms->fmt);
+ strcat(format, ", ");
+ strcat(format, ms->fmt);
+- sprintf(s0, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale);
++ snprintf(s0, 255, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale);
+ } else if (!TICS_ON(axis_array[SECOND_X_AXIS].ticmode) && !TICS_ON(axis_array[SECOND_Y_AXIS].ticmode)) {
+ /* only first X and Y axis are in use */
+- sp = GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string);
++ sp = GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string);
+ if (ruler.on)
+ GetRulerString(sp, real_x, real_y);
+ } else {
+@@ -2116,7 +2116,7 @@ event_buttonrelease(struct gp_event_t *ge)
+ * only place, if the user didn't drag (rotate) the plot */
+
+ if (!is_3d_plot || !motion) {
+- GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string);
++ GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string);
+ term->set_clipboard(s0);
+ if (display_ipc_commands()) {
+ fprintf(stderr, "put `%s' to clipboard.\n", s0);
+@@ -2129,8 +2129,7 @@ event_buttonrelease(struct gp_event_t *ge)
+ * only done if the user didn't drag (scale) the plot */
+
+ if (!is_3d_plot || !motion) {
+-
+- GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string);
++ GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string);
+ if (mouse_setting.label) {
+ if (modifier_mask & Mod_Ctrl) {
+ remove_label(mouse_x, mouse_y);
+--
+2.43.0
+
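Review bot: In the GetAnnotateString hunks of src/mouse.c, `snprintf(s, len, fmt, x, y)` bounds how many bytes land in `s`, but the user-supplied `fmt` is still interpreted as the format string with two double arguments, so a format whose conversions do not match two doubles remains undefined behavior; consider validating the format before it is used. The size is passed as the literal `255` at all three GetAnnotateString call sites and in `snprintf(s0, 255, format, ...)`; the declaration of `s0` is not visible, so `sizeof(s0)` or a named constant would keep the bound tied to the real buffer. `GetRulerString(sp, real_x, real_y)` still appends at `s + strlen(s)` with no length argument, and the polar branch keeps one plain `sprintf`.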
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
index 18f98aa503..7dfe4b6657 100644
--- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
@@ -18,6 +18,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
file://CVE-2025-3359.patch \
file://CVE-2025-31176.patch \
file://CVE-2025-31177.patch \
+ file://CVE-2025-31178.patch \
"
SRC_URI:append:class-target = " \
file://0002-do-not-build-demos.patch \
--
2.50.0
* [meta-oe][scarthgap][PATCH 5/7] gnuplot: fix CVE-2025-31179
From: peng.zhang1.cn @ 2025-09-02 7:44 UTC
To: openembedded-devel
From: Zhang Peng <peng.zhang1.cn@windriver.com>
CVE-2025-31179:
A flaw was found in gnuplot. The xstrftime() function may lead to a
segmentation fault, causing a system crash.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31179]
Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/ed647df512786b3c94429dd5c864715301e03ea5/]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
.../gnuplot/gnuplot/CVE-2025-31179.patch | 35 +++++++++++++++++++
.../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 1 +
2 files changed, 36 insertions(+)
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31179.patch
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31179.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31179.patch
new file mode 100644
index 0000000000..a7ec6e78f0
--- /dev/null
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31179.patch
@@ -0,0 +1,35 @@
+From 92c147cbcb8c28e4662963b378fc31e1d58c72f2 Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 11 Mar 2025 16:31:23 -0700
+Subject: [PATCH] guard against trying to format a huge number as a time
+
+The time formatting code does not handle time_in_seconds > 1.e12
+(sometime in the year 33658).
+
+Bug 2779
+CVE: CVE-2025-31179
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/ed647df512786b3c94429dd5c864715301e03ea5/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/mouse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/mouse.c b/src/mouse.c
+index 1571144ce..86dee805c 100644
+--- a/src/mouse.c
++++ b/src/mouse.c
+@@ -513,6 +513,11 @@ static char *
+ xDateTimeFormat(double x, char *b, int mode)
+ {
+ struct tm tm;
++ if (fabs(x) > 1.e12) { /* Some time in the year 33688 */
++ int_warn(NO_CARET, "time value out of range");
++ *b = '\0';
++ return b;
++ }
+
+ switch (mode) {
+ case MOUSE_COORDINATES_XDATE:
+--
+2.43.0
+
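Review bot: In the xDateTimeFormat hunk of src/mouse.c, `fabs(x) > 1.e12` is false when `x` is NaN, so a NaN time value passes the guard and reaches the `switch` below; writing the test as `!(fabs(x) <= 1.e12)` rejects NaN along with out-of-range and infinite values. The code comment says year 33688 while the commit message says 33658; 1e12 seconds after 1970 falls in 33658, so the comment looks like a typo carried over from upstream. The hunk adds no include, so it relies on `fabs` already being declared in this file.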
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
index 7dfe4b6657..c05ecd2b95 100644
--- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
@@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
file://CVE-2025-31176.patch \
file://CVE-2025-31177.patch \
file://CVE-2025-31178.patch \
+ file://CVE-2025-31179.patch \
"
SRC_URI:append:class-target = " \
file://0002-do-not-build-demos.patch \
--
2.50.0
* [meta-oe][scarthgap][PATCH 6/7] gnuplot: fix CVE-2025-31180
From: peng.zhang1.cn @ 2025-09-02 7:44 UTC
To: openembedded-devel
From: Zhang Peng <peng.zhang1.cn@windriver.com>
CVE-2025-31180:
A flaw was found in gnuplot. The CANVAS_text() function may lead to a
segmentation fault and cause a system crash.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31180]
Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b2343fd02c4fff94957f0151b73daa0a1f7fec49/]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
.../gnuplot/gnuplot/CVE-2025-31180.patch | 43 +++++++++++++++++++
.../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 1 +
2 files changed, 44 insertions(+)
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31180.patch
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31180.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31180.patch
new file mode 100644
index 0000000000..e444a87128
--- /dev/null
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31180.patch
@@ -0,0 +1,43 @@
+From ec0fa6117d8e98918a030e31c2e8df32ab6e4542 Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 14 Jan 2025 21:54:14 -0800
+Subject: [PATCH] canvas: handle nonlinear x2 or y2 axis with an incomplete
+ definition
+
+Actually "handle" means "ignore".
+But now it doesn't segfault trying to probe a non-existant link function.
+
+Bug 2755
+
+CVE: CVE-2025-31180
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b2343fd02c4fff94957f0151b73daa0a1f7fec49/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ term/canvas.trm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/term/canvas.trm b/term/canvas.trm
+index fee3e5dfa..e796cec0d 100644
+--- a/term/canvas.trm
++++ b/term/canvas.trm
+@@ -646,7 +646,7 @@ CANVAS_text()
+ } else
+ fprintf(gpoutfile, "gnuplot.plot_axis_x2min = \"none\"\n");
+ if (axis_array[SECOND_X_AXIS].linked_to_primary
+- && axis_array[FIRST_X_AXIS].link_udf->at) {
++ && axis_array[FIRST_X_AXIS].link_udf && axis_array[FIRST_X_AXIS].link_udf->at) {
+ fprintf(gpoutfile, "gnuplot.x2_mapping = function(x) { return x; };");
+ fprintf(gpoutfile, " // replace returned value with %s\n",
+ axis_array[FIRST_X_AXIS].link_udf->definition);
+@@ -657,7 +657,7 @@ CANVAS_text()
+ } else
+ fprintf(gpoutfile, "gnuplot.plot_axis_y2min = \"none\"\n");
+ if (axis_array[SECOND_Y_AXIS].linked_to_primary
+- && axis_array[FIRST_Y_AXIS].link_udf->at) {
++ && axis_array[FIRST_Y_AXIS].link_udf && axis_array[FIRST_Y_AXIS].link_udf->at) {
+ fprintf(gpoutfile, "gnuplot.y2_mapping = function(y) { return y; };");
+ fprintf(gpoutfile, " // replace returned value with %s\n",
+ axis_array[FIRST_Y_AXIS].link_udf->definition);
+--
+2.43.0
+
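Review bot: In both CANVAS_text hunks of term/canvas.trm, the condition tests `linked_to_primary` on the SECOND axis but checks and dereferences `link_udf` on the FIRST axis (`axis_array[FIRST_X_AXIS].link_udf`, `axis_array[FIRST_Y_AXIS].link_udf`). The added NULL test makes that dereference safe, but it is worth confirming against the upstream tree that the asymmetry is intended. With the guard in place an incompletely defined link skips the `gnuplot.x2_mapping` / `gnuplot.y2_mapping` output silently; a warning at that point would tell the user the nonlinear axis was ignored.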
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
index c05ecd2b95..c2644eaa33 100644
--- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
@@ -20,6 +20,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
file://CVE-2025-31177.patch \
file://CVE-2025-31178.patch \
file://CVE-2025-31179.patch \
+ file://CVE-2025-31180.patch \
"
SRC_URI:append:class-target = " \
file://0002-do-not-build-demos.patch \
--
2.50.0
* [meta-oe][scarthgap][PATCH 7/7] gnuplot: fix CVE-2025-31181
From: peng.zhang1.cn @ 2025-09-02 7:44 UTC
To: openembedded-devel
From: Zhang Peng <peng.zhang1.cn@windriver.com>
CVE-2025-31181:
A flaw was found in gnuplot. The X11_graphics() function may lead to a
segmentation fault and cause a system crash.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31181]
Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/af96c2c1b20383684b1ec2084dab7936f7053031/]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
.../gnuplot/gnuplot/CVE-2025-31181.patch | 43 +++++++++++++++++++
.../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 1 +
2 files changed, 44 insertions(+)
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31181.patch
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31181.patch b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31181.patch
new file mode 100644
index 0000000000..2de4617ff1
--- /dev/null
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31181.patch
@@ -0,0 +1,43 @@
+From 2d9e68278aece7e971815d9c3ec297c5e9bc51bd Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 14 Jan 2025 20:56:37 -0800
+Subject: [PATCH] x11: protect against double fclose() if two errors in a row
+
+Bug 2753
+
+CVE: CVE-2025-31181
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/af96c2c1b20383684b1ec2084dab7936f7053031/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ term/x11.trm | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/term/x11.trm b/term/x11.trm
+index 458fcf5f9..1b51a80c8 100644
+--- a/term/x11.trm
++++ b/term/x11.trm
+@@ -856,8 +856,9 @@ X11_atexit()
+ /* dont wait(), since they might be -persist */
+ X11_ipc = NULL;
+ #ifdef PIPE_IPC
+- close(ipc_back_fd);
+- ipc_back_fd = -1;
++ if (ipc_back_fd >= 0)
++ close(ipc_back_fd);
++ ipc_back_fd = IPC_BACK_CLOSED;
+ #endif
+ }
+ }
+@@ -1412,7 +1413,8 @@ X11_graphics()
+ #ifdef PIPE_IPC
+ /* if we know the outboard driver has stopped, restart it */
+ if (ipc_back_fd == IPC_BACK_CLOSED) {
+- fclose(X11_ipc);
++ if (X11_ipc > 0)
++ fclose(X11_ipc);
+ X11_ipc = NULL;
+ X11_init();
+ }
+--
+2.43.0
+
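Review bot: In the X11_graphics hunk of term/x11.trm, `X11_ipc` is passed to `fclose()` and assigned `NULL`, so it is a `FILE *`, and `X11_ipc > 0` is an ordered comparison of a pointer against integer zero; compilers warn on it and ISO C does not define a relational comparison between a pointer and an integer constant. `if (X11_ipc != NULL)` states the intent directly. In the X11_atexit hunk the sentinel changes from `-1` to `IPC_BACK_CLOSED`, whose value is not visible here; the `ipc_back_fd >= 0` test only protects against a repeated `close()` if that constant is negative.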
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
index c2644eaa33..b945cc318d 100644
--- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb
@@ -21,6 +21,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
file://CVE-2025-31178.patch \
file://CVE-2025-31179.patch \
file://CVE-2025-31180.patch \
+ file://CVE-2025-31181.patch \
"
SRC_URI:append:class-target = " \
file://0002-do-not-build-demos.patch \
--
2.50.0