
gnuplot 5.x Buffer overflow vulnerability

I would like to use gnuplot 5.x on my employer's hardware platforms (Dell workstations & laptop running Windows 7 and 10 respectively). Our system administration has identified "buffer overflow vulnerabilities" associated with this software.

A simple search for "gnuplot buffer overflow" on Google yields some information related to this, eg:

https://sourceforge.net/p/gnuplot/bugs/2093/
https://sourceforge.net/p/gnuplot/bugs/1413/
https://research.loginsoft.com/bugs/buffer-overflow-vulnerability-in-ps_options-gnuplot-5-2-5/

I am not a C++-savvy software programmer nor a cyber-security specialist. What I see in some of these posts is comments like: Link #1: "an attacker might use this flaw to overflow important data to hijack the control flow". Link #3: "This allows an attacker to cause Denial of Service (Segmentation fault and Memory Corruption) or possibly have unspecified other impacts when a victim opens a specially crafted file".

And I am thinking to myself: "Really?". Are these assessments credible, and if so, how can such a long-established and widely-used tool have such a serious flaw?

As you can imagine, I am having trouble getting the installation and usage of gnuplot approved by my employer. Any evidence-based information you can provide to shed light on this matter would be very much appreciated.

Thank you very much. Maziar.

All programs have bugs. You point to two specific bugs that were identified in 2018, reported on the project bug tracker, and fixed in the first subsequent release of the program. In both cases the bugs were of the sort "you could crash this program if you give it certain improperly formed commands". Those particular bugs no longer exist in current versions of the program, since they were reported and fixed. But other bugs of the sort probably exist in gnuplot and in every single program running on your computer. That's life in an imperfect world.

In other words, you or your employer's security policy must decide whether it is really a problem that "this program might crash if you feed it garbage".

A more realistic concern is that gnuplot is essentially a scripting language. It can read and write any file that the user has permission to access. If you run a gnuplot script that came from a malicious source, it might overwrite your files or issue harmful commands to your system. This is the same concern as if you downloaded and executed a *.com or *.exe file, a python script, or any other series of commands provided by a malicious source. It's not really an indictment of the program, only of lax security practices by the user.
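The answer's point is that the real risk is the script, not the binary: gnuplot can shell out and can read or write files on the user's behalf. A practical control for an employer that wants to approve the tool is to review scripts from outside sources before they are run. The following is an added example, not code from the page or from the gnuplot project: a small pre-flight scanner that flags the gnuplot constructs that reach outside the plotting engine (the `!` shell escape, the `shell` command, the `system()` function, backtick command substitution, and the file-writing and file-loading commands). The rule list and the sample script are constructed for illustration; the comment handling is a simplification (it drops text after an unquoted `#`) and is not a full gnuplot parser.

```python
import re
from typing import Dict, List, Tuple

# Each rule pairs a label with a pattern for a gnuplot construct that can
# touch the shell or the filesystem. The list is illustrative, not exhaustive.
RULES: List[Tuple[str, re.Pattern]] = [
    ("shell-escape", re.compile(r"^\s*!")),               # "!cmd" hands the line to the shell
    ("shell-command", re.compile(r"^\s*shell\b")),        # "shell" spawns an interactive shell
    ("system-call", re.compile(r"\bsystem\s*\(")),        # system("cmd") runs cmd, returns output
    ("backtick-substitution", re.compile(r"`[^`]*`")),    # `cmd` is replaced by cmd's output
    ("file-write", re.compile(r"^\s*(set\s+(output|print|table)|save)\b")),  # writes files
    ("file-read-or-exec", re.compile(r"^\s*(load|call)\b")),                 # runs another script
]


def strip_comment(line: str) -> str:
    """Drop everything from the first '#' that is not inside a quoted string."""
    in_quote = None
    for i, ch in enumerate(line):
        if in_quote:
            if ch == in_quote:
                in_quote = None
        elif ch in ('"', "'"):
            in_quote = ch
        elif ch == "#":
            return line[:i]
    return line


def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_label, line) for every flagged construct, in file order."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = strip_comment(raw)
        if not code.strip():
            continue
        for label, pattern in RULES:
            if pattern.search(code):
                findings.append((lineno, label, code.strip()))
    return findings


def summarize(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count findings per rule so a reviewer can see at a glance what the script does."""
    counts: Dict[str, int] = {}
    for _, label, _ in findings:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: an ordinary plot followed by lines a reviewer would want to see.
SAMPLE_SCRIPT = "\n".join([
    "# constructed sample gnuplot script",
    "set terminal png",
    'set output "plot.png"',
    'plot sin(x) title "sin"   # comment mentioning system( is ignored',
    "!echo hello",
    'x = system("whoami")',
    "set title `hostname`",
    'load "helper.gp"',
])

if __name__ == "__main__":
    results = scan_script(SAMPLE_SCRIPT)
    for lineno, label, line in results:
        print(f"line {lineno:3d}  {label:22s}  {line}")
    print("summary:", summarize(results))
```

A script that produces no findings only draws plots; one that shells out or writes files is not necessarily malicious, but it is the kind the answer says deserves the same scrutiny as any other downloaded executable.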
