Summary: media-libs/leptonica: Multiple vulnerabilities
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B1 [ebuild cve]
Package list: (none)
Runtime testing required: ---
Description GLSAMaker/CVETool Bot 2018-03-06 15:25:38 UTC
CVE-2018-7442 (https://nvd.nist.gov/vuln/detail/CVE-2018-7442): An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput function does not block '/' characters in the gplot rootname argument, potentially leading to path traversal and arbitrary file overwrite.

CVE-2018-7441 (https://nvd.nist.gov/vuln/detail/CVE-2018-7441): Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might allow local users to overwrite arbitrary files or have unspecified other impact by creating files in advance or winning a race condition, as demonstrated by /tmp/junk_split_image.ps in prog/splitimage2pdf.c.

CVE-2018-7440 (https://nvd.nist.gov/vuln/detail/CVE-2018-7440): An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput function allows command injection via a $(command) approach in the gplot rootname argument. This issue exists because of an incomplete fix for CVE-2018-3836.

CVE-2018-7247 (https://nvd.nist.gov/vuln/detail/CVE-2018-7247): An issue was discovered in pixHtmlViewer in prog/htmlviewer.c in Leptonica before 1.75.3. Unsanitized input (rootname) can overflow a buffer, leading potentially to arbitrary code execution or possibly unspecified other impact.

CVE-2018-7186 (https://nvd.nist.gov/vuln/detail/CVE-2018-7186): Leptonica before 1.75.3 does not limit the number of characters in a %s format argument to fscanf or sscanf, which allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a long string, as demonstrated by the gplotRead and ptaReadStream functions.

CVE-2017-18196 (https://nvd.nist.gov/vuln/detail/CVE-2017-18196): Leptonica 1.74.4 constructs unintended pathnames (containing duplicated path components) when operating on files in /tmp subdirectories, which might allow local users to bypass intended file restrictions by leveraging access to a directory located deeper within the /tmp directory tree, as demonstrated by /tmp/ANY/PATH/ANY/PATH/input.tif.
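The three defect classes in the CVE descriptions above (an unrestricted rootname reaching file names and a shell command line, hardcoded /tmp paths, and unbounded %s in sscanf/fscanf) each have a standard mitigation. The following is an added example written for this page, not Leptonica code and not the upstream fixes: rootname_is_safe, read_token_bounded and open_private_tempfile are hypothetical names, and the length limits are chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1. Allow-list check for a plot rootname that will be used both as a
 *    file-name prefix and inside a command passed to a shell. Rejecting
 *    everything outside [A-Za-z0-9_.-] closes both the '/' traversal and
 *    the "$(command)" injection cases in one rule. Limit is illustrative. */
#define ROOTNAME_MAX 64

int rootname_is_safe(const char *name)
{
    if (name == NULL) return 0;
    size_t n = strlen(name);
    if (n == 0 || n > ROOTNAME_MAX) return 0;
    if (name[0] == '-' || name[0] == '.') return 0;   /* no option-like or hidden names */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;   /* '/', '$', '(', ')', '`', ';', '|', whitespace, ... */
    }
    return 1;
}

/* 2. Bounded replacement for sscanf(line, "%s", dst): a width in the
 *    conversion caps what sscanf writes, and %n lets us detect that the
 *    token was longer than the buffer instead of silently using a prefix.
 *    dst must hold at least TOKEN_MAX + 1 bytes. Returns 1 on success. */
#define TOKEN_MAX 31
#define STR2(x) #x
#define STR(x) STR2(x)

int read_token_bounded(const char *line, char *dst, size_t dstsize)
{
    int consumed = 0;
    if (line == NULL || dst == NULL || dstsize < TOKEN_MAX + 1) return 0;
    /* "%31s%n": width and buffer size come from the same constant */
    if (sscanf(line, "%" STR(TOKEN_MAX) "s%n", dst, &consumed) != 1) return 0;
    /* more non-space characters after the field means it was truncated */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed])) {
        dst[0] = '\0';
        return 0;
    }
    return 1;
}

/* 3. Instead of a fixed, predictable name under /tmp, create the file with
 *    mkstemp (unique name, O_EXCL, mode 0600) in $TMPDIR or /tmp. The caller
 *    receives the open descriptor and the path it must later unlink. */
int open_private_tempfile(char *path, size_t pathsize)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] == '\0') dir = "/tmp";
    int written = snprintf(path, pathsize, "%s/lept_example_XXXXXX", dir);
    if (written < 0 || (size_t)written >= pathsize) return -1;
    return mkstemp(path);   /* -1 on failure, errno set */
}

int main(void)
{
    /* constructed sample inputs */
    const char *names[] = { "plot_out", "../etc/passwd", "$(id)", "a b" };
    for (size_t i = 0; i < 4; i++)
        printf("rootname %-16s -> %s\n", names[i], rootname_is_safe(names[i]) ? "ok" : "rejected");

    char tok[TOKEN_MAX + 1];
    printf("short token: %d (%s)\n", read_token_bounded("  hello world", tok, sizeof tok), tok);
    printf("long token:  %d\n", read_token_bounded("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", tok, sizeof tok));

    char path[256];
    int fd = open_private_tempfile(path, sizeof path);
    if (fd >= 0) { printf("tempfile: %s\n", path); close(fd); unlink(path); }
    return 0;
}
```

The rootname check is deliberately an allow-list rather than a deny-list of shell metacharacters: the incomplete fix noted for CVE-2018-3836 is the usual outcome of trying to enumerate what to reject.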
Comment 1 James Le Cuirot 2018-03-10 10:33:42 UTC
This is a fairly important library, being required by Tesseract, the only decent free OCR software out there. Unfortunately I'm not too optimistic about all these being fixed and I wouldn't be surprised if there are further issues waiting to be found. Upstream seems to have a slight disregard for security. I have spoken to him about the /tmp issues many times but he is very reluctant to change it. His response to CVE-2018-3836 was also not encouraging. I only maintain this and work with upstream because of a previous need for it that I no longer have so I am only willing to do so much. I'll see what Debian does.
Comment 2 James Le Cuirot 2018-05-03 22:13:25 UTC
I have now bumped this to 1.76.0 but I don't know whether this deals with all of these issues. I think some have been addressed.
Comment 3 John Helmert III 2020-06-18 00:49:45 UTC
It appears that only CVE-2018-7247 and CVE-2018-7286 have clear fixes, in c1079bb8e and ee301cb20 respectively. Both commits are in 1.76 onward.