Summary: | <media-libs/leptonica-1.77.0: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | ajak, chewi |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=869416 | ||
Whiteboard: | B1 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2018-03-06 15:25:38 UTC
This is a fairly important library, being required by Tesseract, the only decent free OCR software out there. Unfortunately I'm not too optimistic about all these being fixed and I wouldn't be surprised if there are further issues waiting to be found. Upstream seems to have a slight disregard for security. I have spoken to him about the /tmp issues many times but he is very reluctant to change it. His response to CVE-2018-3836 was also not encouraging. I only maintain this and work with upstream because of a previous need for it that I no longer have, so I am only willing to do so much. I'll see what Debian does.

I have now bumped this to 1.76.0 but I don't know whether this deals with all of these issues. I think some have been addressed.

It appears that only CVE-2018-7247 and CVE-2018-7286 have clear fixes, in c1079bb8e and ee301cb20 respectively. Both commits are in 1.76 onward.

All of these CVEs have been addressed in leptonica 1.77.0:

* CVE-2018-7442: potential injection attack because '/' is allowed in gplot rootdir. Functions using this command have been disabled by default in the distribution, starting with 1.76.0. As for the specific issue, it is impossible to specify a general path without using the standard directory subdivider '/'.
* CVE-2018-7186: number of characters not limited in fscanf or sscanf, allowing possible attack with buffer overflow. This has been fixed in 1.75.3.
* CVE-2018-3836: command injection vulnerability in gplotMakeOutput(). This has been fixed in 1.75.3, using stringCheckForChars() to block rootnames containing any of: ;&|>"?*$()/<
* CVE-2017-18196: duplicated path components. This was fixed in 1.75.3.
* CVE-2018-7441: hardcoded /tmp pathnames. These are all wrapped in special debug functions that are not enabled by default in the distribution, starting with 1.76.0.
* CVE-2018-7247: input 'rootname' can overflow a buffer. This was fixed in 1.76.0, using snprintf().
* CVE-2018-7440: command injection in gplotMakeOutput using $(command). Fixed in 1.75.3, which blocks '$' as well as 11 other characters.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ae470dfa87b9f8990a63603140849dc70c320603

commit ae470dfa87b9f8990a63603140849dc70c320603
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-18 07:24:40 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-18 07:26:01 +0000

    [ GLSA 202312-01 ] Leptonica: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/649752
    Bug: https://bugs.gentoo.org/869416
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-01.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
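The three mitigations the upstream reply above describes (rejecting the listed shell metacharacters in a gplot rootname, giving sscanf a field width, and building file names with snprintf) as an added, illustrative C example. It is not leptonica's code: the function names rootname_is_safe, build_output_name and parse_header, the "<name> <width> <height>" header line format, and the sample inputs in the comments are assumptions made for this example; the blocked-character string is transcribed from the bug comment.

```c
#include <stdio.h>
#include <string.h>

/* Characters the report says leptonica 1.75.3 blocks in a gplot rootname:
 * ;&|>"?*$()/<  (transcribed from the bug comment above). */
static const char kBlockedRootnameChars[] = ";&|>\"?*$()/<";

/* Returns 1 if rootname is non-empty and contains none of the blocked
 * characters, else 0. Illustrative stand-in for the stringCheckForChars()
 * check the report mentions, not leptonica's implementation. */
int rootname_is_safe(const char *rootname)
{
    if (rootname == NULL || rootname[0] == '\0')
        return 0;
    return strpbrk(rootname, kBlockedRootnameChars) == NULL;
}

/* Builds "<rootname>.<ext>" into buf with snprintf and reports truncation
 * (returns 0) instead of writing past the buffer, the failure mode behind
 * CVE-2018-7247. Validating rootname is the caller's job (see above). */
int build_output_name(char *buf, size_t buflen,
                      const char *rootname, const char *ext)
{
    int n = snprintf(buf, buflen, "%s.%s", rootname, ext);
    return (n >= 0 && (size_t)n < buflen) ? 1 : 0;
}

/* Width-limited sscanf: a "%s" conversion with no field width copies an
 * unbounded token (the CVE-2018-7186 pattern); "%31s" stops after 31 bytes
 * and the array is one byte larger for the terminator. Stringifying the
 * macro keeps the width and the array size in step. */
#define NAME_MAX 31
#define STR_(x) #x
#define STR(x) STR_(x)

typedef struct {
    char name[NAME_MAX + 1];
    int width;
    int height;
} Header;

/* Parses an assumed "<name> <width> <height>" header line (constructed
 * format for this example). Returns the number of fields converted; callers
 * must require 3 and treat anything else as malformed. An over-long name is
 * cut at NAME_MAX, leaving its tail where the width should be, so the count
 * drops to 1 instead of the name overflowing. */
int parse_header(const char *line, Header *out)
{
    memset(out, 0, sizeof *out);
    return sscanf(line, "%" STR(NAME_MAX) "s %d %d",
                  out->name, &out->width, &out->height);
}
```

Usage: call rootname_is_safe() before a rootname reaches anything that builds a command line or a path, check the return value of build_output_name() rather than assuming the name fit, and reject any header line for which parse_header() returns fewer than 3 fields.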