Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 775629 (CVE-2020-36277, CVE-2020-36278, CVE-2020-36279, CVE-2020-36280, CVE-2020-36281) - <media-libs/leptonica-1.80.0: multiple vulnerabilities (CVE-2020-{36277,36278,36279,36280,36281)
Summary: <media-libs/leptonica-1.80.0: multiple vulnerabilities (CVE-2020-{36277,36278...
Status: RESOLVED FIXED
Alias: CVE-2020-36277, CVE-2020-36278, CVE-2020-36279, CVE-2020-36280, CVE-2020-36281
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-12 13:46 UTC by John Helmert III
Modified: 2021-07-24 03:06 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/leptonica-1.80.0
Runtime testing required: Yes
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-03-12 13:46:49 UTC
CVE-2020-36281:

Leptonica before 1.80.0 allows a heap-based buffer over-read in pixFewColorsOctcubeQuantMixed in colorquant1.c.
Comment 1 John Helmert III gentoo-dev Security 2021-03-13 04:17:29 UTC
CVE-2020-36277:

Leptonica before 1.80.0 allows a denial of service (application crash) via an incorrect left shift in pixConvert2To8 in pixconv.c

CVE-2020-36278:

Leptonica before 1.80.0 allows a heap-based buffer over-read in findNextBorderPixel in ccbord.c.

CVE-2020-36279:

Leptonica before 1.80.0 allows a heap-based buffer over-read in rasteropGeneralLow, related to adaptmap_reg.c and adaptmap.c.

CVE-2020-36280:

Leptonica before 1.80.0 allows a heap-based buffer over-read in rasteropGeneralLow, related to adaptmap_reg.c and adaptmap.c
Comment 2 Andreas Sturmlechner gentoo-dev 2021-04-18 22:37:12 UTC
I understand we have 1.80.0 in tree since last August.
Comment 3 James Le Cuirot gentoo-dev 2021-05-15 19:20:56 UTC
Please run the tests when stabilising.
Comment 4 Sam James archtester gentoo-dev Security 2021-05-16 00:12:19 UTC
amd64 done
Comment 5 Sam James archtester gentoo-dev Security 2021-05-16 00:12:39 UTC
x86 done
Comment 6 Sam James archtester gentoo-dev Security 2021-05-16 12:41:32 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-05-16 12:42:40 UTC
ppc done
Comment 8 Sam James archtester gentoo-dev Security 2021-05-16 12:43:03 UTC
ppc64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-05-22 01:32:06 UTC
arm done

all arches done
Comment 10 Sam James archtester gentoo-dev Security 2021-05-22 01:52:42 UTC
Please cleanup, thanks!
Comment 11 Larry the Git Cow gentoo-dev 2021-05-30 18:00:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6c29e1f27e5073deee0636184b3a27677978ba4

commit d6c29e1f27e5073deee0636184b3a27677978ba4
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2021-05-30 17:59:49 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-05-30 17:59:49 +0000

    media-libs/leptonica: Drop old and vulnerable 1.74.4
    
    Bug: https://bugs.gentoo.org/775629
    Package-Manager: Portage-3.0.19, Repoman-3.0.3
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/leptonica/Manifest                 |  1 -
 media-libs/leptonica/files/baseline_reg.patch | 22 ----------
 media-libs/leptonica/leptonica-1.74.4.ebuild  | 63 ---------------------------
 3 files changed, 86 deletions(-)
Comment 12 John Helmert III gentoo-dev Security 2021-05-30 18:30:06 UTC
Thanks!
Comment 13 John Helmert III gentoo-dev Security 2021-07-24 02:43:37 UTC
GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-07-24 03:06:00 UTC
This issue was resolved and addressed in
 GLSA 202107-53 at https://security.gentoo.org/glsa/202107-53
by GLSA coordinator John Helmert III (ajak).