Bug 649752 (CVE-2017-18196, CVE-2018-7186, CVE-2018-7247, CVE-2018-7440, CVE-2018-7441, CVE-2018-7442) - <media-libs/leptonica-1.77.0: Multiple vulnerabilities
Summary: <media-libs/leptonica-1.77.0: Multiple vulnerabilities
Alias: CVE-2017-18196, CVE-2018-7186, CVE-2018-7247, CVE-2018-7440, CVE-2018-7441, CVE-2018-7442
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa+ cve]
Depends on:
Reported: 2018-03-06 15:25 UTC by GLSAMaker/CVETool Bot
Modified: 2023-12-18 07:27 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-06 15:25:38 UTC
CVE-2018-7442:
  An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput
  function does not block '/' characters in the gplot rootname argument,
  potentially leading to path traversal and arbitrary file overwrite.

CVE-2018-7441:
  Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might allow
  local users to overwrite arbitrary files or have unspecified other impact by
  creating files in advance or winning a race condition, as demonstrated by
  /tmp/ in prog/splitimage2pdf.c.

CVE-2018-7440:
  An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput
  function allows command injection via a $(command) approach in the gplot
  rootname argument. This issue exists because of an incomplete fix for

CVE-2018-7247:
  An issue was discovered in pixHtmlViewer in prog/htmlviewer.c in Leptonica
  before 1.75.3. Unsanitized input (rootname) can overflow a buffer, leading
  potentially to arbitrary code execution or possibly unspecified other

CVE-2018-7186:
  Leptonica before 1.75.3 does not limit the number of characters in a %s
  format argument to fscanf or sscanf, which allows remote attackers to cause
  a denial of service (stack-based buffer overflow) or possibly have
  unspecified other impact via a long string, as demonstrated by the gplotRead
  and ptaReadStream functions.

CVE-2017-18196:
  Leptonica 1.74.4 constructs unintended pathnames (containing duplicated path
  components) when operating on files in /tmp subdirectories, which might
  allow local users to bypass intended file restrictions by leveraging access
  to a directory located deeper within the /tmp directory tree, as
  demonstrated by /tmp/ANY/PATH/ANY/PATH/input.tif.
Comment 1 James Le Cuirot gentoo-dev 2018-03-10 10:33:42 UTC
This is a fairly important library, being required by Tesseract, the only decent free OCR software out there. Unfortunately I'm not too optimistic about all these being fixed and I wouldn't be surprised if there are further issues waiting to be found. Upstream seems to have a slight disregard for security. I have spoken to him about the /tmp issues many times but he is very reluctant to change it. His response to CVE-2018-3836 was also not encouraging. I only maintain this and work with upstream because of a previous need for it that I no longer have so I am only willing to do so much. I'll see what Debian does.
Comment 2 James Le Cuirot gentoo-dev 2018-05-03 22:13:25 UTC
I have now bumped this to 1.76.0 but I don't know whether this deals with all of these issues. I think some have been addressed.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 00:49:45 UTC
It appears that only CVE-2018-7247 and CVE-2018-7286 have clear fixes, in c1079bb8e and ee301cb20 respectively. Both commits are in 1.76 onward.
Comment 4 Hans de Graaff gentoo-dev Security 2023-10-08 09:00:25 UTC
All of these CVEs have been addressed in leptonica 1.77.0:

        * CVE-2018-7442: potential injection attack because '/' is allowed
          in gplot rootdir.
          Functions using this command have been disabled by default in the 
          distribution, starting with 1.76.0.  As for the specific issue, it 
          is impossible to specify a general path without using the standard
          directory subdivider '/'.
        * CVE-2018-7186: number of characters not limited in fscanf or sscanf,
          allowing possible attack with buffer overflow.
          This has been fixed in 1.75.3.
        * CVE-2018-3836: command injection vulnerability in gplotMakeOutput().
          This has been fixed in 1.75.3, using stringCheckForChars() to block
          rootnames containing any of: ;&|>"?*$()/<
        * CVE-2017-18196: duplicated path components.
          This was fixed in 1.75.3.
        * CVE-2018-7441: hardcoded /tmp pathnames.
          These are all wrapped in special debug functions that are not
          enabled by default in the distribution, starting with 1.76.0.
        * CVE-2018-7247: input 'rootname' can overflow a buffer.
          This was fixed in 1.76.0, using snprintf().
        * CVE-2018-7440: command injection in gplotMakeOutput using $(command).
          Fixed in 1.75.3, which blocks '$' as well as 11 other characters.
Comment 5 Larry the Git Cow gentoo-dev 2023-12-18 07:26:07 UTC
The bug has been referenced in the following commit(s):

commit ae470dfa87b9f8990a63603140849dc70c320603
Author:     GLSAMaker <>
AuthorDate: 2023-12-18 07:24:40 +0000
Commit:     Hans de Graaff <>
CommitDate: 2023-12-18 07:26:01 +0000

    [ GLSA 202312-01 ] Leptonica: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202312-01.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)