775629 – (CVE-2020-36277, CVE-2020-36278, CVE-2020-36279, CVE-2020-36280, CVE-2020-36281) <media-libs/leptonica-1.80.0: multiple vulnerabilities (CVE-2020-{36277,36278,36279,36280,36281)

Bug 775629 (CVE-2020-36277, CVE-2020-36278, CVE-2020-36279, CVE-2020-36280, CVE-2020-36281) - <media-libs/leptonica-1.80.0: multiple vulnerabilities (CVE-2020-{36277,36278,36279,36280,36281)

Summary: <media-libs/leptonica-1.80.0: multiple vulnerabilities (CVE-2020-{36277,36278...

Status:	RESOLVED FIXED

Alias:	CVE-2020-36277, CVE-2020-36278, CVE-2020-36279, CVE-2020-36280, CVE-2020-36281

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2021-03-12 13:46 UTC by John Helmert III
Modified:	2021-07-24 03:06 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	media-libs/leptonica-1.80.0
Runtime testing required:	Yes

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-03-12 13:46:49 UTC

CVE-2020-36281:

Leptonica before 1.80.0 allows a heap-based buffer over-read in pixFewColorsOctcubeQuantMixed in colorquant1.c.

Comment 1 John Helmert III archtester

2021-03-13 04:17:29 UTC

CVE-2020-36277:

Leptonica before 1.80.0 allows a denial of service (application crash) via an incorrect left shift in pixConvert2To8 in pixconv.c

CVE-2020-36278:

Leptonica before 1.80.0 allows a heap-based buffer over-read in findNextBorderPixel in ccbord.c.

CVE-2020-36279:

Leptonica before 1.80.0 allows a heap-based buffer over-read in rasteropGeneralLow, related to adaptmap_reg.c and adaptmap.c.

CVE-2020-36280:

Leptonica before 1.80.0 allows a heap-based buffer over-read in rasteropGeneralLow, related to adaptmap_reg.c and adaptmap.c

Comment 2 Andreas Sturmlechner gentoo-dev

2021-04-18 22:37:12 UTC

I understand we have 1.80.0 in tree since last August.

Comment 3 James Le Cuirot gentoo-dev

2021-05-15 19:20:56 UTC

Please run the tests when stabilising.

Comment 4 Sam James archtester

2021-05-16 00:12:19 UTC

amd64 done

Comment 5 Sam James archtester

2021-05-16 00:12:39 UTC

x86 done

Comment 6 Sam James archtester

2021-05-16 12:41:32 UTC

arm64 done

Comment 7 Sam James archtester

2021-05-16 12:42:40 UTC

ppc done

Comment 8 Sam James archtester

2021-05-16 12:43:03 UTC

ppc64 done

Comment 9 Sam James archtester

2021-05-22 01:32:06 UTC

arm done

all arches done

Comment 10 Sam James archtester

2021-05-22 01:52:42 UTC

Please cleanup, thanks!

Comment 11 Larry the Git Cow gentoo-dev

2021-05-30 18:00:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6c29e1f27e5073deee0636184b3a27677978ba4

commit d6c29e1f27e5073deee0636184b3a27677978ba4
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2021-05-30 17:59:49 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-05-30 17:59:49 +0000

    media-libs/leptonica: Drop old and vulnerable 1.74.4
    
    Bug: https://bugs.gentoo.org/775629
    Package-Manager: Portage-3.0.19, Repoman-3.0.3
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/leptonica/Manifest                 |  1 -
 media-libs/leptonica/files/baseline_reg.patch | 22 ----------
 media-libs/leptonica/leptonica-1.74.4.ebuild  | 63 ---------------------------
 3 files changed, 86 deletions(-)

Comment 12 John Helmert III archtester

2021-05-30 18:30:06 UTC

Thanks!

Comment 13 John Helmert III archtester

2021-07-24 02:43:37 UTC

GLSA request filed.

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2021-07-24 03:06:00 UTC

This issue was resolved and addressed in
 GLSA 202107-53 at https://security.gentoo.org/glsa/202107-53
by GLSA coordinator John Helmert III (ajak).