CVE-2021-33479 (https://sourceforge.net/p/jocr/bugs/39/): A stack-based buffer overflow vulnerability was discovered in gocr through 0.53-20200802 in measure_pitch() in pgm2asc.c. CVE-2021-33480 (https://sourceforge.net/p/jocr/bugs/41/): https://sourceforge.net/p/jocr/bugs/40/ An use-after-free vulnerability was discovered in gocr through 0.53-20200802 in context_correction() in pgm2asc.c. CVE-2021-33481 (https://sourceforge.net/p/jocr/bugs/42/): A stack-based buffer overflow vulnerability was discovered in gocr through 0.53-20200802 in try_to_divide_boxes() in pgm2asc.c. All appear unfixed upstream.
No new releases upstream, this looks abandoned. Still has a few reverse dependencies.
I think it can be treecleaned. In Fedora, tk/scanner (xsane) support is completely removed for a long time due to they thinking it is too buggy. We would then need to disable ocr USE for xsane. dvdshrink is already masked for removal due to transcode treecleaning... the only package that would need to go is media-video/subtitleripper
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65a29e83791333ba0aa92ab381331118ff364e11 commit 65a29e83791333ba0aa92ab381331118ff364e11 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2023-11-25 15:12:48 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2023-11-25 15:15:04 +0000 profiles: last rite app-text/gocr Bug: https://bugs.gentoo.org/824290 Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/base/package.use.mask | 4 ++++ profiles/package.mask | 8 ++++++++ 2 files changed, 12 insertions(+)
net-print/hplip is in the dependency tree, which I depend on for printing and scanning. emerge --depclean -av app-text/gocr media-gfx/xsane Calculating dependencies... done! app-text/gocr-0.52 pulled in by: media-gfx/xsane-0.999-r5 requires app-text/gocr media-gfx/xsane-0.999-r5 pulled in by: net-print/hplip-3.23.5 requires media-gfx/xsane
(In reply to Norman Back from comment #4) > net-print/hplip is in the dependency tree, which I depend on for printing > and scanning. > > emerge --depclean -av app-text/gocr media-gfx/xsane > > Calculating dependencies... done! > app-text/gocr-0.52 pulled in by: > media-gfx/xsane-0.999-r5 requires app-text/gocr > > media-gfx/xsane-0.999-r5 pulled in by: > net-print/hplip-3.23.5 requires media-gfx/xsane xsane _optionally_ depends on gocr with USE=ocr. USE=ocr has been masked on gocr.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eef9430478b0848c0b3a6abf3e7321dcc29704fa commit eef9430478b0848c0b3a6abf3e7321dcc29704fa Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2024-01-08 03:26:41 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-01-08 03:34:23 +0000 app-text/gocr: treeclean Bug: https://bugs.gentoo.org/323619 Bug: https://bugs.gentoo.org/824290 Bug: https://bugs.gentoo.org/850436 Bug: https://bugs.gentoo.org/865999 Bug: https://bugs.gentoo.org/913696 Signed-off-by: John Helmert III <ajak@gentoo.org> app-text/gocr/Manifest | 1 - app-text/gocr/gocr-0.52-r1.ebuild | 53 --------------------------------------- app-text/gocr/gocr-0.52.ebuild | 53 --------------------------------------- app-text/gocr/metadata.xml | 8 ------ profiles/package.mask | 8 ------ 5 files changed, 123 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=fb5a44ea787005b33db2fc71280762a14b475bea commit fb5a44ea787005b33db2fc71280762a14b475bea Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-24 04:04:56 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-01-24 04:06:49 +0000 [ GLSA 202401-28 ] GOCR: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/824290 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202401-28.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+)
