Re: upload leptonlib

2018-02-27 Thread Santiago R.R.
El 26/02/18 a las 10:55, Jeff Breidenbach escribió:
> >Was upstream's position also to remove those binaries?
> 
> Yes.
> 
> >Upstream was unable to provide a patch?
> 
> Yes. Upstream decided that it was not worth the time to make a patch.
> 
> Leptonica is a large image processing library. It also contains source code
> for many (over 200) example programs that use the library. From these example
> programs, a small number (about 10) are built and ship as part of the
> leptonica-progs binary package.
> 
> Bug #830660 noticed that some of these programs were insecure. The affected
> programs were not very important, and my best guess is nobody uses them. So
> after discussion with upstream, I removed them from the Debian package. Because
> the programs are probably not used, I don't have a strong opinion about what
> happens with Wheezy.
> 
> Does this help?

Yes, thank you.

Since the affected programs are not very important, I'd say now the
issue is not serious enough to modify the jessie and wheezy packages.

Other opinions?




Re: upload leptonlib

2018-02-26 Thread Jeff Breidenbach
>Was upstream's position also to remove those binaries?

Yes.

>Upstream was unable to provide a patch?

Yes. Upstream decided that it was not worth the time to make a patch.

Leptonica is a large image processing library. It also contains source code
for many (over 200) example programs that use the library. From these example
programs, a small number (about 10) are built and ship as part of the
leptonica-progs binary package.

Bug #830660 noticed that some of these programs were insecure. The affected
programs were not very important, and my best guess is nobody uses them. So
after discussion with upstream, I removed them from the Debian package. Because
the programs are probably not used, I don't have a strong opinion about what
happens with Wheezy.

Does this help?


Re: upload leptonlib

2018-02-23 Thread Salvatore Bonaccorso
Hi Ben,

MITRE did assign the following:

On Thu, Feb 22, 2018 at 05:38:16PM +0100, Ben Hutchings wrote:
> > > 1. #890548
> > 
> > This one has CVE-2018-7186.
> > 
> > > 2. Incomplete fix for #889759 / CVE-2018-3836

CVE-2018-7440

> > > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > > there is a possibility of path traversal and arbitrary file overwrite

CVE-2018-7442

> > > 4. #885704

CVE-2017-18196

> > > 5. The remaining hardcoded paths in /tmp

CVE-2018-7441

Regards,
Salvatore




Re: upload leptonlib

2018-02-23 Thread Santiago R.R.
El 23/02/18 a las 10:08, Jeff Breidenbach escribió:
> >So these files should be also removed from the package in wheezy and jessie?
> 
> Yes.

Sorry if my previous message was maybe too brief.

It is not common to remove a file from the packages of a released Debian
suite. I find it surprising that the fix was to remove the binaries.

It seems that upstream keeps the source code (prog/printtiff.c,
prog/printsplitimage.c, prog/splitimage2pdf.c, prog/printimage.c) and
makes reference to printimage and printsplitimage in README.html. They
are included in CMakeLists.txt, but Debian doesn't rely on CMake to
build the package, which is somewhat confusing.

Was upstream's position also to remove those binaries? Upstream was
unable to provide a patch?

Could you please elaborate more on why removing the mentioned files is
the right thing to do?

Cheers, and thanks for your work,

 -- Santiago




Re: upload leptonlib

2018-02-23 Thread Jeff Breidenbach
>So these files should be also removed from the package in wheezy and
jessie?

Yes.


Re: upload leptonlib

2018-02-23 Thread Santiago R.R.
Security team: sorry for the lack of context in the message. Please see
https://lists.debian.org/debian-lts/2018/02/msg00054.html and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830660

El 22/02/18 a las 22:35, Jeff Breidenbach escribió:
>These binaries were removed in #830660.
>>$ strings /usr/bin/printsplitimage | grep ^/tmp/
>>/tmp/split
>>$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
>>/tmp/junk_split_image.ps

So these files should be also removed from the package in wheezy and
jessie?

Cheers,

 -- Santiago




Re: upload leptonlib

2018-02-22 Thread Jeff Breidenbach
These binaries were removed in #830660.

>$ strings /usr/bin/printsplitimage | grep ^/tmp/
>/tmp/split
>$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
>/tmp/junk_split_image.ps


prune_unsafe_binaries.diff.gz
Description: GNU Zip compressed data


Re: upload leptonlib

2018-02-22 Thread Jeff Breidenbach
The remaining hardcoded /tmp filenames are believed to be in test and debug
code paths.


Re: upload leptonlib

2018-02-22 Thread Salvatore Bonaccorso
Hi Ben,

On Thu, Feb 22, 2018 at 05:38:16PM +0100, Ben Hutchings wrote:
> On Thu, 2018-02-22 at 07:26 +0100, Salvatore Bonaccorso wrote:
> > Hi Ben,
> > 
> > On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote:
> > > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> > > > On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > > > > Hello.
> > > > > > > 
> > > > > > > I prepared LTS security update for leptonlib. Please review and upload.
> > > > > > > You can find debdiff along with the mail.
> > > > > > > link:
> > > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > > > > 
> > > > > > 
> > > > > > Abhijith,
> > > > > > 
> > > > > > I have reviewed and uploaded the package. While you backported the
> > > > > > upstream fix, I feel like their approach falls under item #2 of "The Six
> > > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > > > > help but wonder if another vulnerability will be uncovered later that
> > > > > > uses different characters that are not being checked.
> > > > > 
> > > > > I found one already: it filters out `command` but not $(command).
> > > > > 
> > > > > I'm afraid this library appears to have been written without any regard
> > > > > for security, or even the existence of multiuser systems.
> > > > > 
> > > > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > > > > and I think there are more instances.
> > > > > 
> > > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > > > > can still see:
> > > > 
> > > > [...]
> > > > 
> > > > I've re-added the package to dla-needed.txt for #889759 /
> > > > CVE-2018-3836. Should a new CVE be issued for #885704?
> > > 
> > > I think additional CVEs are needed for:
> > > 
> > > 1. #890548
> > 
> > This one has CVE-2018-7186.
> > 
> > > 2. Incomplete fix for #889759 / CVE-2018-3836
> > > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > > there is a possibility of path traversal and arbitrary file overwrite
> > > 4. #885704
> > > 5. The remaining hardcoded paths in /tmp
> > 
> > Have you already requested CVEs for the other issues?
> 
> No I haven't.

Alright, I will try to request the pending ones tonight.

Regards,
Salvatore



Re: upload leptonlib

2018-02-22 Thread Ben Hutchings
On Thu, 2018-02-22 at 07:26 +0100, Salvatore Bonaccorso wrote:
> Hi Ben,
> 
> On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote:
> > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> > > On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > > > Hello.
> > > > > > 
> > > > > > I prepared LTS security update for leptonlib. Please review and upload.
> > > > > > You can find debdiff along with the mail.
> > > > > > link:
> > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > > > 
> > > > > 
> > > > > Abhijith,
> > > > > 
> > > > > I have reviewed and uploaded the package. While you backported the
> > > > > upstream fix, I feel like their approach falls under item #2 of "The Six
> > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > > > help but wonder if another vulnerability will be uncovered later that
> > > > > uses different characters that are not being checked.
> > > > 
> > > > I found one already: it filters out `command` but not $(command).
> > > > 
> > > > I'm afraid this library appears to have been written without any regard
> > > > for security, or even the existence of multiuser systems.
> > > > 
> > > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > > > and I think there are more instances.
> > > > 
> > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > > > can still see:
> > > 
> > > [...]
> > > 
> > > I've re-added the package to dla-needed.txt for #889759 /
> > > CVE-2018-3836. Should a new CVE be issued for #885704?
> > 
> > I think additional CVEs are needed for:
> > 
> > 1. #890548
> 
> This one has CVE-2018-7186.
> 
> > 2. Incomplete fix for #889759 / CVE-2018-3836
> > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > there is a possibility of path traversal and arbitrary file overwrite
> > 4. #885704
> > 5. The remaining hardcoded paths in /tmp
> 
> Have you already requested CVEs for the other issues?

No I haven't.

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought. ... I realized that a large part of my life from then on was
going to be spent in finding mistakes in my own programs. - Maurice
Wilkes, 1949




Re: upload leptonlib

2018-02-21 Thread Salvatore Bonaccorso
Hi Ben,

On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote:
> On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> > On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > > Hello.
> > > > > 
> > > > > I prepared LTS security update for leptonlib. Please review and upload.
> > > > > You can find debdiff along with the mail.
> > > > > link:
> > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > > 
> > > > 
> > > > Abhijith,
> > > > 
> > > > I have reviewed and uploaded the package. While you backported the
> > > > upstream fix, I feel like their approach falls under item #2 of "The Six
> > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > > help but wonder if another vulnerability will be uncovered later that
> > > > uses different characters that are not being checked.
> > > 
> > > I found one already: it filters out `command` but not $(command).
> > > 
> > > I'm afraid this library appears to have been written without any regard
> > > for security, or even the existence of multiuser systems.
> > > 
> > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > > and I think there are more instances.
> > > 
> > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > > can still see:
> > 
> > [...]
> > 
> > I've re-added the package to dla-needed.txt for #889759 /
> > CVE-2018-3836. Should a new CVE be issued for #885704?
> 
> I think additional CVEs are needed for:
> 
> 1. #890548

This one has CVE-2018-7186.

> 2. Incomplete fix for #889759 / CVE-2018-3836
> 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> there is a possibility of path traversal and arbitrary file overwrite
> 4. #885704
> 5. The remaining hardcoded paths in /tmp

Have you already requested CVEs for the other issues?

Regards,
Salvatore



Re: upload leptonlib

2018-02-17 Thread Ben Hutchings
On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > Hello.
> > > > 
> > > > I prepared LTS security update for leptonlib. Please review and upload.
> > > > You can find debdiff along with the mail.
> > > > link:
> > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > 
> > > 
> > > Abhijith,
> > > 
> > > I have reviewed and uploaded the package. While you backported the
> > > upstream fix, I feel like their approach falls under item #2 of "The Six
> > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > help but wonder if another vulnerability will be uncovered later that
> > > uses different characters that are not being checked.
> > 
> > I found one already: it filters out `command` but not $(command).
> > 
> > I'm afraid this library appears to have been written without any regard
> > for security, or even the existence of multiuser systems.
> > 
> > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > and I think there are more instances.
> > 
> > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > can still see:
> 
> [...]
> 
> I've re-added the package to dla-needed.txt for #889759 /
> CVE-2018-3836. Should a new CVE be issued for #885704?

I think additional CVEs are needed for:

1. #890548
2. Incomplete fix for #889759 / CVE-2018-3836
3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
there is a possibility of path traversal and arbitrary file overwrite
4. #885704
5. The remaining hardcoded paths in /tmp

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of
them.




Re: upload leptonlib

2018-02-16 Thread Antoine Beaupré
On 2018-02-15 21:34:48, Ben Hutchings wrote:
> On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
>> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
>> > Hello.
>> > 
>> > I prepared LTS security update for leptonlib. Please review and upload.
>> > You can find debdiff along with the mail.
>> > link:
>> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
>> > 
>> 
>> Abhijith,
>> 
>> I have reviewed and uploaded the package. While you backported the
>> upstream fix, I feel like their approach falls under item #2 of "The Six
>> Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
>> help but wonder if another vulnerability will be uncovered later that
>> uses different characters that are not being checked.
>
> I found one already: it filters out `command` but not $(command).
>
> I'm afraid this library appears to have been written without any regard
> for security, or even the existence of multiuser systems.
>
> Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> and I think there are more instances.
>
> Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> can still see:

[...]

I've re-added the package to dla-needed.txt for #889759 /
CVE-2018-3836. Should a new CVE be issued for #885704?

A.

-- 
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with mine, then
let us work together.- Aboriginal activists group, Queensland, 1970s



Re: upload leptonlib

2018-02-15 Thread Ben Hutchings
On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > Hello.
> > 
> > I prepared LTS security update for leptonlib. Please review and upload.
> > You can find debdiff along with the mail.
> > link:
> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > 
> 
> Abhijith,
> 
> I have reviewed and uploaded the package. While you backported the
> upstream fix, I feel like their approach falls under item #2 of "The Six
> Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> help but wonder if another vulnerability will be uncovered later that
> uses different characters that are not being checked.

I found one already: it filters out `command` but not $(command).

I'm afraid this library appears to have been written without any regard
for security, or even the existence of multiuser systems.

Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
and I think there are more instances.

Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
can still see:

$ strings /usr/bin/printsplitimage | grep ^/tmp/
/tmp/split
$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
/tmp/junk_split_image.ps
$ strings /usr/lib/x86_64-linux-gnu/liblept.so.5 | grep ^/tmp/
/tmp/lept/baseline/diff
/tmp/lept/baseline/diff.png
/tmp/lept/baseline/loc
/tmp/lept/baseline/loc.png
/tmp/lept/baseline/skew
/tmp/lept/baseline/baselines.png
/tmp/threshroot
/tmp/lept/plots/sides.%s
/tmp/lept/plots/sides.%d
/tmp/lept/plots/size.%s
/tmp/lept/plots/size.%d
/tmp/linfit/boxalr.ba
/tmp/linfit/boxatb.ba
/tmp/linfit/ptal.pta
/tmp/linfit/ptar.pta
/tmp/linfit/ptat.pta
/tmp/linfit/ptab.pta
/tmp/smooth/boxae.ba
/tmp/smooth/boxao.ba
/tmp/smooth/boxalfe.ba
/tmp/smooth/boxalfo.ba
/tmp/smooth/boxame.ba
/tmp/smooth/boxamo.ba
/tmp/smooth/boxamede.ba
/tmp/smooth/boxamedo.ba
...

Ben.

> In any event, once you receive the ACCEPT notice from the archive
> software you should be able to publish the DLA.

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
  - Albert Einstein


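As an added illustration of the mitigation for the hardcoded /tmp names listed in Ben's message above (this is example code written for this page, not Leptonica code and not part of the thread): a fixed, predictable name such as /tmp/junk_split_image.ps can be pre-created or symlinked by another local user before the program writes to it, whereas a name chosen by mkstemp() is created with O_CREAT|O_EXCL and mode 0600 for this process only. The function names (`scratch_dir`, `open_private_scratch`, `scratch_is_private`) are assumptions of this example.

```c
/* Added example (not Leptonica code): replacing a fixed, predictable path
 * such as "/tmp/junk_split_image.ps" with a per-process private file.
 * Function names are constructed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory to use: $TMPDIR if set, else /tmp. */
const char *scratch_dir(void)
{
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Create a new file that only this process could have created:
 * mkstemp() picks an unpredictable name and opens it with O_CREAT|O_EXCL
 * and mode 0600, so a pre-placed symlink makes the call fail instead of
 * redirecting the write. On success returns the open descriptor and writes
 * the chosen path into 'out' (size 'outlen'); returns -1 on failure. */
int open_private_scratch(const char *dir, const char *prefix,
                         char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= outlen)
        return -1;              /* template would not fit: refuse, do not truncate */
    return mkstemp(out);        /* replaces the XXXXXX in place */
}

/* Check the properties a fixed /tmp path cannot guarantee: the descriptor
 * refers to a regular file with a single link, owned by us, mode 0600. */
int scratch_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           st.st_uid == getuid() && (st.st_mode & 0777) == 0600;
}

int main(void)
{
    char path[4096];
    int fd = open_private_scratch(scratch_dir(), "split_image", path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("using %s (private: %d)\n", path, scratch_is_private(fd));
    /* Write the intermediate data through fd; never reopen it by path,
     * since the path check would be a fresh race. */
    close(fd);
    unlink(path);   /* remove when done; leave no name behind to be reused */
    return 0;
}
```

The design point is that the file is identified by the descriptor returned from the exclusive create, so any later check or write cannot be redirected by swapping the name; a program that builds "/tmp/<fixed name>" and then calls fopen() has no such guarantee no matter what it checks first.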


Re: upload leptonlib

2018-02-14 Thread Roberto C. Sánchez
On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> Hello.
> 
> I prepared LTS security update for leptonlib. Please review and upload.
> You can find debdiff along with the mail.
> link:
> https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> 

Abhijith,

I have reviewed and uploaded the package. While you backported the
upstream fix, I feel like their approach falls under item #2 of "The Six
Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
help but wonder if another vulnerability will be uncovered later that
uses different characters that are not being checked.

In any event, once you receive the ACCEPT notice from the archive
software you should be able to publish the DLA.

Regards,

-Roberto

-- 
Roberto C. Sánchez
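Roberto's point above about enumerating badness, together with the `$(command)` and "/" cases Ben raises in his reply, can be seen side by side in code. The following is an added example written for this page, not Leptonica code and not the Debian patch: `rootname_ok_denylist()` reproduces the character set the backported patch rejects, while `rootname_ok_allowlist()` accepts only a fixed safe alphabet. Both function names and the sample inputs are constructed for illustration.

```c
/* Added example (not Leptonica code): a denylist check on a gnuplot
 * "rootname" beside an allowlist check. Names and inputs constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The characters the backported patch rejects in gplotCreate(). */
static const char DENY_SET[] = "`;&|><\"?*";

/* Denylist: accept unless a known-bad character is present.
 * Returns 1 if the name would be accepted, 0 if rejected. */
int rootname_ok_denylist(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    return strpbrk(name, DENY_SET) == NULL;
}

/* Allowlist: accept only [A-Za-z0-9_-] with no leading '-', so the value
 * can never be parsed by a shell as anything but one plain word, never
 * names another directory, and never looks like a tool option.
 * Returns 1 if accepted, 0 if rejected. */
int rootname_ok_allowlist(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '-')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (!isalnum(*p) && *p != '_' && *p != '-')
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a benign name plus the shapes the thread says
     * the denylist misses (command substitution, a path) and one it catches. */
    const char *samples[] = { "plot1", "a$(cmd)b", "../other/plot", "x`cmd`y", "-plot" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s denylist=%d allowlist=%d\n", samples[i],
               rootname_ok_denylist(samples[i]),
               rootname_ok_allowlist(samples[i]));
    return 0;
}
```

The denylist passes "a$(cmd)b" and "../other/plot" because neither contains a listed character; the allowlist rejects both without anyone having to anticipate them, which is the difference Roberto is pointing at.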



upload leptonlib

2018-02-14 Thread Abhijith PA

Hello.

I prepared LTS security update for leptonlib. Please review and upload.
You can find debdiff along with the mail.
link:
https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc

I did the following tests.

- Installed new build in a wheezy machine
- Tested against POC from
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
- Ran all regression tests provided in prog/alltests_reg.c
- Ran prog/comparetest.c as it is one of the programs which uses `gplot`

diff -Nru leptonlib-1.69/debian/changelog leptonlib-1.69/debian/changelog
--- leptonlib-1.69/debian/changelog 2012-07-19 21:39:52.0 +
+++ leptonlib-1.69/debian/changelog 2018-02-13 18:06:39.0 +
@@ -1,3 +1,11 @@
+leptonlib (1.69-3.1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2018-3836: gplotMakeOutput Command Injection Vulnerability
+(closes: #889759)
+
+ -- Abhijith PA   Tue, 13 Feb 2018 23:36:39 +0530
+
 leptonlib (1.69-3.1) unstable; urgency=medium
 
   * Non-maintainer upload
diff -Nru leptonlib-1.69/debian/patches/CVE-2018-3836.patch 
leptonlib-1.69/debian/patches/CVE-2018-3836.patch
--- leptonlib-1.69/debian/patches/CVE-2018-3836.patch   1970-01-01 
00:00:00.0 +
+++ leptonlib-1.69/debian/patches/CVE-2018-3836.patch   2018-02-13 
18:06:39.0 +
@@ -0,0 +1,125 @@
+Description: Fix CVE-2018-3836.patch
+ An exploitable command injection vulnerability exists in the gplotMakeOutput 
+ function of Leptonica. A specially crafted gplot rootname argument can cause 
a 
+ command injection resulting in arbitrary code execution. 
+ An attacker can provide a malicious path as input to an application that 
passes 
+ attacker data to this function to trigger this vulnerability. Patch 
backported from
+ upstream. 
+ 
+Author: Abhijith PA 
+Origin: 
https://build.opensuse.org/package/view_file/home:kbabioch:branches:openSUSE:Leap:42.3:Update/leptonica/CVE-2018-3836.patch
+Bug: https://github.com/DanBloomberg/leptonica/issues/303
+Bug-Debian: https://bugs.debian.org/889759
+Last-Update: 2018-02-13
+
+Index: leptonlib-1.69/src/gplot.c
+===
+--- leptonlib-1.69.orig/src/gplot.c
 leptonlib-1.69/src/gplot.c
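Review bot: the DEP-3 Description line reads "Fix CVE-2018-3836.patch", which is a file name rather than a summary; in patch listings and in the DLA text a one-line summary such as "Fix CVE-2018-3836: command injection via gplot rootname in gplotMakeOutput" followed by the existing explanatory paragraph reads better. The rest of the header (Origin, Bug, Bug-Debian, Last-Update) is complete.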
+@@ -129,9 +129,10 @@ gplotCreate(const char  *rootname,
+ const char  *xlabel,
+ const char  *ylabel)
+ {
+-char   *newroot;
+-charbuf[L_BUF_SIZE];
+-GPLOT  *gplot;
++char*newroot;
++char buf[L_BUF_SIZE];
++l_int32  badchar;
++GPLOT   *gplot;
+ 
+ PROCNAME("gplotCreate");
+ 
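Review bot: `badchar` is declared without an initializer here and is only written by the `stringCheckForChars()` call in the next hunk; if that call ever returns without storing to its out-parameter, the `if (badchar)` test reads an indeterminate value. Initialize it (`l_int32  badchar = 0;`) and, better, also check the return value of `stringCheckForChars()` and refuse the rootname on failure so the check fails closed.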
+@@ -141,6 +142,9 @@ GPLOT  *gplot;
+ outformat != GPLOT_EPS && outformat != GPLOT_X11 &&
+ outformat != GPLOT_LATEX)
+ return (GPLOT *)ERROR_PTR("outformat invalid", procName, NULL);
++stringCheckForChars(rootname, "`;&|><\"?*", );
++if (badchar)  /* danger of command injection */
++return (GPLOT *)ERROR_PTR("invalid rootname", procName, NULL);
+ 
+ if ((gplot = (GPLOT *)CALLOC(1, sizeof(GPLOT))) == NULL)
+ return (GPLOT *)ERROR_PTR("gplot not made", procName, NULL);
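Review bot: this is the denylist the thread objects to. The set "`;&|><\"?*" covers backticks and the common shell metacharacters but not `$`, `(`, `)`, newline, space or `/`, so the `$(command)` form Ben mentions and the path traversal case (item 3 of the CVE list) pass this check unchanged. An allowlist on rootname ([A-Za-z0-9_-], no leading `-`), or never handing the name to a shell at all, closes the whole class instead of one enumerated subset. Separately, the visible call reads `stringCheckForChars(rootname, "...", );` with an empty third argument; the out-parameter (`&badchar`, matching the declaration in the previous hunk) appears to have been lost in transit, so verify that the patch file as uploaded compiles rather than trusting this rendering.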
+@@ -360,18 +364,10 @@ l_int32  ignore;
+ gplotGenDataFiles(gplot);
+ 
+ #ifndef _WIN32
+-if (gplot->outformat != GPLOT_X11)
+-snprintf(buf, L_BUF_SIZE, "gnuplot %s &", gplot->cmdname);
+-else
+-snprintf(buf, L_BUF_SIZE,
+- "gnuplot -persist -geometry +10+10 %s &", gplot->cmdname);
++snprintf(buf, L_BUF_SIZE, "gnuplot -persist %s", gplot->cmdname);
+ #else
+-   if (gplot->outformat != GPLOT_X11)
+-   snprintf(buf, L_BUF_SIZE, "wgnuplot %s", gplot->cmdname);
+-   else
+-   snprintf(buf, L_BUF_SIZE,
+-   "wgnuplot -persist %s", gplot->cmdname);
+-#endif  /* _WIN32 */
++snprintf(buf, L_BUF_SIZE, "wgnuplot -persist %s", gplot->cmdname);
++#endif /* _WIN32 */
+ ignore = system(buf);
+ return 0;
+ }
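Review bot: the replacement still builds a command line with snprintf() and runs it through system(), so every remaining safety guarantee rests on the rootname filter in the earlier hunk; the robust fix is fork()/execvp() (or posix_spawn()) with an argv array in which gplot->cmdname is a single argument that no shell ever parses. Two behaviour changes also ride along in this security update: the trailing `&` is dropped, so gplotMakeOutput() now blocks until gnuplot exits, and `-persist` is passed for every output format rather than only GPLOT_X11. Both come from upstream, but they deserve a sentence in the changelog or DLA text since callers in wheezy may rely on the asynchronous behaviour.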
+Index: leptonlib-1.69/src/utils.c
+===
+---