Re: upload leptonlib
El 26/02/18 a las 10:55, Jeff Breidenbach escribió: > >Was upstream's position also to remove those binaries? > > Yes. > > >Upstream was unable to provide a patch? > > Yes. Upstream decided that it was not worth the time to make a patch. > > Leptonica is a large image processing library. It also contains source code > for many (over 200) example programs that use the library. From these example > programs, a small number (about 10) are built and ship as part of the > leptonica-progs > binary package. > > Bug #830660 noticed that some of these programs were insecure. The affected > programs were not very important, and my best guess is nobody uses them. So > after discussion with upstream, I removed them from the Debian package. > Because > the programs are probably not used, I don't have a strong opinion about what > happens with Wheezy. > > Does this help? Yes, thank you. Since the affected programs are note very important, I'd say now the issue is not serious enough to modify the jessie and wheezy packages. Other opinions? signature.asc Description: PGP signature
Re: upload leptonlib
>Was upstream's position also to remove those binaries? Yes. >Upstream was unable to provide a patch? Yes. Upstream decided that it was not worth the time to make a patch. Leptonica is a large image processing library. It also contains source code for many (over 200) example programs that use the library. From these example programs, a small number (about 10) are built and ship as part of the leptonica-progs binary package. Bug #830660 noticed that some of these programs were insecure. The affected programs were not very important, and my best guess is nobody uses them. So after discussion with upstream, I removed them from the Debian package. Because the programs are probably not used, I don't have a strong opinion about what happens with Wheezy. Does this help?
Re: upload leptonlib
Hi Ben, MITRE did assign the following: On Thu, Feb 22, 2018 at 05:38:16PM +0100, Ben Hutchings wrote: > > > 1. #890548 > > > > This one has CVE-2018-7186. > > > > > 2. Incomplete fix for #889759 / CVE-2018-3836 CVE-2018-7440 > > > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so > > > there is a possibility of path traversal and arbitrary file overwrite CVE-2018-7442 > > > 4. #885704 CVE-2017-18196 > > > 5. The remaining hardcoded paths in /tmp CVE-2018-7441 Regards, Salvatore signature.asc Description: PGP signature
Re: upload leptonlib
El 23/02/18 a las 10:08, Jeff Breidenbach escribió: > >So these files should be also removed from the package in wheezy and jessie? > > Yes. Sorry if my previous message was maybe too brief. It is not common to remove a file from the packages of a released debian suite. I find it surprising that the fix was to remove the binaries. It seems that upstream keeps their the source code (prog/printtiff.c, prog/printsplitimage.c, prog/splitimage2pdf.c, prog/printimage.c) and making reference to printimage and printsplitimage in README.html. They are included in CMakeLists.txt, but debian doesn't rely on CMake to build the package, it's some confusing. Was upstream's position also to remove those binaries? Upstream was unable to provide a patch? Could you please elaborate more on why removing the mentioned files is the right thing to do? Cheers, and thanks for your work, -- Santiago signature.asc Description: PGP signature
Re: upload leptonlib
>So these files should be also removed from the package in wheezy and jessie? Yes.
Re: upload leptonlib
Security team: sorry for the lack of context in the message. Please see https://lists.debian.org/debian-lts/2018/02/msg00054.html and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830660 El 22/02/18 a las 22:35, Jeff Breidenbach escribió: >These binaries were removed in #830660. >>$ strings /usr/bin/printsplitimage | grep ^/tmp/ >>/tmp/split >>$ strings /usr/bin/splitimage2pdf | grep ^/tmp/ >>/tmp/[1]junk_split_image.ps > > References > >Visible links >1. http://junk_split_image.ps/ So these files should be also removed from the package in wheezy and jessie? Cheers, -- Santiago signature.asc Description: PGP signature
Re: upload leptonlib
These binaries were removed in #830660. >$ strings /usr/bin/printsplitimage | grep ^/tmp/ >/tmp/split >$ strings /usr/bin/splitimage2pdf | grep ^/tmp/ >/tmp/junk_split_image.ps prune_unsafe_binaries.diff.gz Description: GNU Zip compressed data
Re: upload leptonlib
The remaining hardcoded /tmp filenames are believed to be in test and debug code paths.
Re: upload leptonlib
Hi Ben, On Thu, Feb 22, 2018 at 05:38:16PM +0100, Ben Hutchings wrote: > On Thu, 2018-02-22 at 07:26 +0100, Salvatore Bonaccorso wrote: > > Hi Ben, > > > > On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote: > > > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote: > > > > On 2018-02-15 21:34:48, Ben Hutchings wrote: > > > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote: > > > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote: > > > > > > > Hello. > > > > > > > > > > > > > > I prepared LTS security update for leptonlib. Please review and > > > > > > > upload. > > > > > > > You can find debdiff along with the mail. > > > > > > > link: > > > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc > > > > > > > > > > > > > > > > > > > Abhijith, > > > > > > > > > > > > I have reviewed and uploaded the package. While you backported the > > > > > > upstream fix, I feel like their approach falls under item #2 of > > > > > > "The Six > > > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I > > > > > > cannot > > > > > > help but wonder if another vulnerability will be uncovered later > > > > > > that > > > > > > uses different characters that are not being checked. > > > > > > > > > > I found one already: it filters out `command` but not $(command). > > > > > > > > > > I'm afraid this library appears to have been written without any > > > > > regard > > > > > for security, or even the existence of multiuser systems. > > > > > > > > > > Bug #890548 (stack buffer overflows) is probably exploitable in > > > > > wheezy, > > > > > and I think there are more instances. > > > > > > > > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but > > > > > I > > > > > can still see: > > > > > > > > [...] > > > > > > > > I've re-added the package to dla-needed.txt for #889759 / > > > > CVE-2018-3836. Should a new CVE be issued for #885704? > > > > > > I think additional CVEs are needed for: > > > > > > 1. #890548 > > > > This one has CVE-2018-7186. > > > > > 2. Incomplete fix for #889759 / CVE-2018-3836 > > > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so > > > there is a possibility of path traversal and arbitrary file overwrite > > > 4. #885704 > > > 5. The remaining hardcoded paths in /tmp > > > > Have you already requested CVEs for the other issues? > > No I haven't. Alright, I will try to request the pending ones tonight. Regards, Salvatore
Re: upload leptonlib
On Thu, 2018-02-22 at 07:26 +0100, Salvatore Bonaccorso wrote: > Hi Ben, > > On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote: > > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote: > > > On 2018-02-15 21:34:48, Ben Hutchings wrote: > > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote: > > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote: > > > > > > Hello. > > > > > > > > > > > > I prepared LTS security update for leptonlib. Please review and > > > > > > upload. > > > > > > You can find debdiff along with the mail. > > > > > > link: > > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc > > > > > > > > > > > > > > > > Abhijith, > > > > > > > > > > I have reviewed and uploaded the package. While you backported the > > > > > upstream fix, I feel like their approach falls under item #2 of "The > > > > > Six > > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot > > > > > help but wonder if another vulnerability will be uncovered later that > > > > > uses different characters that are not being checked. > > > > > > > > I found one already: it filters out `command` but not $(command). > > > > > > > > I'm afraid this library appears to have been written without any regard > > > > for security, or even the existence of multiuser systems. > > > > > > > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy, > > > > and I think there are more instances. > > > > > > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I > > > > can still see: > > > > > > [...] > > > > > > I've re-added the package to dla-needed.txt for #889759 / > > > CVE-2018-3836. Should a new CVE be issued for #885704? > > > > I think additional CVEs are needed for: > > > > 1. #890548 > > This one has CVE-2018-7186. > > > 2. Incomplete fix for #889759 / CVE-2018-3836 > > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so > > there is a possibility of path traversal and arbitrary file overwrite > > 4. #885704 > > 5. The remaining hardcoded paths in /tmp > > Have you already requested CVEs for the other issues? No I haven't. Ben. -- Ben Hutchings [W]e found...that it wasn't as easy to get programs right as we had thought. ... I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs. - Maurice Wilkes, 1949 signature.asc Description: This is a digitally signed message part
Re: upload leptonlib
Hi Ben, On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote: > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote: > > On 2018-02-15 21:34:48, Ben Hutchings wrote: > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote: > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote: > > > > > Hello. > > > > > > > > > > I prepared LTS security update for leptonlib. Please review and > > > > > upload. > > > > > You can find debdiff along with the mail. > > > > > link: > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc > > > > > > > > > > > > > Abhijith, > > > > > > > > I have reviewed and uploaded the package. While you backported the > > > > upstream fix, I feel like their approach falls under item #2 of "The Six > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot > > > > help but wonder if another vulnerability will be uncovered later that > > > > uses different characters that are not being checked. > > > > > > I found one already: it filters out `command` but not $(command). > > > > > > I'm afraid this library appears to have been written without any regard > > > for security, or even the existence of multiuser systems. > > > > > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy, > > > and I think there are more instances. > > > > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I > > > can still see: > > > > [...] > > > > I've re-added the package to dla-needed.txt for #889759 / > > CVE-2018-3836. Should a new CVE be issued for #885704? > > I think additional CVEs are needed for: > > 1. #890548 This one has CVE-2018-7186. > 2. Incomplete fix for #889759 / CVE-2018-3836 > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so > there is a possibility of path traversal and arbitrary file overwrite > 4. #885704 > 5. The remaining hardcoded paths in /tmp Have you already requested CVEs for the other issues? Regards, Salvatore
Re: upload leptonlib
On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote: > On 2018-02-15 21:34:48, Ben Hutchings wrote: > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote: > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote: > > > > Hello. > > > > > > > > I prepared LTS security update for leptonlib. Please review and upload. > > > > You can find debdiff along with the mail. > > > > link: > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc > > > > > > > > > > Abhijith, > > > > > > I have reviewed and uploaded the package. While you backported the > > > upstream fix, I feel like their approach falls under item #2 of "The Six > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot > > > help but wonder if another vulnerability will be uncovered later that > > > uses different characters that are not being checked. > > > > I found one already: it filters out `command` but not $(command). > > > > I'm afraid this library appears to have been written without any regard > > for security, or even the existence of multiuser systems. > > > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy, > > and I think there are more instances. > > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I > > can still see: > > [...] > > I've re-added the package to dla-needed.txt for #889759 / > CVE-2018-3836. Should a new CVE be issued for #885704? I think additional CVEs are needed for: 1. #890548 2. Incomplete fix for #889759 / CVE-2018-3836 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so there is a possibility of path traversal and arbitrary file overwrite 4. #885704 5. The remaining hardcoded paths in /tmp Ben. -- Ben Hutchings One of the nice things about standards is that there are so many of them. signature.asc Description: This is a digitally signed message part
Re: upload leptonlib
On 2018-02-15 21:34:48, Ben Hutchings wrote: > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote: >> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote: >> > Hello. >> > >> > I prepared LTS security update for leptonlib. Please review and upload. >> > You can find debdiff along with the mail. >> > link: >> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc >> > >> >> Abhijith, >> >> I have reviewed and uploaded the package. While you backported the >> upstream fix, I feel like their approach falls under item #2 of "The Six >> Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot >> help but wonder if another vulnerability will be uncovered later that >> uses different characters that are not being checked. > > I found one already: it filters out `command` but not $(command). > > I'm afraid this library appears to have been written without any regard > for security, or even the existence of multiuser systems. > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy, > and I think there are more instances. > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I > can still see: [...] I've re-added the package to dla-needed.txt for #889759 / CVE-2018-3836. Should a new CVE be issued for #885704? A. -- If you have come here to help me, you are wasting our time. But if you have come because your liberation is bound up with mine, then let us work together.- Aboriginal activists group, Queensland, 1970s
Re: upload leptonlib
On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote: > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote: > > Hello. > > > > I prepared LTS security update for leptonlib. Please review and upload. > > You can find debdiff along with the mail. > > link: > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc > > > > Abhijith, > > I have reviewed and uploaded the package. While you backported the > upstream fix, I feel like their approach falls under item #2 of "The Six > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot > help but wonder if another vulnerability will be uncovered later that > uses different characters that are not being checked. I found one already: it filters out `command` but not $(command). I'm afraid this library appears to have been written without any regard for security, or even the existence of multiuser systems. Bug #890548 (stack buffer overflows) is probably exploitable in wheezy, and I think there are more instances. Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I can still see: $ strings /usr/bin/printsplitimage | grep ^/tmp/ /tmp/split $ strings /usr/bin/splitimage2pdf | grep ^/tmp/ /tmp/junk_split_image.ps $ strings /usr/lib/x86_64-linux-gnu/liblept.so.5 | grep ^/tmp/ /tmp/lept/baseline/diff /tmp/lept/baseline/diff.png /tmp/lept/baseline/loc /tmp/lept/baseline/loc.png /tmp/lept/baseline/skew /tmp/lept/baseline/baselines.png /tmp/threshroot /tmp/lept/plots/sides.%s /tmp/lept/plots/sides.%d /tmp/lept/plots/size.%s /tmp/lept/plots/size.%d /tmp/linfit/boxalr.ba /tmp/linfit/boxatb.ba /tmp/linfit/ptal.pta /tmp/linfit/ptar.pta /tmp/linfit/ptat.pta /tmp/linfit/ptab.pta /tmp/smooth/boxae.ba /tmp/smooth/boxao.ba /tmp/smooth/boxalfe.ba /tmp/smooth/boxalfo.ba /tmp/smooth/boxame.ba /tmp/smooth/boxamo.ba /tmp/smooth/boxamede.ba /tmp/smooth/boxamedo.ba ... Ben. > In any event, once you receive the ACCEPT notice from the archive > software you should be able to publish the DLA. -- Ben Hutchings Everything should be made as simple as possible, but not simpler. - Albert Einstein signature.asc Description: This is a digitally signed message part
Re: upload leptonlib
On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote: > Hello. > > I prepared LTS security update for leptonlib. Please review and upload. > You can find debdiff along with the mail. > link: > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc > Abhijith, I have reviewed and uploaded the package. While you backported the upstream fix, I feel like their approach falls under item #2 of "The Six Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot help but wonder if another vulnerability will be uncovered later that uses different characters that are not being checked. In any event, once you receive the ACCEPT notice from the archive software you should be able to publish the DLA. Regards, -Roberto -- Roberto C. Sánchez
upload leptonlib
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hello. I prepared LTS security update for leptonlib. Please review and upload. You can find debdiff along with the mail. link: https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc I done following tests. - - Installed new build in a wheezy machine - - Tested against POC from https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516 - - Ran all regression tests provided in prog/alltests_reg.c - - Ran prog/comparetest.c as it is one of the program which uses `gplot` -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlqEAJ4ACgkQhj1N8u2c KO8uBQ//WE7DHX6XPpvmASeAI0clLUBw2zzVn8xM6w2uAqCWKtXeS0wqsDgy4urj JS9ggebmHC+aeY8EqM18Cla/TIFXnSCXCOT5hG4fK68aD2FnZ1TZwtSP5GtxYhVN YD3D3FR9astbhLEReLytLxSwXCbGeaDNI7mSi5rnN5eoFdMVhG2ZaVBvzmcE5kSt 9BBKQqgLJ2MzkPQxi9JiwrL8au1WO3A3t8HtOZKf80UcBECiMOqkjmVEiW2/hA0n bGDb8J5f/QC+6UYIiIkEb2o2CMuEmplOm6G43vm+XZjqWP6XpfFFnHHhKnHDeQrQ Z9IRJ4RnFI2B5+l3vwC6WS6e/j+PsuE3sk1MBLlAGLAF69cspSOBxV4MvBQQFvCB 5YHW02Q/VKvejneSOsm/IIrZCau4JGC9uHCzSLRTa3tMg6HZd6CkI/B4l+IFg1Eo y61hb0sVJT5vgA5eNxv5G+B8fqNQTHNc0kmsef1OyReOA8dEkG1Q2OCayFcW6iQW JOUzHOP3R8pFiF8eLToxrY32KPsYh5S3KIgD4sNbjw5J23sEKY1Dn1uXgnLNL7BG hpJoTdwProANQWBW2iY5cxYyTqP3PSk6fYWx5VPAWNDOg0PnMxO4hCed6mrg0hvH XA1PeoxFEREvCyChxWDZL4Yg9ggB5Evba/qIwcTpNPC0Ma7KS9Q= =fUrC -END PGP SIGNATURE- diff -Nru leptonlib-1.69/debian/changelog leptonlib-1.69/debian/changelog --- leptonlib-1.69/debian/changelog 2012-07-19 21:39:52.0 + +++ leptonlib-1.69/debian/changelog 2018-02-13 18:06:39.0 + @@ -1,3 +1,11 @@ +leptonlib (1.69-3.1+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the Debian LTS Team. + * Fix CVE-2018-3836: gplotMakeOutput Command Injection Vulnerability +(closes: #889759) + + -- Abhijith PATue, 13 Feb 2018 23:36:39 +0530 + leptonlib (1.69-3.1) unstable; urgency=medium * Non-maintainer upload diff -Nru leptonlib-1.69/debian/patches/CVE-2018-3836.patch leptonlib-1.69/debian/patches/CVE-2018-3836.patch --- leptonlib-1.69/debian/patches/CVE-2018-3836.patch 1970-01-01 00:00:00.0 + +++ leptonlib-1.69/debian/patches/CVE-2018-3836.patch 2018-02-13 18:06:39.0 + @@ -0,0 +1,125 @@ +Description: Fix CVE-2018-3836.patch + An exploitable command injection vulnerability exists in the gplotMakeOutput + function of Leptonica. A specially crafted gplot rootname argument can cause a + command injection resulting in arbitrary code execution. + An attacker can provide a malicious path as input to an application that passes + attacker data to this function to trigger this vulnerability. Patch backported from + upstream. + +Author: Abhijith PA +Origin: https://build.opensuse.org/package/view_file/home:kbabioch:branches:openSUSE:Leap:42.3:Update/leptonica/CVE-2018-3836.patch +Bug: https://github.com/DanBloomberg/leptonica/issues/303 +Bug-Debian: https://bugs.debian.org/889759 +Last-Update: 2018-02-13 + +Index: leptonlib-1.69/src/gplot.c +=== +--- leptonlib-1.69.orig/src/gplot.c leptonlib-1.69/src/gplot.c +@@ -129,9 +129,10 @@ gplotCreate(const char *rootname, + const char *xlabel, + const char *ylabel) + { +-char *newroot; +-charbuf[L_BUF_SIZE]; +-GPLOT *gplot; ++char*newroot; ++char buf[L_BUF_SIZE]; ++l_int32 badchar; ++GPLOT *gplot; + + PROCNAME("gplotCreate"); + +@@ -141,6 +142,9 @@ GPLOT *gplot; + outformat != GPLOT_EPS && outformat != GPLOT_X11 && + outformat != GPLOT_LATEX) + return (GPLOT *)ERROR_PTR("outformat invalid", procName, NULL); ++stringCheckForChars(rootname, "`;&|><\"?*", ); ++if (badchar) /* danger of command injection */ ++return (GPLOT *)ERROR_PTR("invalid rootname", procName, NULL); + + if ((gplot = (GPLOT *)CALLOC(1, sizeof(GPLOT))) == NULL) + return (GPLOT *)ERROR_PTR("gplot not made", procName, NULL); +@@ -360,18 +364,10 @@ l_int32 ignore; + gplotGenDataFiles(gplot); + + #ifndef _WIN32 +-if (gplot->outformat != GPLOT_X11) +-snprintf(buf, L_BUF_SIZE, "gnuplot %s &", gplot->cmdname); +-else +-snprintf(buf, L_BUF_SIZE, +- "gnuplot -persist -geometry +10+10 %s &", gplot->cmdname); ++snprintf(buf, L_BUF_SIZE, "gnuplot -persist %s", gplot->cmdname); + #else +- if (gplot->outformat != GPLOT_X11) +- snprintf(buf, L_BUF_SIZE, "wgnuplot %s", gplot->cmdname); +- else +- snprintf(buf, L_BUF_SIZE, +- "wgnuplot -persist %s", gplot->cmdname); +-#endif /* _WIN32 */ ++snprintf(buf, L_BUF_SIZE, "wgnuplot -persist %s", gplot->cmdname); ++#endif /* _WIN32 */ + ignore = system(buf); + return 0; + } +Index: leptonlib-1.69/src/utils.c +=== +---