Your message dated Fri, 11 May 2018 12:01:02 -0700
with message-id
<CAHjiUbpYzd=2zDRx3_PScyFCXgFncWoVb2y5V_=deaxm_x_...@mail.gmail.com>
and subject line Re: Bug#898439: leptonlib: CVE-2018-7442
has caused the Debian Bug report #898439,
regarding leptonlib: CVE-2018-7442
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
898439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898439
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: leptonlib
Version: 1.75.3-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for leptonlib; I think this
one has not yet been reported directly to the BTS (nor upstream?).
CVE-2018-7442[0]:
| An issue was discovered in Leptonica through 1.75.3. The
| gplotMakeOutput function does not block '/' characters in the gplot
| rootname argument, potentially leading to path traversal and arbitrary
| file overwrite.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-7442
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7442
[1] https://lists.debian.org/debian-lts/2018/02/msg00086.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Believed fixed in Debian package 1.76.0-1
Status of various vulnerabilities, as per upstream:
* CVE-2018-7442: potential injection attack because '/' is allowed
in gplot rootdir.
Functions using this command have been disabled by default in the
distribution, starting with 1.76.0. As for the specific issue, it
is impossible to specify a general path without using the standard
directory subdivider '/'.
* CVE-2018-7186: number of characters not limited in fscanf or sscanf,
allowing possible attack with buffer overflow.
This has been fixed in 1.75.3.
* CVE-2018-3836: command injection vulnerability in gplotMakeOutput().
This has been fixed in 1.75.3, using stringCheckForChars() to block
rootnames containing any of: ;&|>"?*$()/<
* CVE-2017-18196: duplicated path components.
This was fixed in 1.75.3.
* CVE-2018-7441: hardcoded /tmp pathnames.
These are all wrapped in special debug functions that are not
enabled by default in the distribution, starting with 1.76.0.
* CVE-2018-7247: input 'rootname' can overflow a buffer.
This was fixed in 1.76.0, using snprintf().
* CVE-2018-7440: command injection in gplotMakeOutput using $(command).
Fixed in 1.75.3, which blocks '$' as well as 11 other characters.
--- End Message ---
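A rootname validation routine in the spirit of the stringCheckForChars() fix the maintainer describes, written here as an added example and not Leptonica's own code: the first function mirrors the 12-character blocklist quoted in the thread, the second is the stricter allowlist a defender would usually prefer before a user-supplied name reaches a shell command or a file path. Function names and the 255-byte length limit are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* The characters the thread says upstream blocks in gplot rootnames:
 * shell metacharacters plus '/', the path separator behind CVE-2018-7442. */
static const char kBlockedRootnameChars[] = ";&|>\"?*$()/<";

/* Blocklist check (hypothetical name, modelled on the described fix).
 * Returns 1 if rootname contains none of the blocked characters, else 0. */
int rootname_passes_blocklist(const char *rootname)
{
    if (rootname == NULL || rootname[0] == '\0')
        return 0;
    return strpbrk(rootname, kBlockedRootnameChars) == NULL;
}

/* Allowlist check (hypothetical name): only [A-Za-z0-9_.-], no leading '-'
 * (so the name cannot be parsed as an option), no "..", and a length cap so
 * downstream fixed-size buffers stay safe (cf. CVE-2018-7247).
 * The result can only ever be a plain file stem inside the intended directory. */
int rootname_passes_allowlist(const char *rootname)
{
    size_t n, i;
    if (rootname == NULL || rootname[0] == '\0' || rootname[0] == '-')
        return 0;
    n = strlen(rootname);
    if (n > 255)                       /* assumed limit, not upstream's */
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)rootname[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    if (strstr(rootname, "..") != NULL)
        return 0;
    return 1;
}
```

The two checks disagree on characters the blocklist never mentions, such as backticks, spaces and newlines, which the allowlist rejects; that gap is the usual reason to validate against an allowlist rather than a list of known-bad characters.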