Your message dated Thu, 29 Mar 2018 12:53:37 -0700
with message-id 
<cahjiubrnxvbccw0aa2rjwglhngtlw-r4ajzbgpfapqdbvqt...@mail.gmail.com>
and subject line CVE-2018-7440 gplotMakeOutput() command injection vulnerability
has caused the Debian Bug report #891932,
regarding CVE-2018-7440 gplotMakeOutput() command injection vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
891932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891932
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: leptonlib
Version: 1.75.3-2
Severity: grave
Tags: security patch

Hi,

the following vulnerability was published for leptonlib.

CVE-2018-7440[0]:
| An issue was discovered in Leptonica through 1.75.3. The
| gplotMakeOutput function allows command injection via a $(command)
| approach in the gplot rootname argument. This issue exists because of
| an incomplete fix for CVE-2018-3836.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7440
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7440

An upstream patch is available at:

    https://github.com/DanBloomberg/leptonica/pull/313/commits/49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
This was fixed in 1.75.3-3.  I had a typo in the changelog so the
upload closed the wrong bug.

--- End Message ---
