Package        : leptonlib
Version        : 1.69-3.1+deb7u1
CVE ID         : CVE-2018-3836
Debian Bug     : 889759

Talosintelligence discovered a command injection vulnerability in the
gplotMakeOutput function of leptonlib.

A specially crafted gplot rootname argument can cause a command injection
resulting in arbitrary code execution. An attacker can provide a malicious
path as input to an application that passes attacker data to this function
to trigger this vulnerability.

For Debian 7 "Wheezy", this problem has been fixed in version
1.69-3.1+deb7u1.

We recommend that you upgrade your leptonlib packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
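A caller-side guard for the scenario described above, where an application passes attacker-controlled path data as the gplot rootname. This is an added example, not code from leptonlib or from the Debian fix; `check_rootname`, `ROOTNAME_MAX` and the allowlist are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ROOTNAME_MAX 200  /* assumed application limit, not a leptonlib value */

/* Reasons a candidate rootname is refused (hypothetical names). */
enum root_check { ROOT_OK = 0, ROOT_EMPTY, ROOT_TOO_LONG, ROOT_BAD_CHAR,
                  ROOT_LEADING_DASH, ROOT_DOTDOT };

/*
 * Allowlist check for a string that will be used as a gplot rootname.
 * Only [A-Za-z0-9._/-] is accepted, so spaces, quotes and shell
 * metacharacters never reach code that may build a command line from it.
 */
enum root_check check_rootname(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-";
    size_t len;
    const char *comp;

    if (s == NULL || *s == '\0')
        return ROOT_EMPTY;
    len = strlen(s);
    if (len > ROOTNAME_MAX)
        return ROOT_TOO_LONG;
    if (strspn(s, ok) != len)
        return ROOT_BAD_CHAR;
    if (s[0] == '-')
        return ROOT_LEADING_DASH;       /* could be read as an option */

    /* Walk the '/'-separated components and refuse any ".." entry. */
    for (comp = s; comp != NULL; ) {
        const char *end = strchr(comp, '/');
        size_t n = end ? (size_t)(end - comp) : strlen(comp);
        if (n == 2 && comp[0] == '.' && comp[1] == '.')
            return ROOT_DOTDOT;         /* no climbing out of the plot dir */
        comp = end ? end + 1 : NULL;
    }
    return ROOT_OK;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "/tmp/plots/run1", "plot;x", "a b", "-o", "../x", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %d\n", samples[i], check_rootname(samples[i]));
    return 0;
}
```

A check like this complements the package upgrade and does not replace it.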