Bugzilla – Bug 1079358
VUL-0: CVE-2018-3836: leptonica: gplotMakeOutput command injection
Last modified: 2018-03-06 23:44:58 UTC
rh#1542005 An exploitable command injection vulnerability exists in the gplotMakeOutput function of Leptonica 1.74.4. A specially crafted gplot rootname argument can cause a command injection resulting in arbitrary code execution. An attacker can provide a malicious path as input to an application that passes attacker data to this function to trigger this vulnerability. External References: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516 References: https://bugzilla.redhat.com/show_bug.cgi?id=1542005 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3836
Fixed upstream in 1.75.1. Fixed for openSUSE:Factory already, SR for openSUSE:Leap:42.3: 573621
https://build.opensuse.org/request/show/573621
https://build.opensuse.org/request/show/573635
openSUSE-SU-2018:0429-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1079358 CVE References: CVE-2018-3836 Sources used: openSUSE Leap 42.3 (src): leptonica-1.72-6.1
released
Issue still not fixed, as $(command) still works :-/ See: https://github.com/DanBloomberg/leptonica/issues/303#issuecomment-366472212
This is an autogenerated message for OBS integration: This bug (1079358) was mentioned in https://build.opensuse.org/request/show/579554 42.3 / leptonica
release for Leap
openSUSE-SU-2018:0615-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1079358,1081576,1081631 CVE References: CVE-2018-3836,CVE-2018-7186,CVE-2018-7247 Sources used: openSUSE Leap 42.3 (src): leptonica-1.72-9.1