CVE-2018-7440 gplotMakeOutput() command injection vulnerability

Debian Bug report logs - #891932
CVE-2018-7440 gplotMakeOutput() command injection vulnerability

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Santiago R.R." <santiagorr@riseup.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2018-7440 gplotMakeOutput() command injection vulnerability

Date: Fri, 2 Mar 2018 19:14:44 +0100

[Message part 1 (text/plain, inline)]

Source: leptonlib
Version: 1.75.3-2
Severity: grave
Tags: security patch

Hi,

the following vulnerability was published for leptonlib.

CVE-2018-7440[0]:
| An issue was discovered in Leptonica through 1.75.3. The
| gplotMakeOutput function allows command injection via a $(command)
| approach in the gplot rootname argument. This issue exists because of
| an incomplete fix for CVE-2018-3836.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7440
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7440

An upstream patch is available at:

    https://github.com/DanBloomberg/leptonica/pull/313/commits/49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b

Please adjust the affected versions in the BTS as needed.

[signature.asc (application/pgp-signature, inline)]

Message #12 received at 891932-done@bugs.debian.org (full text, mbox, reply):

From: Jeff Breidenbach <jeff@jab.org>

To: 891932-done@bugs.debian.org

Subject: CVE-2018-7440 gplotMakeOutput() command injection vulnerability

Date: Thu, 29 Mar 2018 12:53:37 -0700

[Message part 1 (text/plain, inline)]

This was fixed in 1.75.3-3.  I had  a typo in the changelog so the
upload closed the wrong bug.

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.