Debian Bug report logs - #898439
leptonlib: CVE-2018-7442
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 11 May 2018 17:21:01 UTC
Severity: important
Tags: security, upstream
Found in version leptonlib/1.75.3-1
Fixed in version leptonlib/1.76.0-1
Done: Jeff Breidenbach <jeff@jab.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Jeff Breidenbach <jab@debian.org>: Bug#898439; Package src:leptonlib. (Fri, 11 May 2018 17:21:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Jeff Breidenbach <jab@debian.org>. (Fri, 11 May 2018 17:21:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: leptonlib
Version: 1.75.3-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for leptonlib, I think this
one was never reported yet directly to the BTS (nor upstream?).
CVE-2018-7442[0]:
| An issue was discovered in Leptonica through 1.75.3. The
| gplotMakeOutput function does not block '/' characters in the gplot
| rootname argument, potentially leading to path traversal and arbitrary
| file overwrite.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-7442
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7442
[1] https://lists.debian.org/debian-lts/2018/02/msg00086.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Breidenbach <jab@debian.org>: Bug#898439; Package src:leptonlib. (Fri, 11 May 2018 19:03:03 GMT)
Acknowledgement sent to Jeff Breidenbach <jeff@jab.org>: Extra info received and forwarded to list. Copy sent to Jeff Breidenbach <jab@debian.org>. (Fri, 11 May 2018 19:03:03 GMT)
Message #10 received at submit@bugs.debian.org:
Believed fixed in Debian package 1.76.0-1

Status of various vulnerabilities, as per upstream:

* CVE-2018-7442: potential injection attack because '/' is allowed in gplot rootdir.
  Functions using this command have been disabled by default in the distribution, starting with 1.76.0. As for the specific issue, it is impossible to specify a general path without using the standard directory subdivider '/'.
* CVE-2018-7186: number of characters not limited in fscanf or sscanf, allowing possible attack with buffer overflow.
  This has been fixed in 1.75.3.
* CVE-2018-3836: command injection vulnerability in gplotMakeOutput().
  This has been fixed in 1.75.3, using stringCheckForChars() to block rootnames containing any of: ;&|>"?*$()/<
* CVE-2017-18196: duplicated path components.
  This was fixed in 1.75.3.
* CVE-2018-7441: hardcoded /tmp pathnames.
  These are all wrapped in special debug functions that are not enabled by default in the distribution, starting with 1.76.0.
* CVE-2018-7247: input 'rootname' can overflow a buffer.
  This was fixed in 1.76.0, using snprintf().
* CVE-2018-7440: command injection in gplotMakeOutput using $(command).
  Fixed in 1.75.3, which blocks '$' as well as 11 other characters.
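The checks described in the message above, as an added example in C that is not Leptonica's code and not part of the bug log: the 12-character blocklist that 1.75.3 applies via stringCheckForChars() (which is also where the '/' of CVE-2018-7442 is blocked), the snprintf() bound that 1.76.0 adds for CVE-2018-7247, and, beside them, the pre-fix shape that lets "x; id", "$(id)" and "../../tmp/evil" through. The command format "gnuplot <rootname>.cmd", the ROOTNAME_MAX limit, the extra backslash check and all function names are assumptions for the illustration, not upstream's.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Leptonica source. It models the checks described in
 * the bug log: the character blocklist 1.75.3 applies with
 * stringCheckForChars() (CVE-2018-3836, CVE-2018-7440, and the '/' that
 * CVE-2018-7442 is about) and the snprintf() bound 1.76.0 adds
 * (CVE-2018-7247). The command format "gnuplot <rootname>.cmd" and
 * ROOTNAME_MAX are assumptions for the illustration. */

/* The 12 characters the bug log says are blocked in gplot rootnames. */
static const char GPLOT_BLOCKED_CHARS[] = ";&|>\"?*$()/<";

/* Upper bound on a rootname (assumed; derive it from the real buffer size). */
#define ROOTNAME_MAX 64

/* 1 if the rootname is non-empty, short enough, and free of every blocked
 * character; 0 otherwise. strpbrk() is the same "any of these characters"
 * test that stringCheckForChars() performs. Backslash is added here because
 * it is a path separator on Windows; it is not in upstream's list. */
int rootname_is_safe(const char *rootname)
{
    if (rootname == NULL || rootname[0] == '\0')
        return 0;
    if (strlen(rootname) >= ROOTNAME_MAX)
        return 0;
    if (strpbrk(rootname, GPLOT_BLOCKED_CHARS) != NULL)
        return 0;
    if (strchr(rootname, '\\') != NULL)
        return 0;
    return 1;
}

/* Pre-fix shape, reconstructed from the CVE descriptions: the rootname is
 * pasted into a shell command with no filtering and no bound. A rootname of
 * "x; id" runs id, "$(id)" runs it by substitution, and "../../tmp/evil"
 * points gnuplot (and the file the plot routine writes) outside the intended
 * directory. Never call this with untrusted input. */
const char *gnuplot_command_unsafe(const char *rootname)
{
    static char buf[256];
    sprintf(buf, "gnuplot %s.cmd", rootname);
    return buf;
}

/* Post-fix shape: refuse unsafe rootnames, format with snprintf(), and treat
 * truncation as an error instead of running a clipped command.
 * Returns 0 on success, -1 if the rootname was rejected, -2 on truncation. */
int build_gnuplot_command(const char *rootname, char *out, size_t outlen)
{
    int n;

    if (!rootname_is_safe(rootname))
        return -1;
    n = snprintf(out, outlen, "gnuplot %s.cmd", rootname);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -2;
    }
    return 0;
}

/* Convenience wrapper: the command string for a rootname, or NULL if it was
 * rejected or would not fit. */
const char *gnuplot_command_for(const char *rootname)
{
    static char buf[ROOTNAME_MAX + 16];

    if (build_gnuplot_command(rootname, buf, sizeof buf) != 0)
        return NULL;
    return buf;
}
```

Note what the blocklist does and does not buy: with '/' blocked, output can only land in the current working directory, which is why the reply above says the gplot helpers were disabled by default rather than trying to allow "safe" paths. A caller that needs plots in a chosen directory should supply that directory separately (or chdir() into it) and keep the rootname a bare file stem that passes the check.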
Reply sent to Jeff Breidenbach <jeff@jab.org>: You have taken responsibility. (Fri, 11 May 2018 19:03:09 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 11 May 2018 19:03:09 GMT)
Marked as fixed in versions leptonlib/1.76.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 May 2018 19:15:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Jeff Breidenbach <jab@debian.org>: Bug#898439; Package src:leptonlib. (Fri, 11 May 2018 19:18:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Jeff Breidenbach <jab@debian.org>. (Fri, 11 May 2018 19:18:02 GMT)
Message #22 received at 898439@bugs.debian.org:
Hi,
On Fri, May 11, 2018 at 12:01:02PM -0700, Jeff Breidenbach wrote:
> Believed fixed in Debian package 1.76.0-1
>
> Status of various vulnerabilities, as per upstream:
>
> * CVE-2018-7442: potential injection attack because '/' is allowed
> in gplot rootdir.
> Functions using this command have been disabled by default in the
> distribution, starting with 1.76.0. As for the specific issue, it
> is impossible to specify a general path without using the standard
> directory subdivider '/'.
Ah good, I missed your unstable upload from yesterday.
Regards,
Salvatore
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Jun 2018 07:26:26 GMT)
Last modified: Wed Jun 19 17:47:55 2019