Bug 23130

Summary: leptonica new security issues CVE-2018-7440 and CVE-2018-7442
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tarazed25, zen25000
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: leptonica-1.75.3-1.mga7.src.rpm CVE:
Status comment: Fixed upstream in 1.76.0

Description David Walser 2018-06-07 19:26:50 CEST 
Fedora has issued an advisory on May 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WQW5PHZGVNBQR4NN3HULQGVXLFM52EE4/

The issues are fixed upstream in 1.76.0.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-07 19:27:06 CEST

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.76.0

Comment 1 Barry Jackson 2018-06-07 22:46:44 CEST 
leptonica-1.76.0 has been submitted to 6/updates_testing
also
leptonica-mingw-1.76.0 has been submitted to 6/updates_testing

Update Advisory
#####################################

This update fixes a security issue (potential injection attack using gplot rootdir) originally reported in CVE-2018-3836.
This fix was incomplete and again reported in CVE-2018-7440 and CVE-2018-7442.
The improved fix is included in leptonica-1.76.0.

References
https://bugzilla.redhat.com/show_bug.cgi?id=1549735
https://bugzilla.redhat.com/show_bug.cgi?id=1549729
https://bugs.mageia.org/show_bug.cgi?id=22591
https://bugs.mageia.org/show_bug.cgi?id=23130

RPMS Affected
####################################

lib64leptonica5-1.76.0-1.mga6.x86_64.rpm
lib64leptonica-devel-1.76.0-1.mga6.x86_64.rpm
leptonica-debuginfo-1.76.0-1.mga6.x86_64.rpm

libleptonica5-1.76.0-1.mga6.i586.rpm
libleptonica-devel-1.76.0-1.mga6.i586.rpm
leptonica-debuginfo-1.76.0-1.mga6.i586.rpm

From
leptonica-1.76.0-1.mga7.src.rpm

Testing
####################################

Install tesseract which will pull in the current leptonica.
Create a folder called ocrtest and download https://bugs.mageia.org/attachment.cgi?id=10001 into it and extract the file (test.tiff).

cd ocrtest
tesseract test.tiff output

Check that output.txt is correct and delete it.

Update lib(64)leptonica5 from updates_testing and repeat the above.

Regarding mingw-leptonica, simply check that it installs.
Barry Jackson 2018-06-07 22:50:29 CEST

Assignee: zen25000 => qa-bugs

David Walser 2018-06-07 23:03:32 CEST

Whiteboard: MGA6TOO => (none)
CC: (none) => zen25000
Version: Cauldron => 6

Comment 2 Len Lawrence 2018-06-10 09:07:33 CEST 
Mageia 6, x86_64

$ urpmq --fuzzy -r leptonica
lib64leptonica-devel-1.75.3-1.mga6
lib64leptonica5-1.75.3-1.mga6
libleptonica-devel-1.75.3-1.mga6
libleptonica5-1.75.3-1.mga6
mingw32-leptonica-1.75.3-1.mga6
mingw32-leptonica-static-1.75.3-1.mga6
mingw64-leptonica-1.75.3-1.mga6
mingw64-leptonica-static-1.75.3-1.mga6

$ unxz test.tiff.xz
$ display test.tiff &
$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1

Checked output.txt against the image displayed.  All correct.

Updated leptonica (without debug testing repositories enabled) and ran the test again.
$ rpm -qa | grep leptonica
lib64leptonica5-1.76.0-1.mga6
lib64leptonica-devel-1.76.0-1.mga6

The output text was correct.
$ diff output.txt before.txt
$

Installed mingw64-leptonica (18 packages) then updated it from testing.  Clean install of mingw64-leptonica-1.76.0-1.mga6.noarch.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 3 claire robinson 2018-06-14 18:10:34 CEST 
Validating

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 claire robinson 2018-06-14 18:38:32 CEST 
Advisoried

Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-06-14 20:16:01 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0279.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED