Bug 31266

Summary:	leptonica new security issue CVE-2022-38266
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, zen25000
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	leptonica-1.80.0-1.mga8.src.rpm	CVE:
Status comment:

Description David Walser 2022-12-12 16:33:12 CET

Debian-LTS has issued an advisory on December 8:
https://www.debian.org/lts/security/2022/dla-3233

The issue is fixed upstream in 1.81.0.

David Walser 2022-12-12 16:33:20 CET

Status comment: (none) => Fixed upstream in 1.81.0

Comment 1 Barry Jackson 2022-12-12 17:19:42 CET

Thanks David.

Comment 2 Barry Jackson 2022-12-12 19:55:18 CET

Packages:
leptonica-1.81.0
mingw-leptonica-1.81.0

have been submitted to 8/updates_testing

##########################
Advisory:

This update fixes a denial of service vulnerability in leptonlib.
It can be made to crash with an arithmetic exception on specially crafted JPEG files.
Reported in CVE-2022-38266.

##########################
References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38266
https://bugs.mageia.org/show_bug.cgi?id=31266
https://www.debian.org/lts/security/2022/dla-3233

##########################
Affected files:

lib64leptonica-devel-1.81.0-1.mga8.x86_64.rpm
lib64leptonica5-1.81.0-1.mga8.x86_64.rpm
lib64leptonica5-debuginfo-1.81.0-1.mga8.x86_64.rpm
leptonica-debugsource-1.81.0-1.mga8.x86_64.rpm

libleptonica-devel-1.81.0-1.mga8.i586.rpm
libleptonica5-1.81.0-1.mga8.i586.rpm
libleptonica5-debuginfo-1.81.0-1.mga8.i586.rpm
leptonica-debugsource-1.81.0-1.mga8.i586.rpm

mingw32-leptonica-debuginfo-1.81.0-1.mga8.noarch.rpm
mingw64-leptonica-debuginfo-1.81.0-1.mga8.noarch.rpm
mingw32-leptonica-static-1.81.0-1.mga8.noarch.rpm
mingw32-leptonica-1.81.0-1.mga8.noarch.rpm
mingw64-leptonica-1.81.0-1.mga8.noarch.rpm
mingw64-leptonica-static-1.81.0-1.mga8.noarch.rpm

From:
leptonica-1.81.0-1.mga8.src.rpm
mingw-leptonica-1.81.0-1.mga8.src.rpm

Assignee: zen25000 => qa-bugs

David Walser 2022-12-12 21:30:42 CET

CC: (none) => zen25000
Status comment: Fixed upstream in 1.81.0 => (none)

Comment 3 David Walser 2022-12-13 01:09:16 CET

mingw64-leptonica-1.81.0-1.mga8
mingw32-leptonica-1.81.0-1.mga8
mingw32-leptonica-static-1.81.0-1.mga8
mingw64-leptonica-static-1.81.0-1.mga8
libleptonica-devel-1.81.0-1.mga8
libleptonica5-1.81.0-1.mga8

from SRPMS:
leptonica-1.81.0-1.mga8.src.rpm
mingw-leptonica-1.81.0-1.mga8.src.rpm

Comment 4 Herman Viaene 2022-12-16 15:08:51 CET

MGA8-64 MATE on Acer Aspire 5253
No installation issues, just taking the 64-versions and omitting the debug packages.
Ref. bug 28994 Comment 4, using Len's test file
$ tesseract test.tiff test1 --psm 4
Tesseract Open Source OCR Engine v4.1.1 with Leptonica
Page 1
and getting the same result with the same remark on alignment
So OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2022-12-16 19:53:00 CET

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-12-17 18:25:34 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-12-17 19:49:36 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0472.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED