Bug 22591 - leptonica new security issue CVE-2018-3836
Summary: leptonica new security issue CVE-2018-3836
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-14 12:38 CET by David Walser
Modified: 2018-03-01 22:28 CET (History)
CC list: 5 users

See Also:
Source RPM: leptonica-1.75.0-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 1.75.1


Attachments
Test scan (compressed with xz) (380.01 KB, application/octet-stream)
2018-02-23 13:57 CET, Barry Jackson

Description David Walser 2018-02-14 12:38:58 CET
openSUSE has issued an advisory on February 12:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00040.html

The issue is fixed upstream in 1.75.1.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-02-14 12:39:24 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.75.1

Comment 1 Marja Van Waes 2018-02-14 17:01:30 CET
Assigning to the registered maintainer.

Assignee: bugsquad => zen25000
CC: (none) => marja11

Comment 2 Barry Jackson 2018-02-16 00:28:13 CET
(In reply to Marja van Waes from comment #1)
> Assigning to the registered maintainer.

Updated to 1.75.2 in Cauldron.

No MGA5TOO? Or is it finally EOL?

Also there is the question of mingw-leptonica. It uses the same source tarball so may also be affected by this? (neoclust). Maybe these should be done together?
Barry Jackson 2018-02-16 00:38:37 CET

CC: (none) => mageia

Comment 3 David Walser 2018-02-16 17:42:08 CET
Mageia 5 went EOL at the end of last year, but it's kind of in zombie mode right now, dead but there's still some movement.  That's because 1) we still haven't enabled the upgrade applet, 2) mga infrastructure is still using mga5, 3) and a lot of our users are still using it due to various upgrade issues, Plasma issues, missing packages, etc.  So we're doing some limited updates for it still, but only for important issues and packages, ones that impact servers or most systems.  The leptonica library is only used by tesseract, so it definitely doesn't qualify.

As for mingw, we really can't officially support that stuff and never have, but you should certainly update it in Cauldron too.  As for whether you want to update it for mga6, we could just verify that it installs.  It doesn't matter either way.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 Barry Jackson 2018-02-23 13:45:42 CET
leptonica-1.75.2 has been submitted to 6/updates_testing
also
leptonica-mingw-1.75.2 has been submitted to 6/updates_testing (see #3 last para)

Update Advisory
#####################################

Package leptonica has been updated to the current stable version 1.75.2 which fixes a security issue (potential injection attack using gplot rootdir) reported in CVE-2018-3836.

RPMS Affected
####################################

lib64leptonica5-1.75.2-1.mga6.x86_64.rpm
lib64leptonica-devel-1.75.2-1.mga6.x86_64.rpm
leptonica-debuginfo-1.75.2-1.mga6.x86_64.rpm

lib64leptonica5-1.75.2-1.mga6.i586.rpm
lib64leptonica-devel-1.75.2-1.mga6.i586.rpm
leptonica-debuginfo-1.75.2-1.mga6.i586.rpm

From
leptonica-1.75.2-1.mga7.src.rpm

Testing
####################################

Install tesseract which will pull in the current leptonica.
Create a folder called ocrtest with test.tiff (attached below) in it.

cd ocrtest
tesseract test.tiff output

Check that output.txt is correct and delete it.

Update lib64leptonica5 from updates_testing and repeat the above.

Regarding mingw-leptonica, simply check that it installs (see #3 last para)

Assignee: zen25000 => qa-bugs
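
As an added example (this is not a script from the bug report or from Mageia QA), the before/after procedure in comment 4 written as a POSIX shell script. It records the installed leptonica version and the OCR baseline, and after the update gates on the upstream fix release (1.75.1, per the status comment) before diffing the OCR output, so a tester cannot accidentally validate with the old library still installed. Assumptions: tesseract and rpm are on the path, test.tiff (the attachment) is in the current directory, the library package is lib64leptonica5 on x86_64 or libleptonica5 on i586, and the file names output_preupdate.txt and leptonica_preupdate.version are this script's own.

```shell
#!/bin/sh
# Added example (not from the bug report or Mageia QA): automates the
# before/after OCR check from comment 4 and gates on the upstream fix version.
# Assumes tesseract and rpm are installed, test.tiff is in the current
# directory, and the package is lib64leptonica5 (x86_64) or libleptonica5 (i586).

FIXED_VERSION="1.75.1"   # "Fixed upstream in 1.75.1" (bug status comment)

# version_ge A B: succeed if dotted version A is >= B (pure sh, no sort -V).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# installed_leptonica_version: print the version of whichever leptonica
# library package is installed (hypothetical helper); fail if neither is.
installed_leptonica_version() {
    for p in lib64leptonica5 libleptonica5; do
        if rpm -q "$p" >/dev/null 2>&1; then
            rpm -q --qf '%{VERSION}\n' "$p"
            return 0
        fi
    done
    return 1
}

# ocr_to IMAGE BASENAME: run tesseract, leaving BASENAME.txt behind.
ocr_to() {
    tesseract "$1" "$2" || { echo "tesseract failed on $1" >&2; return 1; }
}

# run_phase before|after IMAGE
run_phase() {
    phase="$1"; img="$2"
    ver=$(installed_leptonica_version) || { echo "no leptonica library package installed" >&2; return 1; }
    case "$phase" in
    before)
        printf '%s\n' "$ver" > leptonica_preupdate.version
        ocr_to "$img" output_preupdate || return 1
        echo "leptonica $ver: baseline saved in output_preupdate.txt"
        echo "Now install the library from updates_testing and run: $0 after $img"
        ;;
    after)
        old=$(cat leptonica_preupdate.version 2>/dev/null || echo 0)
        if ! version_ge "$ver" "$FIXED_VERSION"; then
            echo "leptonica $ver is below $FIXED_VERSION: the update is not installed" >&2
            return 1
        fi
        if version_ge "$old" "$ver"; then
            echo "warning: version did not increase ($old -> $ver)" >&2
        fi
        ocr_to "$img" output || return 1
        if diff -u output_preupdate.txt output.txt; then
            echo "leptonica $old -> $ver: OCR output unchanged, OK"
        else
            echo "OCR output changed after the update: inspect before validating" >&2
            return 1
        fi
        ;;
    esac
}

case "${1:-}" in
    before|after) run_phase "$1" "${2:-test.tiff}" ;;
    "") : ;;   # no arguments (e.g. sourced for version_ge): define functions only
    *) echo "usage: $0 before|after [image.tiff]" >&2; exit 2 ;;
esac
```

Run `sh leptonica-qa.sh before` with the old library installed, update lib64leptonica5 (or libleptonica5) from updates_testing, then `sh leptonica-qa.sh after`. A non-zero exit on the second run means either the library is still below 1.75.1 or the OCR transcript changed, both of which should be looked at before setting the MGA6-OK whiteboard flag.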

Comment 5 Barry Jackson 2018-02-23 13:57:07 CET
Created attachment 10001 [details]
Test scan (compressed with xz)

I had to compress the tiff so please extract it.

CC: (none) => zen25000

Comment 6 Barry Jackson 2018-02-23 13:59:52 CET
Oops, please correct the SRPM distsuffix to Mga6.
claire robinson 2018-02-28 17:18:16 CET

Keywords: (none) => advisory, has_procedure

Comment 7 Len Lawrence 2018-03-01 12:15:56 CET
Mageia 6 :: x86_64

Thanks for the test procedure Barry.

$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1

output.txt contained the transcript from the test image.

Updated leptonica but leptonica-mingw has not reached the mirrors and is not listed on coffee updates testing.  Later maybe.
- lib64leptonica-devel-1.75.2-1.mga6
- lib64leptonica5-1.75.2-1.mga6

Ran the ocr test again.
$ diff output.txt output_preupdate.txt
$

So, the security update has not broken anything.  OK for 64-bit.
Leaving the confirmation flag until the leptonica-mingw package turns up.

CC: (none) => tarazed25

Comment 8 Barry Jackson 2018-03-01 14:57:25 CET
Hi Len,
Sorry I should have listed the rpms

[baz@leno ~]$ urpmq -yf mingw|grep lept
mingw32-leptonica-1.75.2-1.mga6.noarch
mingw32-leptonica-static-1.75.2-1.mga6.noarch
mingw64-leptonica-1.75.2-1.mga6.noarch
mingw64-leptonica-static-1.75.2-1.mga6.noarch

Just confirm that they install - nothing more - thanks,

Barry
Comment 9 Len Lawrence 2018-03-01 19:55:26 CET
Ta.
They installed fine, pulling in about a dozen packages.
$ rpm -qa | grep mingw
mingw64-filesystem-101-1.mga6
mingw64-headers-5.0.1-1.mga6
mingw-filesystem-base-101-1.mga6
mingw64-gcc-6.1.0-1.mga6
mingw64-libjpeg-turbo-1.4.2-1.mga6
mingw64-binutils-2.26-1.mga6
mingw64-libwebp-0.5.2-1.mga6
mingw64-crt-5.0-0.1.rc2.1.mga6
mingw-binutils-generic-2.26-1.mga6
mingw64-libtiff-4.0.7-1.mga6
mingw64-libpng-1.6.21-2.mga6
mingw64-winpthreads-5.0-0.1.rc2.mga6
mingw64-gcc-c++-6.1.0-1.mga6
mingw64-cpp-6.1.0-1.mga6
mingw64-zlib-1.2.8-5.mga6
mingw64-leptonica-static-1.75.2-1.mga6
mingw64-giflib-5.1.4-1.mga6
mingw64-leptonica-1.75.2-1.mga6
mingw64-pkg-config-0.28-7.mga6

So, OK for 64-bit.
I shall run the 32-bit stuff through virtualbox unless somebody beats me to it.
Len Lawrence 2018-03-01 19:55:40 CET

Whiteboard: (none) => MGA6-64-OK

Comment 10 Len Lawrence 2018-03-01 20:37:00 CET
Re comment 4: typo for i586 packages (lib64*)

Mageia 6 :: i586 in virtualbox

Installed tesseract and mingw32.
$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1

output.txt matches the tiff image contents.
Deleted output.txt.

Ran the updates.
Clean install of all packages.

$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1

output.txt is the same as before.

Good for 32-bit.  Validating.

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Len Lawrence 2018-03-01 20:37:48 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2018-03-01 22:28:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0154.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

