openSUSE has issued an advisory on February 12:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00040.html

The issue is fixed upstream in 1.75.1. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.75.1
Assigning to the registered maintainer.
Assignee: bugsquad => zen25000
CC: (none) => marja11
(In reply to Marja van Waes from comment #1)
> Assigning to the registered maintainer.

Updated to 1.75.2 in Cauldron. No MGA5TOO? Or is it finally EOL?

Also there is the question of mingw-leptonica. It uses the same source tarball so may also be affected by this? (neoclust). Maybe these should be done together?
CC: (none) => mageia
Mageia 5 EOL as of the end of last year, but it's kind of in zombie mode right now, dead but there's still some movement. That's because 1) we still haven't enabled the upgrade applet, 2) mga infrastructure is still using mga5, 3) and a lot of our users are still using it due to various upgrade issues, Plasma issues, missing packages, etc. So we're doing some limited updates for it still, but only for important issues and packages, ones that impact servers or most systems. The leptonica library is only used by tesseract, so it definitely doesn't qualify.

As for mingw, we really can't officially support that stuff and never have, but you should certainly update it in Cauldron too. As for whether you want to update it for mga6, we could just verify that it installs. It doesn't matter either way.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
leptonica-1.75.2 has been submitted to 6/updates_testing
also leptonica-mingw-1.75.2 has been submitted to 6/updates_testing (see #3 last para)

Update Advisory
#####################################
Package leptonica has been updated to the current stable version 1.75.2 which fixes a security issue (potential injection attack using gplot rootdir) reported in CVE-2018-3836.

RPMS Affected
####################################
lib64leptonica5-1.75.2-1.mga6.x86_64.rpm
lib64leptonica-devel-1.75.2-1.mga6.x86_64.rpm
leptonica-debuginfo-1.75.2-1.mga6.x86_64.rpm
lib64leptonica5-1.75.2-1.mga6.i586.rpm
lib64leptonica-devel-1.75.2-1.mga6.i586.rpm
leptonica-debuginfo-1.75.2-1.mga6.i586.rpm

From leptonica-1.75.2-1.mga7.src.rpm

Testing
####################################
Install tesseract which will pull in the current leptonica.
Create a folder called ocrtest with test.tiff (attached below) in it.
  cd ocrtest
  tesseract test.tiff output
Check that output.txt is correct and delete it.
Update lib64leptonica5 from updates_testing and repeat the above.

Regarding mingw-leptonica, simply check that it installs (see #3 last para)
Assignee: zen25000 => qa-bugs
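The advisory above describes the fix only as closing "a potential injection attack using gplot rootdir", and the QA procedure exercises OCR functionality rather than the plotting path. The program below is added here for illustration; it is not leptonica's code and not part of the Mageia package. It shows the bug class: a caller-supplied plot rootname spliced into a shell command string, beside a hardened variant that rejects shell metacharacters and builds an argv so the helper can be launched without a shell. The function names, the assumed command layout ("gnuplot <rootname>.cmd") and the rejected character set are assumptions, not the upstream patch; nothing in it executes a command.

```c
/* Added illustration of the CVE-2018-3836 bug class (command injection through
 * a plot rootname that ends up in a shell command). NOT leptonica's code; the
 * names, command layout and character set below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the rootname is spliced into a string that would be
 * handed to system(). This only builds the string, it never runs it.
 * Returns 0 and fills buf, or -1 if the command does not fit. */
int build_plot_command_unsafe(const char *rootname, char *buf, size_t n)
{
    int len = snprintf(buf, n, "gnuplot %s.cmd", rootname);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Characters a POSIX shell treats specially. Any of them in an
 * attacker-controlled rootname lets the attacker append commands. */
static const char SHELL_META[] = " \t\n;&|<>`$()\"'\\*?[]{}~#!";

/* Returns 1 if rootname is acceptable for a plot command, else 0.
 * A leading '-' is refused too, since gnuplot would parse it as an option. */
int rootname_is_safe(const char *rootname)
{
    if (rootname == NULL || rootname[0] == '\0')
        return 0;
    if (rootname[0] == '-')
        return 0;
    for (const char *p = rootname; *p; p++) {
        if ((unsigned char)*p < 0x20 || *p == 0x7f)   /* control characters */
            return 0;
        if (strchr(SHELL_META, *p))
            return 0;
    }
    return 1;
}

/* Hardened variant: validate first, then build an argv so the plotter can be
 * started with execvp()/posix_spawn() and no shell ever sees the rootname.
 * Returns 0 and fills argv (argv[1] points into cmdfile), -1 on rejection. */
int build_plot_argv_safe(const char *rootname, char *cmdfile, size_t n,
                         const char *argv[3])
{
    if (!rootname_is_safe(rootname))
        return -1;
    int len = snprintf(cmdfile, n, "%s.cmd", rootname);
    if (len < 0 || (size_t)len >= n)
        return -1;
    argv[0] = "gnuplot";
    argv[1] = cmdfile;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary rootname and one hostile one. */
    const char *inputs[] = { "/tmp/ocr/plot1", "/tmp/x; touch /tmp/pwned #" };
    char cmd[256];
    const char *argv[3];

    for (size_t i = 0; i < 2; i++) {
        if (build_plot_command_unsafe(inputs[i], cmd, sizeof cmd) == 0)
            printf("unsafe would run: sh -c '%s'\n", cmd);
        if (build_plot_argv_safe(inputs[i], cmd, sizeof cmd, argv) == 0)
            printf("safe   would exec: %s %s (no shell)\n", argv[0], argv[1]);
        else
            printf("safe   rejected rootname: %s\n", inputs[i]);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; for the hostile input the unsafe builder yields `gnuplot /tmp/x; touch /tmp/pwned #.cmd`, which a shell would execute as two commands, while the hardened path refuses it. Avoiding the shell is the stronger fix; the character filter alone still leaves the "rootname looks like an option" problem, which is why the check also refuses a leading `-`. A regression test for an update like this one would pass a rootname containing `;` or `$(` to the plotting entry point and expect rejection, something the OCR before/after diff in the test procedure does not cover.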
Created attachment 10001
Test scan (compressed with xz)

I had to compress the tiff so please extract it.
CC: (none) => zen25000
Oops, please correct the SRPM distsuffix to Mga6.
Keywords: (none) => advisory, has_procedure
Mageia 6 :: x86_64

Thanks for the test procedure Barry.

$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1

output.txt contained the transcript from the test image.

Updated leptonica but leptonica-mingw has not reached the mirrors and is not listed on coffee updates testing. Later maybe.

- lib64leptonica-devel-1.75.2-1.mga6
- lib64leptonica5-1.75.2-1.mga6

Ran the ocr test again.

$ diff output.txt output_preupdate.txt
$

So, the security update has not broken anything. OK for 64-bit. Leaving the confirmation flag until the leptonica-mingw package turns up.
CC: (none) => tarazed25
Hi Len,
Sorry I should have listed the rpms

[baz@leno ~]$ urpmq -yf mingw|grep lept
mingw32-leptonica-1.75.2-1.mga6.noarch
mingw32-leptonica-static-1.75.2-1.mga6.noarch
mingw64-leptonica-1.75.2-1.mga6.noarch
mingw64-leptonica-static-1.75.2-1.mga6.noarch

Just confirm that they install - nothing more - thanks, Barry
Ta. They installed fine, pulling in about a dozen packages.

$ rpm -qa | grep mingw
mingw64-filesystem-101-1.mga6
mingw64-headers-5.0.1-1.mga6
mingw-filesystem-base-101-1.mga6
mingw64-gcc-6.1.0-1.mga6
mingw64-libjpeg-turbo-1.4.2-1.mga6
mingw64-binutils-2.26-1.mga6
mingw64-libwebp-0.5.2-1.mga6
mingw64-crt-5.0-0.1.rc2.1.mga6
mingw-binutils-generic-2.26-1.mga6
mingw64-libtiff-4.0.7-1.mga6
mingw64-libpng-1.6.21-2.mga6
mingw64-winpthreads-5.0-0.1.rc2.mga6
mingw64-gcc-c++-6.1.0-1.mga6
mingw64-cpp-6.1.0-1.mga6
mingw64-zlib-1.2.8-5.mga6
mingw64-leptonica-static-1.75.2-1.mga6
mingw64-giflib-5.1.4-1.mga6
mingw64-leptonica-1.75.2-1.mga6
mingw64-pkg-config-0.28-7.mga6

So, OK for 64-bit. I shall run the 32-bit stuff through virtualbox unless somebody beats me to it.
Whiteboard: (none) => MGA6-64-OK
Re comment 4: typo for i586 packages (lib64*)

Mageia 6 :: i586 in virtualbox

Installed tesseract and mingw32.

$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1

output.txt matches the tiff image contents. Deleted output.txt.

Ran the updates. Clean install of all packages.

$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1

output.txt is the same as before. Good for 32-bit. Validating.
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0154.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED