openSUSE has issued an advisory March 7: https://lists.opensuse.org/opensuse-updates/2018-03/msg00009.html The issues are fixed upstream in 1.75.3. Mageia 5 and Mageia 6 are also affected.
Status comment: (none) => Fixed upstream in 1.75.3
Whiteboard: (none) => MGA6TOO
Fedora has issued an advisory for this today (March 13): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HQE5K6K6RVMZIFF2TRE5XE74PK53JVPN/ It also mentions CVE-2017-18196.
Fedora 27 version of that same advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZFF3IJGBSFE26GDEQXGVG7E62N4LZKRX/
leptonica-1.75.3 has been submitted to 6/updates_testing; also mingw-leptonica-1.75.3 has been submitted to 6/updates_testing.
For mingw-leptonica please just check that it installs as was done for https://bugs.mageia.org/show_bug.cgi?id=22591

Update Advisory
#####################################
Package leptonica has been updated to the current stable version 1.75.3 which fixes:

CVE-2018-3836 - Added additional bad characters, to prevent command injection by invoking it via $(command)
CVE-2018-7186 - multiple stack-based buffer overflows in gplotRead() and ptaReadStream()
CVE-2018-7247 - a buffer overflow in src/viewfiles.c with unsanitized input (rootname)

RPMS Affected
####################################
lib64leptonica5-1.75.3-1.mga6.x86_64.rpm
lib64leptonica-devel-1.75.3-1.mga6.x86_64.rpm
leptonica-debuginfo-1.75.3-1.mga6.x86_64.rpm
lib64leptonica5-1.75.3-1.mga6.i586.rpm
lib64leptonica-devel-1.75.3-1.mga6.i586.rpm
leptonica-debuginfo-1.75.3-1.mga6.i586.rpm

From leptonica-1.75.3-1.mga6.src.rpm

Testing
####################################
Install tesseract which will pull in the current leptonica lib.
Create a folder called ocrtest with test.tiff in it. A compressed test.tiff is attached to bug #22591.
cd ocrtest
tesseract test.tiff output
Check that output.txt is correct and delete it.
Update lib64leptonica5 from updates_testing and repeat the above.
Assignee: zen25000 => qa-bugs
Please remove the previous one; it included one CVE that was fixed in the last update. This replaces it:

leptonica-1.75.3 has been submitted to 6/updates_testing; also mingw-leptonica-1.75.3 has been submitted to 6/updates_testing.
For mingw-leptonica please just check that it installs as was done for https://bugs.mageia.org/show_bug.cgi?id=22591

Update Advisory
#####################################
Package leptonica has been updated to the current stable version 1.75.3 which fixes:

CVE-2018-7186 - multiple stack-based buffer overflows in gplotRead() and ptaReadStream()
CVE-2018-7247 - a buffer overflow in src/viewfiles.c with unsanitized input (rootname)

RPMS Affected
####################################
lib64leptonica5-1.75.3-1.mga6.x86_64.rpm
lib64leptonica-devel-1.75.3-1.mga6.x86_64.rpm
leptonica-debuginfo-1.75.3-1.mga6.x86_64.rpm
lib64leptonica5-1.75.3-1.mga6.i586.rpm
lib64leptonica-devel-1.75.3-1.mga6.i586.rpm
leptonica-debuginfo-1.75.3-1.mga6.i586.rpm

From leptonica-1.75.3-1.mga6.src.rpm

Testing
####################################
Install tesseract which will pull in the current leptonica lib.
Create a folder called ocrtest with test.tiff in it. A compressed test.tiff is attached to bug #22591.
cd ocrtest
tesseract test.tiff output
Check that output.txt is correct and delete it.
Update lib64leptonica5 from updates_testing and repeat the above.
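As an added illustrative example (not leptonica's code and not the upstream fix), the two input-handling defects the advisory names for a caller-supplied rootname are shown handled safely in C: an allowlist check rejects shell metacharacters, including the $(command) form, before the name can reach a command line, and a bounded snprintf with a checked return value replaces an unbounded write into a fixed buffer. The function names and the 64-byte limit are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Illustrative example, not leptonica's code. A "rootname" arrives from
 * untrusted input and is later used both to build a file path in a
 * fixed-size buffer and to build a shell command line. Validating with an
 * allowlist and bounding every write avoids both classes of defect named
 * in the advisory (unchecked copy, missing metacharacter filtering). */

#define ROOTNAME_MAX 64   /* assumed limit for this example */

/* Allowlist: letters, digits, '.', '_', '-' and '/' only. Everything else
 * ('$', '(', ')', '`', ';', '|', '&', quotes, whitespace, ...) is rejected.
 * An allowlist also rejects the "$(command)" form, which a denylist of
 * individual bad characters can miss. Returns 1 if safe, 0 otherwise. */
int rootname_is_safe(const char *rootname)
{
    size_t i, n;
    if (rootname == NULL) return 0;
    n = strlen(rootname);
    if (n == 0 || n >= ROOTNAME_MAX) return 0;
    if (strstr(rootname, "..") != NULL) return 0;   /* no path traversal */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)rootname[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    return 1;
}

/* Build "<rootname>.png" into a caller-supplied buffer. Returns 1 on
 * success, 0 if the name is unsafe or the result would not fit. Checking
 * snprintf's return value is what replaces an unbounded sprintf. */
int build_output_path(const char *rootname, char *out, size_t outlen)
{
    int len;
    if (out == NULL || outlen == 0) return 0;
    out[0] = '\0';
    if (!rootname_is_safe(rootname)) return 0;
    len = snprintf(out, outlen, "%s.png", rootname);
    if (len < 0 || (size_t)len >= outlen) {   /* truncated: refuse it */
        out[0] = '\0';
        return 0;
    }
    return 1;
}
```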
CC: (none) => zen25000
Version: Cauldron => 6
Status comment: Fixed upstream in 1.75.3 => (none)
Whiteboard: MGA6TOO => (none)
Testing complete mga6 64

Downloaded test.tiff.xz from bug 22591. Extracted.
$ xz -d test.tiff.xz

Before
------
$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1
$ cat output.txt
6. MAINTENANCE AND ADJUSTMENTS
6-1. GENERAL INFORMATION
Notes
1. Record the date of purchase, serial number and dealer from whom purchased.
...etc
Something about beard trimmers :D

After
-----
$ rm output.txt
rm: remove regular file 'output.txt'? y
$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1
$ cat output.txt
# More beards..
6. MAINTENANCE AND ADJUSTMENTS
6-1. GENERAL INFORMATION
Notes
1. Record the date of purchase, serial number and dealer from whom purchased.
2. For your own information, retain a written record of any maintenance performed on the unit.
Keywords: (none) => has_procedure
Whiteboard: (none) => mga6-64-ok
Thanks yet again Claire for the test; validating. Advisory from c4.

@Barry: Comment 4 makes reference to pkg 'mingw-leptonica' which is not in the updated packages list, nor the bug RPMs list. I doubt it matters.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
(In reply to Lewis Smith from comment #6)
> Comment 4 makes reference to pkg 'mingw-leptonica' which is not in the
> updated packages list, nor bug RPMs list. I doubt it matters.

Actually it does, at the very beginning of the comment. Make sure it is listed in the SVN advisory, otherwise it won't get pushed.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0175.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Please push mingw-leptonica.
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
mingw-leptonica-1.75.3.mga6 added to advisory.
mingw-leptonica moved
CC: (none) => tmb
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED