Bug 22742 - leptonica new security issues CVE-2018-7186 and CVE-2018-7247
Summary: leptonica new security issues CVE-2018-7186 and CVE-2018-7247
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-11 15:53 CET by David Walser
Modified: 2018-03-22 23:11 CET (History)
3 users (show)

See Also:
Source RPM: leptonica-1.75.2-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-03-11 15:53:31 CET
openSUSE has issued an advisory March 7:
https://lists.opensuse.org/opensuse-updates/2018-03/msg00009.html

The issues are fixed upstream in 1.75.3.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-11 15:53:46 CET

Status comment: (none) => Fixed upstream in 1.75.3
Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-03-13 23:19:23 CET
Fedora has issued an advisory for this today (March 13):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HQE5K6K6RVMZIFF2TRE5XE74PK53JVPN/

It also mentions CVE-2017-18196.
Comment 3 Barry Jackson 2018-03-15 22:57:19 CET
leptonica-1.75.3 has been submitted to 6/updates_testing
also
mingw-leptonica-1.75.3 has been submitted to 6/updates_testing.

For mingw-leptonica please just check that it installs as was done for
https://bugs.mageia.org/show_bug.cgi?id=22591

Update Advisory
#####################################

Package leptonica has been updated to the current stable version 1.75.3 which fixes:
CVE-2018-3836 - Added additional bad characters, to prevent command
injection by invoking it via $(command)

CVE-2018-7186 - multiple stack-based buffer overflows in
gplotRead() and ptaReadStream()

CVE-2018-7247 - a buffer overflow in in src/viewfiles.c with
unsanitized input (rootname)

RPMS Affected
####################################

lib64leptonica5-1.75.3-1.mga6.x86_64.rpm
lib64leptonica-devel-1.75.3-1.mga6.x86_64.rpm
leptonica-debuginfo-1.75.3-1.mga6.x86_64.rpm

lib64leptonica5-1.75.3-1.mga6.i586.rpm
lib64leptonica-devel-1.75.3-1.mga6.i586.rpm
leptonica-debuginfo-1.75.3-1.mga6.i586.rpm

From
leptonica-1.75.3-1.mga6.src.rpm

Testing
####################################

Install tesseract which will pull in the current leptonica lib.
Create a folder called ocrtest with test.tiff in it
A compressed test.tiff is attached to bug #22591.

cd ocrtest
tesseract test.tiff output

Check that output.txt is correct and delete it.

Update lib64leptonica5 from updates_testing and repeat the above.

Assignee: zen25000 => qa-bugs

Comment 4 Barry Jackson 2018-03-15 23:01:57 CET
Please remove previous it included one CVE that was fixed in last update.
This replaces it:

leptonica-1.75.3 has been submitted to 6/updates_testing
also
mingw-leptonica-1.75.3 has been submitted to 6/updates_testing.

For mingw-leptonica please just check that it installs as was done for
https://bugs.mageia.org/show_bug.cgi?id=22591

Update Advisory
#####################################

Package leptonica has been updated to the current stable version 1.75.3 which fixes:

CVE-2018-7186 - multiple stack-based buffer overflows in
gplotRead() and ptaReadStream()

CVE-2018-7247 - a buffer overflow in in src/viewfiles.c with
unsanitized input (rootname)

RPMS Affected
####################################

lib64leptonica5-1.75.3-1.mga6.x86_64.rpm
lib64leptonica-devel-1.75.3-1.mga6.x86_64.rpm
leptonica-debuginfo-1.75.3-1.mga6.x86_64.rpm

lib64leptonica5-1.75.3-1.mga6.i586.rpm
lib64leptonica-devel-1.75.3-1.mga6.i586.rpm
leptonica-debuginfo-1.75.3-1.mga6.i586.rpm

From
leptonica-1.75.3-1.mga6.src.rpm

Testing
####################################

Install tesseract which will pull in the current leptonica lib.
Create a folder called ocrtest with test.tiff in it
A compressed test.tiff is attached to bug #22591.

cd ocrtest
tesseract test.tiff output

Check that output.txt is correct and delete it.

Update lib64leptonica5 from updates_testing and repeat the above.

CC: (none) => zen25000

David Walser 2018-03-15 23:10:53 CET

Version: Cauldron => 6
Status comment: Fixed upstream in 1.75.3 => (none)
Whiteboard: MGA6TOO => (none)

Comment 5 claire robinson 2018-03-16 19:05:11 CET
Testing complete mga6 64

Downloaded test.tiff.xz from bug 22591. Extracted.
$ xz -d test.tiff.xz 

Before
------
$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1

$ cat output.txt
6. MAINTENANCE AND ADJUSTMENTS

 

6-1. GENERAL INFORMATION Notes

1. Record the date of purchase, serial number and
dealer from whom purchased.
...etc


Something about beard trimmers :D

After
-----
$ rm output.txt
rm: remove regular file 'output.txt'? y

$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1

$ cat output.txt # More beards..
6. MAINTENANCE AND ADJUSTMENTS

 

6-1. GENERAL INFORMATION Notes

1. Record the date of purchase, serial number and
dealer from whom purchased.

2. For your own information, retain a written record
of any maintenance performed on the unit.

Keywords: (none) => has_procedure
Whiteboard: (none) => mga6-64-ok

Comment 6 Lewis Smith 2018-03-17 21:24:36 CET
Thanks yet again Claire for the test; validating.
Advisory from c4.

@Barry
Comment 4 makes reference to pkg 'mingw-leptonica' which is not in the updated packages list, nor bug RPMs list. I doubt it matters.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 David Walser 2018-03-17 22:47:13 CET
(In reply to Lewis Smith from comment #6)
> Comment 4 makes reference to pkg 'mingw-leptonica' which is not in the
> updated packages list, nor bug RPMs list. I doubt it matters.

Actually it does at the very beginning of the comment.  Make sure it is listed in the SVN advisory, otherwise it won't get pushed.
Comment 8 Mageia Robot 2018-03-19 13:14:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0175.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2018-03-19 13:47:01 CET
Please push mingw-leptonica.

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 10 claire robinson 2018-03-19 17:17:15 CET
mingw-leptonica-1.75.3.mga6 added to advisory.
Comment 11 Thomas Backlund 2018-03-22 23:11:41 CET
mingw-leptonica moved

CC: (none) => tmb
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.