Fedora has issued an advisory on May 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WQW5PHZGVNBQR4NN3HULQGVXLFM52EE4/

The issues are fixed upstream in 1.76.0.

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.76.0
leptonica-1.76.0 has been submitted to 6/updates_testing
also
leptonica-mingw-1.76.0 has been submitted to 6/updates_testing

Update Advisory
#####################################
This update fixes a security issue (potential injection attack using gplot rootdir) originally reported in CVE-2018-3836. This fix was incomplete and again reported in CVE-2018-7440 and CVE-2018-7442. The improved fix is included in leptonica-1.76.0.

References
https://bugzilla.redhat.com/show_bug.cgi?id=1549735
https://bugzilla.redhat.com/show_bug.cgi?id=1549729
https://bugs.mageia.org/show_bug.cgi?id=22591
https://bugs.mageia.org/show_bug.cgi?id=23130

RPMS Affected
####################################
lib64leptonica5-1.76.0-1.mga6.x86_64.rpm
lib64leptonica-devel-1.76.0-1.mga6.x86_64.rpm
leptonica-debuginfo-1.76.0-1.mga6.x86_64.rpm

libleptonica5-1.76.0-1.mga6.i586.rpm
libleptonica-devel-1.76.0-1.mga6.i586.rpm
leptonica-debuginfo-1.76.0-1.mga6.i586.rpm

From leptonica-1.76.0-1.mga7.src.rpm

Testing
####################################
Install tesseract which will pull in the current leptonica.
Create a folder called ocrtest and download https://bugs.mageia.org/attachment.cgi?id=10001 into it and extract the file (test.tiff).

cd ocrtest
tesseract test.tiff output

Check that output.txt is correct and delete it.
Update lib(64)leptonica5 from updates_testing and repeat the above.

Regarding mingw-leptonica, simply check that it installs.
Assignee: zen25000 => qa-bugs
Whiteboard: MGA6TOO => (none)
CC: (none) => zen25000
Version: Cauldron => 6
Mageia 6, x86_64

$ urpmq --fuzzy -r leptonica
lib64leptonica-devel-1.75.3-1.mga6
lib64leptonica5-1.75.3-1.mga6
libleptonica-devel-1.75.3-1.mga6
libleptonica5-1.75.3-1.mga6
mingw32-leptonica-1.75.3-1.mga6
mingw32-leptonica-static-1.75.3-1.mga6
mingw64-leptonica-1.75.3-1.mga6
mingw64-leptonica-static-1.75.3-1.mga6

$ unxz test.tiff.xz
$ display test.tiff &
$ tesseract test.tiff output
Tesseract Open Source OCR Engine v3.04.01 with Leptonica
Page 1

Checked output.txt against the image displayed. All correct.

Updated leptonica (without debug testing repositories enabled) and ran the test again.

$ rpm -qa | grep leptonica
lib64leptonica5-1.76.0-1.mga6
lib64leptonica-devel-1.76.0-1.mga6

The output text was correct.

$ diff output.txt before.txt
$

Installed mingw64-leptonica (18 packages) then updated it from testing.
Clean install of mingw64-leptonica-1.76.0-1.mga6.noarch.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Validating
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisoried
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0279.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED