Bug 31266 - leptonica new security issue CVE-2022-38266
Summary: leptonica new security issue CVE-2022-38266
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-12-12 16:33 CET by David Walser
Modified: 2022-12-17 19:49 CET
CC List: 5 users

See Also:
Source RPM: leptonica-1.80.0-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-12-12 16:33:12 CET
Debian-LTS has issued an advisory on December 8:
https://www.debian.org/lts/security/2022/dla-3233

The issue is fixed upstream in 1.81.0.
David Walser 2022-12-12 16:33:20 CET

Status comment: (none) => Fixed upstream in 1.81.0

Comment 1 Barry Jackson 2022-12-12 17:19:42 CET
Thanks David.
Comment 2 Barry Jackson 2022-12-12 19:55:18 CET
Packages:
leptonica-1.81.0
mingw-leptonica-1.81.0

have been submitted to 8/updates_testing

##########################
Advisory:

This update fixes a denial of service vulnerability in leptonlib.
It can be made to crash with an arithmetic exception on specially crafted JPEG files.
Reported in CVE-2022-38266.

##########################
References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38266
https://bugs.mageia.org/show_bug.cgi?id=31266
https://www.debian.org/lts/security/2022/dla-3233

##########################
Affected files:

lib64leptonica-devel-1.81.0-1.mga8.x86_64.rpm
lib64leptonica5-1.81.0-1.mga8.x86_64.rpm
lib64leptonica5-debuginfo-1.81.0-1.mga8.x86_64.rpm
leptonica-debugsource-1.81.0-1.mga8.x86_64.rpm

libleptonica-devel-1.81.0-1.mga8.i586.rpm
libleptonica5-1.81.0-1.mga8.i586.rpm
libleptonica5-debuginfo-1.81.0-1.mga8.i586.rpm
leptonica-debugsource-1.81.0-1.mga8.i586.rpm

mingw32-leptonica-debuginfo-1.81.0-1.mga8.noarch.rpm
mingw64-leptonica-debuginfo-1.81.0-1.mga8.noarch.rpm
mingw32-leptonica-static-1.81.0-1.mga8.noarch.rpm
mingw32-leptonica-1.81.0-1.mga8.noarch.rpm
mingw64-leptonica-1.81.0-1.mga8.noarch.rpm
mingw64-leptonica-static-1.81.0-1.mga8.noarch.rpm

From:
leptonica-1.81.0-1.mga8.src.rpm
mingw-leptonica-1.81.0-1.mga8.src.rpm

Assignee: zen25000 => qa-bugs
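As an added example (not part of this bug report or of the Mageia packaging), here is a small Python check a sysadmin could run over `rpm -qa` output to flag leptonica packages still older than the fixed 1.81.0-1.mga8 build named in the advisory. The `rpm_vercmp` function is a simplified reimplementation of RPM's version comparison rules (numeric segments compared numerically, alphabetic segments lexically, digits ranking above letters, `~` marking a pre-release) and the sample package list is constructed for this example, not taken from a real system.

```python
import re

# Constructed sample of `rpm -qa` output for this example: two still-vulnerable
# 1.80.0 builds, two fixed 1.81.0 builds from the advisory, and an unrelated package.
SAMPLE_RPM_QA = """\
lib64leptonica5-1.80.0-1.mga8.x86_64
lib64leptonica-devel-1.80.0-1.mga8.x86_64
libleptonica5-1.81.0-1.mga8.i586
mingw64-leptonica-1.81.0-1.mga8.noarch
tesseract-4.1.1-2.mga8.x86_64
"""

# Version and release of the build that carries the CVE-2022-38266 fix (from the advisory).
FIXED_VR = ("1.81.0", "1.mga8")

# Tokenizer: runs of digits, runs of letters, and the '~' pre-release marker.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp. Returns -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":          # '~' sorts before anything else (pre-release)
            return -1
        if y == "~":
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:         # numeric segments: compare as integers
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:        # a numeric segment ranks above an alphabetic one
            return 1 if xd else -1
        else:                 # alphabetic segments: plain string order
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":        # leftover '~' means the longer string is a pre-release
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_nvra(pkg: str):
    """Split 'name-version-release.arch' as printed by `rpm -qa`."""
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def vulnerable_packages(rpm_qa_text: str, fixed_vr=FIXED_VR,
                        name_pattern=re.compile(r"leptonica")) -> list:
    """Return the package lines whose version-release is older than fixed_vr."""
    flagged = []
    for line in rpm_qa_text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release, _arch = parse_nvra(line)
        if not name_pattern.search(name):
            continue
        # Compare version first; only fall through to release when versions tie.
        cmp = rpm_vercmp(version, fixed_vr[0]) or rpm_vercmp(release, fixed_vr[1])
        if cmp < 0:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_RPM_QA):
        print("still vulnerable:", pkg)
```

On a live system the sample text would be replaced by the output of `rpm -qa` piped into the script; packages that print as "still vulnerable" have not yet received the 1.81.0-1.mga8 update.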

David Walser 2022-12-12 21:30:42 CET

CC: (none) => zen25000
Status comment: Fixed upstream in 1.81.0 => (none)

Comment 3 David Walser 2022-12-13 01:09:16 CET
mingw64-leptonica-1.81.0-1.mga8
mingw32-leptonica-1.81.0-1.mga8
mingw32-leptonica-static-1.81.0-1.mga8
mingw64-leptonica-static-1.81.0-1.mga8
libleptonica-devel-1.81.0-1.mga8
libleptonica5-1.81.0-1.mga8

from SRPMS:
leptonica-1.81.0-1.mga8.src.rpm
mingw-leptonica-1.81.0-1.mga8.src.rpm
Comment 4 Herman Viaene 2022-12-16 15:08:51 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues, just taking the 64-versions and omitting the debug packages.
Ref. bug 28994 Comment 4, using Len's test file
$ tesseract test.tiff test1 --psm 4
Tesseract Open Source OCR Engine v4.1.1 with Leptonica
Page 1
and getting the same result with the same remark on alignment
So OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2022-12-16 19:53:00 CET
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-12-17 18:25:34 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-12-17 19:49:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0472.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

