SB2018050721 - Fedora 28 update for leptonica

Description

This security bulletin contains information about 3 vulnerabilities.

1) Command injection (CVE-ID: CVE-2018-7440)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists in the gplotMakeOutput function due to insufficient validation of commands used in the gplot rootname argument. A remote attacker can execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

2) Command injection (CVE-ID: CVE-2018-3836)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to inject arbitrary commands.

The weakness exists in the gplotMakeOutput function due to insufficient validation of user-supplied input. A local attacker can submit a specially crafted gplot rootname argument, inject arbitrary commands and execute arbitrary code with system or root privileges.

Successful exploitation of the vulnerabiiity may result in system compromise.

3) Path traversal (CVE-ID: CVE-2018-7442)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote unauthenticated attacker to conduct path traversal attack on the target system.

The weakness exists in the gplotMakeOutput function due to insufficient validation of characters used in the gplot rootname argument. A remote attacker can trigger path traversal and gain access to potentially sensitive information.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2018-c6e8b5f529