SB2018121918 - Fedora 29 update for leptonica, mingw-leptonica
Published: December 19, 2018 Updated: April 24, 2025
Security Bulletin ID
SB2018121918
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2018-7442)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote unauthenticated attacker to conduct path traversal attack on the target system.
The weakness exists in the gplotMakeOutput function due to insufficient validation of characters used in the gplot rootname argument. A remote attacker can trigger path traversal and gain access to potentially sensitive information.
2) Race condition (CVE-ID: CVE-2018-7441)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to overwrite arbitrary files on the target system.
The weakness exists due to hardcoded /tmp pathnames. A local attacker can create a file in advance, trigger race condition and overwrite arbitrary files.
Remediation
Install update from vendor's website.