SB2018050721 - Fedora 28 update for leptonica

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018050721

SB2018050721 - Fedora 28 update for leptonica

Published: May 7, 2018 Updated: April 24, 2025

Security Bulletin ID SB2018050721
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Command injection (CVE-ID: CVE-2018-7440)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists in the gplotMakeOutput function due to insufficient validation of commands used in the gplot rootname argument. A remote attacker can execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

2) Command injection (CVE-ID: CVE-2018-3836)

The vulnerability allows a remote attacker to inject arbitrary commands.

The weakness exists in the gplotMakeOutput function due to insufficient validation of user-supplied input. A local attacker can submit a specially crafted gplot rootname argument, inject arbitrary commands and execute arbitrary code with system or root privileges.

Successful exploitation of the vulnerabiiity may result in system compromise.

3) Path traversal (CVE-ID: CVE-2018-7442)

The vulnerability allows a remote unauthenticated attacker to conduct path traversal attack on the target system.

The weakness exists in the gplotMakeOutput function due to insufficient validation of characters used in the gplot rootname argument. A remote attacker can trigger path traversal and gain access to potentially sensitive information.

Remediation

Install update from vendor's website.

References