http://bugzilla.opensuse.org/show_bug.cgi?id=1079358 Bug ID: 1079358 Summary: VUL-1: CVE-2018-3836 leptonica: gplotMakeOutput command injection Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: Other URL: https://smash.suse.de/issue/199482/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: lazy.kent@opensuse.org Reporter: kbabioch@suse.com QA Contact: security-team@suse.de Found By: Security Response Team Blocker: --- rh#1542005 An exploitable command injection vulnerability exists in the gplotMakeOutput function of Leptonica 1.74.4. A specially crafted gplot rootname argument can cause a command injection resulting in arbitrary code execution. An attacker can provide a malicious path as input to an application that passes attacker data to this function to trigger this vulnerability. External References: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516 References: https://bugzilla.redhat.com/show_bug.cgi?id=1542005 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3836 -- You are receiving this mail because: You are on the CC list for the bug.