Candidate: CVE-2018-3836
PublicDate: 2018-04-24 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3836
 https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
Description:
 An exploitable command injection vulnerability exists in the
 gplotMakeOutput function of Leptonica 1.74.4. A specially crafted gplot
 rootname argument can cause a command injection resulting in arbitrary code
 execution. An attacker can provide a malicious path as input to an
 application that passes attacker data to this function to trigger this
 vulnerability.
Ubuntu-Description:
 It was discovered that Leptonica incorrectly handled certain input arguments.
 An attacker could possibly use this issue to execute arbitrary commands.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_leptonlib:
upstream_leptonlib: needs-triage
precise/esm_leptonlib: DNE
trusty_leptonlib: ignored (out of standard support)
trusty/esm_leptonlib: needed
xenial_leptonlib: ignored (end of standard support, was needed)
artful_leptonlib: ignored (reached end-of-life)
bionic_leptonlib: not-affected (1.75.3-2)
cosmic_leptonlib: not-affected (1.75.3-2)
disco_leptonlib: not-affected (1.75.3-2)
eoan_leptonlib: not-affected (1.75.3-2)
focal_leptonlib: not-affected (1.75.3-2)
groovy_leptonlib: not-affected (1.75.3-2)
hirsute_leptonlib: not-affected (1.75.3-2)
impish_leptonlib: not-affected (1.75.3-2)
jammy_leptonlib: not-affected (1.75.3-2)
devel_leptonlib: not-affected (1.75.3-2)