Candidate: CVE-2018-7440
PublicDate: 2018-02-23 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7440
 https://github.com/DanBloomberg/leptonica/issues/303#issuecomment-366472212
 https://github.com/DanBloomberg/leptonica/pull/313/commits/49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b
Description:
 An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput
 function allows command injection via a $(command) approach in the gplot
 rootname argument. This issue exists because of an incomplete fix for
 CVE-2018-3836.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_leptonlib:
upstream_leptonlib: needs-triage
precise/esm_leptonlib: DNE
trusty_leptonlib: ignored (out of standard support)
trusty/esm_leptonlib: needs-triage
xenial_leptonlib: ignored (end of standard support, was needs-triage)
artful_leptonlib: ignored (reached end-of-life)
bionic_leptonlib: released (1.75.3-3)
cosmic_leptonlib: not-affected (1.75.3-3)
disco_leptonlib: not-affected (1.75.3-3)
eoan_leptonlib: not-affected (1.75.3-3)
focal_leptonlib: not-affected (1.75.3-3)
groovy_leptonlib: not-affected (1.75.3-3)
hirsute_leptonlib: not-affected (1.75.3-3)
impish_leptonlib: not-affected (1.75.3-3)
jammy_leptonlib: not-affected (1.75.3-3)
devel_leptonlib: not-affected (1.75.3-3)