An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput function allows command injection through shell command substitution, i.e. the $(command) syntax, in the gplot rootname argument. This issue exists because the fix for CVE-2018-3836 was incomplete.
{ "binaries": [ { "binary_name": "leptonica-progs", "binary_version": "1.75.3-3" }, { "binary_name": "leptonica-progs-dbgsym", "binary_version": "1.75.3-3" }, { "binary_name": "liblept5", "binary_version": "1.75.3-3" }, { "binary_name": "liblept5-dbgsym", "binary_version": "1.75.3-3" }, { "binary_name": "libleptonica-dev", "binary_version": "1.75.3-3" } ], "ubuntu_priority": "medium", "availability": "No subscription required" }