An exploitable command injection vulnerability exists in the gplotMakeOutput function of Leptonica 1.74.4. A specially crafted gplot rootname argument can cause a command injection resulting in arbitrary code execution. An attacker can provide a malicious path as input to an application that passes attacker data to this function to trigger this vulnerability. External References: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
Created leptonica tracking bugs for this issue: Affects: epel-all [bug 1542007] Affects: fedora-all [bug 1542008] Created mingw-leptonica tracking bugs for this issue: Affects: fedora-all [bug 1542009]