976e08ad2c
1.77.0: Here is the current status of CVE issues with leptonica; see
https://security-tracker.debian.org/tracker/source-package/leptonlib

* CVE-2018-7442: potential injection attack because '/' is allowed in gplot rootdir. Functions using this command have been disabled by default in the distribution, starting with 1.76.0. As for the specific issue, it is impossible to specify a general path without using the standard directory subdivider '/'.
* CVE-2018-7186: number of characters not limited in fscanf or sscanf, allowing possible attack with buffer overflow. This has been fixed in 1.75.3.
* CVE-2018-3836: command injection vulnerability in gplotMakeOutput(). This has been fixed in 1.75.3, using stringCheckForChars() to block rootnames containing any of: ;&|>"?*$()/<
* CVE-2017-18196: duplicated path components. This was fixed in 1.75.3.
* CVE-2018-7441: hardcoded /tmp pathnames. These are all wrapped in special debug functions that are not enabled by default in the distribution, starting with 1.76.0.
* CVE-2018-7247: input 'rootname' can overflow a buffer. This was fixed in 1.76.0, using snprintf().
* CVE-2018-7440: command injection in gplotMakeOutput using $(command). Fixed in 1.75.3, which blocks '$' as well as 11 other characters.

Wrapped the few 'system' calls in an extra layer of debug code.
More coverity scan fixes; defects are about 1 per 10,000 source lines.
New regression tests: numa1_reg, numa2_reg, lowaccess_reg, pixmem_reg.
New non-regression test programs: histoduptest
Juergen Buchmueller is working on Lua bindings. He typedef'd l_ok and used it in 1100 functions that return a success/failure status. He also helped clean up remaining issues in the doxygen-generated documentation.
Using a packed struct for bmp headers to avoid crash on some big-endians.
Fixed a bug in the prototype parser for xtractprotos that was surfaced by a typedef declaration for the bmp headers.
Cleaned up IOS guards to avoid compiling a system(3) call on IOS.
Renamed autobuild --> autogen.sh
Added some basic pixa functions for rotation and translation.
Added an iterative method to find rectangular coverings for arbitrary connected components.
Converted two tests to reg tests running in alltests_reg: ptra1_reg, ptra2_reg
Enabled read/write for standard jpeg compressed tiff images.
Enabled reading for the old (deprecated) jpeg-encoded tiffs.
Fix range selectors for pixa, pixaa, boxa, boxaa, pta: Now, last = -1 goes to the end.
When reading tiff --> pix, insert IMAGEDESCRIPTION into text field.
Converted iotest to reg test iomisc_reg; added to alltests_reg
Converted rasterop_reg into a standard regression test; added to alltests_reg.
Converted boxa2_reg and fhmtauto_reg into standard regression tests; added to alltests_reg.
Split boxa sequence functions out of boxfunc4.c, into a new boxfunc5.c.
Simplified bmp header and made reading more clearly endian agnostic (Juergen Buchmueller)
New boxa3_reg regression test. This tests sequences of boxes by two new boxfunctions in boxfunc5.c.
New bootnumgen4.c for more digit templates.
Rename prog/recog_bootnum.c --> prog/recog_bootname1.c
New in prog: recog_bootnum2.c, recog_bootnum3.c, recogtest7.c
Fixed uninitialized data in pixCentroid() on 1 bpp pix.
New reg test: bytea_reg.c. (removed byteatest.c)
Fixed bug in non-transcoding pdf generation from 1 bpp png.
Added LGTM to static analyzers that run over the library.
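As an added illustration, not leptonica's own code, here is a C check in the spirit of the 1.75.3 and 1.76.0 fixes listed above: the blocked-character list from the CVE-2018-3836 entry applied to a gplot rootname, and a bounded snprintf() build of the output name so an over-long rootname (the CVE-2018-7247 class) is refused instead of truncated or overflowing a fixed buffer. Function names and buffer sizes are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Characters that the commit message says stringCheckForChars() blocks in
 * gplot rootnames as of 1.75.3. The list is taken from the message above. */
static const char *kBlockedRootnameChars = ";&|>\"?*$()/<";

/* Returns 1 if rootname is non-empty and contains none of the blocked
 * characters, 0 otherwise. Illustrative reimplementation, not leptonica's. */
int rootname_is_clean(const char *rootname)
{
    if (rootname == NULL || *rootname == '\0')
        return 0;
    return strpbrk(rootname, kBlockedRootnameChars) == NULL ? 1 : 0;
}

/* Writes "<rootname>.<ext>" into a caller-supplied buffer of outsize bytes.
 * Uses snprintf() so the write is bounded, and treats truncation as an
 * error rather than silently shipping a shortened name.
 * Returns 1 on success; 0 (with an empty buffer) if the rootname is
 * unclean or the result does not fit. */
int build_output_name(char *out, size_t outsize,
                      const char *rootname, const char *ext)
{
    if (out == NULL || outsize == 0)
        return 0;
    out[0] = '\0';
    if (!rootname_is_clean(rootname) || ext == NULL)
        return 0;
    int n = snprintf(out, outsize, "%s.%s", rootname, ext);
    if (n < 0 || (size_t)n >= outsize) {
        out[0] = '\0';          /* would have been truncated: refuse it */
        return 0;
    }
    return 1;
}
```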
Files: buildlink3.mk, DESCR, distinfo, Makefile, PLIST