Published: 23 February 2018

Leptonica 1.74.4 constructs unintended pathnames (containing duplicated path components) when operating on files in /tmp subdirectories, which might allow local users to bypass intended file restrictions by leveraging access to a directory located deeper within the /tmp directory tree, as demonstrated by /tmp/ANY/PATH/ANY/PATH/input.tif.

From the Ubuntu security team

It was discovered that Leptonica incorrectly handled path names. An attacker could possibly use this issue to obtain sensitive information.



CVSS 3 base score: 3.3


Package Release Status
artful Ignored (reached end-of-life)
bionic Not vulnerable
cosmic Not vulnerable
disco Not vulnerable
eoan Not vulnerable
focal Not vulnerable
groovy Not vulnerable
hirsute Not vulnerable
impish Not vulnerable
jammy Not vulnerable
precise Does not exist

trusty Not vulnerable (code not present)
Released (1.74.4-2)
xenial Ignored (end of standard support, was needed)