Leptonica 1.74.4 constructs unintended pathnames (containing duplicated path components) when operating on files in /tmp subdirectories, which might allow local users to bypass intended file restrictions by leveraging access to a directory located deeper within the /tmp directory tree, as demonstrated by /tmp/ANY/PATH/ANY/PATH/input.tif.
Leptonica 1.74.4 construye nombres de ruta no planeados (que contienen componentes de ruta duplicados) al operar en archivos en subdirectorios /tmp. Esto podría permitir que usuarios locales omitan las restricciones de archivo planeadas aprovechando el acceso a un directorio situado en el árbol de directorio /tmp, tal y como demuestra /tmp/ANY/PATH/ANY/PATH/input.tif.
Several vulnerabilities have been found in Leptonice, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.81.0 are affected.
