CVE-2020-36279

7.5 HIGH

📋 TL;DR

This CVE describes a heap-based buffer over-read vulnerability in the Leptonica image processing library, in versions before 1.80.0. The flaw in the rasteropGeneralLow function allows attackers to read memory beyond allocated buffers, potentially exposing sensitive information. Any application using a vulnerable Leptonica version for image processing is affected.

💻 Affected Systems

Products:
  • Leptonica
  • Applications using Leptonica library (e.g., Tesseract OCR, various image processing tools)
Versions: All versions before 1.80.0
Operating Systems: Linux, Windows, macOS, BSD - any OS running Leptonica
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing specific image formats through affected functions in adaptmap_reg.c and adaptmap.c.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure leading to memory content leakage, potentially exposing sensitive data like passwords, keys, or application memory structures.

🟠 Likely Case

Application crash (denial of service) when processing maliciously crafted images, potentially causing service disruption.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, though memory corruption risks remain.

🌐 Internet-Facing: MEDIUM - Applications accepting user-uploaded images could be exploited remotely, but requires specific image processing workflows.
🏢 Internal Only: LOW - Typically requires local access or specific image processing operations to trigger.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept exists in OSS-Fuzz issue #22512. Exploitation requires crafting malicious images that trigger the buffer over-read.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.80.0

Vendor Advisory: https://github.com/DanBloomberg/leptonica/commit/3c18c43b6a3f753f0dfff99610d46ad46b8bfac4

Restart Required: Yes

Instructions:

1. Update Leptonica to version 1.80.0 or later.
2. Recompile any applications using Leptonica.
3. Restart affected services.
4. For packaged distributions, use the system package manager: 'apt update && apt install --only-upgrade liblept5 libleptonica-dev' (Debian/Ubuntu) or 'yum update leptonica' (RHEL/CentOS).

🔧 Temporary Workarounds

Input Validation and Sanitization (all platforms)

Implement strict validation of image inputs before processing with Leptonica functions.

Sandbox Image Processing (Linux)

Run Leptonica-based image processing in isolated containers or sandboxes with limited permissions:

docker run --read-only --cap-drop=ALL -v /tmp:/tmp:ro your-image-processor

🧯 If You Can't Patch

  • Implement network-level restrictions to limit image uploads to trusted sources only
  • Deploy application-level monitoring for crashes in image processing components

🔍 How to Verify

Check if Vulnerable:

Check the Leptonica version with 'pkg-config --modversion lept' (the library's pkg-config module is named lept), or inspect the installed library files; any version below 1.80.0 is vulnerable.

Check Version:

pkg-config --modversion lept || grep -E 'LIBLEPT_(MAJOR|MINOR|PATCH)_VERSION' /usr/include/leptonica/allheaders.h

Verify Fix Applied:

Confirm the version is 1.80.0 or later: 'pkg-config --modversion lept' should return 1.80.0 or higher.
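The version check above, as an added example (not code from Leptonica or from this advisory): a shell helper that compares a version numerically against 1.80.0, so that 1.8.0 and 1.100.0 are classified correctly, and that can read the version from the LIBLEPT_*_VERSION macros in allheaders.h. The function names and the sample header excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Leptonica version against the fix in 1.80.0.
FIXED_VERSION="1.80.0"

# Return 0 if $1 >= $2, comparing dotted fields as numbers (1.8.0 < 1.80.0 < 1.100.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0   # a missing field counts as 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print MAJOR.MINOR.PATCH from the LIBLEPT_*_VERSION macros (file argument or stdin).
lept_version_from_header() {
    awk '$1 == "#define" && $2 == "LIBLEPT_MAJOR_VERSION" { maj = $3 }
         $1 == "#define" && $2 == "LIBLEPT_MINOR_VERSION" { min = $3 }
         $1 == "#define" && $2 == "LIBLEPT_PATCH_VERSION" { pat = $3 }
         END { if (maj == "" || min == "") exit 1
               print maj "." min "." (pat == "" ? 0 : pat) }' "$@"
}

# Print "patched", "vulnerable" or "unknown"; return 2 when the input is not a version.
lept_status() {
    case "$1" in
        ''|*[!0-9.]*) echo "unknown"; return 2 ;;
    esac
    if version_ge "$1" "$FIXED_VERSION"; then echo "patched"; else echo "vulnerable"; fi
}

# Constructed sample: header excerpt as a pre-fix installation would ship it.
sample_header() {
    printf '%s\n' '#define LIBLEPT_MAJOR_VERSION   1' \
                  '#define LIBLEPT_MINOR_VERSION   79' \
                  '#define LIBLEPT_PATCH_VERSION   0'
}

ver=$(sample_header | lept_version_from_header)
echo "header reports $ver: $(lept_status "$ver")"
```

On a real host, call lept_status "$(lept_version_from_header /usr/include/leptonica/allheaders.h)". The header and pkg-config describe the installed development package; a binary that bundles or statically links Leptonica has to be checked separately.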

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during image processing
  • Memory access violation errors
  • Segmentation faults in Leptonica-related processes

Network Indicators:

  • Unusual image upload patterns
  • Multiple failed image processing requests

SIEM Query:

process_name:"your-app" AND (event_type:crash OR error_message:"segmentation fault" OR error_message:"buffer over-read")
