Description: CVE-2018-7440
 An issue was discovered in Leptonica through 1.75.3. The
 gplotMakeOutput function allows command injection via a $(command)
 approach in the gplot rootname argument. This issue exists because of
 an incomplete fix for CVE-2018-3836.

---
Origin: upstream https://github.com/DanBloomberg/leptonica/pull/313/commits/49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b
Bug: unknown
Bug-Debian: https://bugs.debian.org/891932
Reviewed-By: Jeff Breidenbach <jab@debian.org>, Dan Bloomberg
Last-Update: 2018-03-02

--- leptonlib-1.75.3.orig/src/gplot.c
+++ leptonlib-1.75.3/src/gplot.c
@@ -153,7 +153,7 @@ GPLOT   *gplot;
     if (outformat != GPLOT_PNG && outformat != GPLOT_PS &&
         outformat != GPLOT_EPS && outformat != GPLOT_LATEX)
         return (GPLOT *)ERROR_PTR("outformat invalid", procName, NULL);
-    stringCheckForChars(rootname, "`;&|><\"?*", &badchar);
+    stringCheckForChars(rootname, "`;&|><\"?*$()", &badchar);
     if (badchar)  /* danger of command injection */
         return (GPLOT *)ERROR_PTR("invalid rootname", procName, NULL);
 
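Review bot: the change at `stringCheckForChars(rootname, "`;&|><\"?*$()", &badchar);` still relies on a denylist of shell metacharacters, and the header itself records that this is the second round because the CVE-2018-3836 denylist was incomplete; consider replacing the denylist with an allowlist so `rootname` is accepted only when every byte is in a fixed safe set (for example alphanumerics plus `_`, `-`, `.` and `/`), which is both easier to audit and does not need revisiting each time another interpreted character is found. If the denylist is kept, a short comment next to the string naming which shell constructs each character closes off (backtick substitution, `$()` substitution, pipes and redirection, separators, globbing) would help the next reviewer verify the list, and the Bug: unknown field should point at the upstream report or pull request 313 so the history of the two fixes is traceable from the patch.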
