| Summary: | potrace new security issues CVE-2016-868[56], CVE-2016-869[4-9], CVE-2016-870[0-3], and CVE-2017-7263 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, cazzaniga.sandro, davidwhodgins, geiger.david68210, mageia, marja11, nicolas.salguero, sysadmin-bugs, thierry.vignaud |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/704700/ | ||
| Whiteboard: | mga5-32-ok mga5-64-ok advisory | ||
| Source RPM: | potrace-1.13-1.mga6.src.rpm | CVE: | |
| Status comment: | |||

Description
David Walser
2016-10-16 22:40:37 CEST

David Walser
2016-10-16 22:40:45 CEST
Whiteboard: (none) => MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => cazzaniga.sandro, geiger.david68210, mageia, marja11, thierry.vignaud

Debian-LTS has issued an advisory on October 26:
http://lwn.net/Alerts/704665/

It fixes some of the issues.
URL: (none) => http://lwn.net/Vulnerabilities/704700/

According to the Gentoo blog links found in http://openwall.com/lists/oss-security/2016/10/16/12, CVE-2016-869[4-9] and CVE-2016-870[0-3] are already fixed by version 1.13.

I have added an upstream patch for CVE-2016-8685 in Cauldron and Mageia 5 (but only pushed a build for Cauldron).

Only CVE-2016-8686 remains unsolved so far.
CC: (none) => nicolas.salguero

Indeed, a link to the CVE-2016-8685 patch (which is also fixed in 1.14):
http://openwall.com/lists/oss-security/2017/02/27/1

According to their website:
http://potrace.sourceforge.net/
CVE-2016-8686 is also fixed in 1.14.

Version 1.14 is committed to SVN. I pushed a build for Mga5 updates_testing and asked for a freeze push.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The findnext function in decompose.c in potrace 1.13 allows remote attackers to cause a denial of service (invalid memory access and crash) via a crafted BMP image. (CVE-2016-8685)

The bm_new function in bitmap.h in potrace 1.13 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. (CVE-2016-8686)

References:
http://openwall.com/lists/oss-security/2016/10/16/9
http://openwall.com/lists/oss-security/2016/10/16/10
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8686
========================

Updated packages in core/updates_testing:
========================
potrace-1.14-1.mga5
lib(64)potrace0-1.14-1.mga5
lib(64)potrace-devel-1.14-1.mga5

from SRPMS:
potrace-1.14-1.mga5.src.rpm

Status: NEW => ASSIGNED

According to http://openwall.com/lists/oss-security/2017/03/03/1, CVE-2016-8698 was not really fixed.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The findnext function in decompose.c in potrace 1.13 allows remote attackers to cause a denial of service (invalid memory access and crash) via a crafted BMP image. (CVE-2016-8685)

The bm_new function in bitmap.h in potrace 1.13 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. (CVE-2016-8686)

Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to have unspecified impact via a crafted BMP image. (CVE-2016-8698)

References:
http://openwall.com/lists/oss-security/2016/10/16/9
http://openwall.com/lists/oss-security/2016/10/16/10
http://openwall.com/lists/oss-security/2017/03/03/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8686
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8698
========================

Updated packages in core/updates_testing:
========================
potrace-1.14-1.1.mga5
lib(64)potrace0-1.14-1.1.mga5
lib(64)potrace-devel-1.14-1.1.mga5

from SRPMS:
potrace-1.14-1.1.mga5.src.rpm

    $ potrace --help
    potrace 1.14. Transforms bitmaps into vector graphics.

    $ potrace bitmap.bmp
    [brian@localhost Documents]$ ls -ltr
    total 2544
    -rw-rw-r-- 1 brian brian    8885 Mar  4 20:46 bitmap.bmp.odg
    -rw-rw-r-- 1 brian brian 2585142 Mar  4 20:47 bitmap.bmp
    -rw-r--r-- 1 brian brian    2525 Mar  4 20:49 bitmap.eps

eps file was created. I verified it in fact converted the bmp to a vector graphic.
CC: (none) => brtians1

    The following 2 packages are going to be installed:

    - lib64potrace0-1.14-1.1.mga5.x86_64
    - potrace-1.14-1.1.mga5.x86_64

    246KB of additional disk space will be used.

    116KB of packages will be retrieved.

    Is it ok to continue?

    $ potrace --version
    potrace 1.14. Copyright (C) 2001-2017 Peter Selinger.
    Library version: potracelib 1.14
    Default unit: inches
    Default page size: letter

    $ ls
    bitmap2.bmp
    $ potrace bitmap2.bmp
    [brian@localhost Documents]$ ls
    bitmap2.bmp  bitmap2.eps

the vector is created and is viewable.
Whiteboard: mga5-32-ok => mga5-32-ok mga5-64-ok

Advisory added to svn. Validating
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0073.html
Status: ASSIGNED => RESOLVED

The incomplete fix for CVE-2016-8698 addressed by Nicolas in Comment 7 was assigned CVE-2017-7263:
http://openwall.com/lists/oss-security/2017/03/26/2
Summary: potrace new security issues CVE-2016-868[56], CVE-2016-869[4-9], and CVE-2016-870[0-3] => potrace new security issues CVE-2016-868[56], CVE-2016-869[4-9], CVE-2016-870[0-3], and CVE-2017-7263

*** Bug 20573 has been marked as a duplicate of this bug. ***