Bug 20573

Summary: potrace new security issue CVE-2017-7263
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED DUPLICATE QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, mhrambo3501
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO
Source RPM: potrace-1.14-1.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-03-26 16:59:00 CEST 
A CVE has been assigned for a security issue fixed in potrace 1.15:
http://openwall.com/lists/oss-security/2017/03/03/1

The commit that fixed it is linked from:
https://blogs.gentoo.org/ago/2017/03/03/potrace-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c-incomplete-fix-for-cve-2016-8698/
David Walser 2017-03-26 17:00:59 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-03-27 08:30:11 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2017-04-01 20:19:13 CEST 
The patch linked above is identical to the patch for CVE-2016-8698 that is already in both cauldron and mga5. Moveover, I don't see any sign of 1.15 on either the author's website or his sourceforge location. I don't see anything to do unless we want/need to rename the patch to account for the new CVE number for some reason.

CC: (none) => mrambo

Comment 3 David Walser 2017-04-01 20:30:14 CEST 
Thanks.

*** This bug has been marked as a duplicate of bug 19604 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE