CVEs have been assigned for several security issues in potrace:
http://openwall.com/lists/oss-security/2016/10/16/9
http://openwall.com/lists/oss-security/2016/10/16/10
http://openwall.com/lists/oss-security/2016/10/16/12
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => cazzaniga.sandro, geiger.david68210, mageia, marja11, thierry.vignaud
Assignee: bugsquad => pkg-bugs
Debian-LTS has issued an advisory on October 26:
http://lwn.net/Alerts/704665/
It fixes some of the issues.
URL: (none) => http://lwn.net/Vulnerabilities/704700/
According to the Gentoo blog links found in http://openwall.com/lists/oss-security/2016/10/16/12, CVE-2016-869[4-9] and CVE-2016-870[0-3] are already fixed by version 1.13. I have added an upstream patch for CVE-2016-8685 in Cauldron and Mageia 5 (but only pushed a build for Cauldron). Only CVE-2016-8686 remains unsolved so far.
CC: (none) => nicolas.salguero
Indeed, a link to the CVE-2016-8685 patch (which is also fixed in 1.14):
http://openwall.com/lists/oss-security/2017/02/27/1
According to their website:
http://potrace.sourceforge.net/
CVE-2016-8686 is also fixed in 1.14.
Version 1.14 is committed to SVN. I pushed a build for Mga5 updates_testing and asked for a freeze push.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The findnext function in decompose.c in potrace 1.13 allows remote attackers to cause a denial of service (invalid memory access and crash) via a crafted BMP image. (CVE-2016-8685)

The bm_new function in bitmap.h in potrace 1.13 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. (CVE-2016-8686)

References:
http://openwall.com/lists/oss-security/2016/10/16/9
http://openwall.com/lists/oss-security/2016/10/16/10
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8686
========================

Updated packages in core/updates_testing:
========================
potrace-1.14-1.mga5
lib(64)potrace0-1.14-1.mga5
lib(64)potrace-devel-1.14-1.mga5

from SRPMS:
potrace-1.14-1.mga5.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
According to http://openwall.com/lists/oss-security/2017/03/03/1, CVE-2016-8698 was not really fixed.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The findnext function in decompose.c in potrace 1.13 allows remote attackers to cause a denial of service (invalid memory access and crash) via a crafted BMP image. (CVE-2016-8685)

The bm_new function in bitmap.h in potrace 1.13 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. (CVE-2016-8686)

Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to have unspecified impact via a crafted BMP image. (CVE-2016-8698)

References:
http://openwall.com/lists/oss-security/2016/10/16/9
http://openwall.com/lists/oss-security/2016/10/16/10
http://openwall.com/lists/oss-security/2017/03/03/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8686
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8698
========================

Updated packages in core/updates_testing:
========================
potrace-1.14-1.1.mga5
lib(64)potrace0-1.14-1.1.mga5
lib(64)potrace-devel-1.14-1.1.mga5

from SRPMS:
potrace-1.14-1.1.mga5.src.rpm
$ potrace --help
potrace 1.14. Transforms bitmaps into vector graphics.

$ potrace bitmap.bmp
[brian@localhost Documents]$ ls -ltr
total 2544
-rw-rw-r-- 1 brian brian 8885 Mar 4 20:46 bitmap.bmp.odg
-rw-rw-r-- 1 brian brian 2585142 Mar 4 20:47 bitmap.bmp
-rw-r--r-- 1 brian brian 2525 Mar 4 20:49 bitmap.eps

eps file was created. I verified it in fact converted the bmp to a vector graphic.
CC: (none) => brtians1
Whiteboard: (none) => mga5-32-ok
The following 2 packages are going to be installed:

- lib64potrace0-1.14-1.1.mga5.x86_64
- potrace-1.14-1.1.mga5.x86_64

246KB of additional disk space will be used.
116KB of packages will be retrieved.
Is it ok to continue?

$ potrace --version
potrace 1.14. Copyright (C) 2001-2017 Peter Selinger.
Library version: potracelib 1.14
Default unit: inches
Default page size: letter

$ ls
bitmap2.bmp
$ potrace bitmap2.bmp
[brian@localhost Documents]$ ls
bitmap2.bmp bitmap2.eps

The vector is created and is viewable.
Whiteboard: mga5-32-ok => mga5-32-ok mga5-64-ok
Advisory added to svn. Validating
Keywords: (none) => validated_update
Whiteboard: mga5-32-ok mga5-64-ok => mga5-32-ok mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0073.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
The incomplete fix for CVE-2016-8698 addressed by Nicolas in Comment 7 was assigned CVE-2017-7263:
http://openwall.com/lists/oss-security/2017/03/26/2
Summary: potrace new security issues CVE-2016-868[56], CVE-2016-869[4-9], and CVE-2016-870[0-3] => potrace new security issues CVE-2016-868[56], CVE-2016-869[4-9], CVE-2016-870[0-3], and CVE-2017-7263
*** Bug 20573 has been marked as a duplicate of this bug. ***