Bug 21515 - potrace new security issue CVE-2017-12067
Summary: potrace new security issue CVE-2017-12067
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK advisory MGA6-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-08-13 15:59 CEST by David Walser
Modified: 2017-08-19 11:23 CEST

See Also:
Source RPM: potrace-1.14-1.1.mga5.src.rpm
CVE: CVE-2017-12067

Description David Walser 2017-08-13 15:59:32 CEST
Fedora has issued an advisory on August 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PG4MCYIFDHYLJGKJFKDL3GEYN52V5EOM/

Mageia 5 and Mageia 6 are also affected.

David Walser 2017-08-13 15:59:43 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Nicolas Lécureuil 2017-08-13 17:20:41 CEST
New version pushed on updates_testing:

src.rpm:
        potrace-1.15-1.mga6
        potrace-1.15-1.mga5

Advisory taken from Fedora:

This release consists of bugfixes and minor portability improvements. Some
potential buffer overflows and arithmetic overflows were fixed, including
CVE-2017-12067. A bug triggered by very large bitmaps has been fixed.

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CVE: (none) => CVE-2017-12067
Assignee: nicolas.salguero => qa-bugs
CC: (none) => mageia
Version: Cauldron => 6

Comment 2 David Walser 2017-08-13 19:41:21 CEST
Advisory:
========================

Updated potrace packages fix security vulnerability:

Potrace 1.14 has a heap-based buffer over-read in the interpolate_cubic
function in mkbitmap.c (CVE-2017-12067).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12067
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PG4MCYIFDHYLJGKJFKDL3GEYN52V5EOM/
========================

Updated packages in core/updates_testing:
========================
potrace-1.15-1.mga5
libpotrace0-1.15-1.mga5
libpotrace-devel-1.15-1.mga5
potrace-1.15-1.mga6
libpotrace0-1.15-1.mga6
libpotrace-devel-1.15-1.mga6

from SRPMS:
potrace-1.15-1.mga5.src.rpm
potrace-1.15-1.mga6.src.rpm

Comment 3 PC LX 2017-08-13 19:54:38 CEST
Installed and tested without issue. Tested on several images, some with over 60 MPixels.

$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep potrace
lib64potrace0-1.15-1.mga5
potrace-1.15-1.mga5

CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Lewis Smith 2017-08-13 20:33:09 CEST

CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK advisory

Comment 4 Len Lawrence 2017-08-18 23:42:06 CEST
mga6  x86_64

There is a PoC image available for CVE-2017-12067 at https://github.com/hackerlib/hackerlib-vul/tree/master/potrace/heap-buffer-overflow-mkbitmap.  This is meant to be run within the ASAN testing framework so we should not expect too much from it.
$ file poc
poc: PC bitmap, Windows 3.x format, 0 x 32 x 4

It does not display with ImageMagick.
$ identify poc
identify: negative or zero image size `poc' @ error/bmp.c/ReadBMPImage/833.
$ ls -l poc
-rw-r--r-- 1 lcl lcl 630 Aug 18 21:32 poc
$ hexdump poc
0000000 4d42 0276 0000 0000 0000 0076 0000 0028
0000010 0000 0000 0000 0020 0000 0001 0004 0000
.............................

Updated the packages.
$ potrace -s -o poc.svg poc
$ ls -l poc.svg
-rw-r--r-- 1 lcl lcl 514 Aug 18 23:06 poc.svg
$ file poc.svg
poc.svg: SVG Scalable Vector Graphics image
$ display poc.svg
This succeeds in displaying a vertical white bar which is likely to be 32 pixels high.  So the PoC tells us nothing really except that we do not have the resources to test it properly.  The results are identical to the test carried out before the upgrade.

Some conversions:
$ potrace -b pdf -o lena.pdf lena-orig.ppm
$ xpdf lena.pdf      # black and white image on page 1 
$ potrace -e -o teapot.ps teapot.ppm
$ gs teapot.ps
This displays in black and white, effectively just the highlights in the original image (red teapot on uniform grey background), exactly what it is advertised to do.
I tried others - no surprises.
Good for 64-bits.

CC: (none) => tarazed25
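
Added example (not part of the bug report and not potrace code): the two hexdump lines quoted in comment 4, decoded back into bytes and parsed as a BMP header, which shows the zero width that `file` and `identify` reported. The function names and the triage rules are assumptions chosen for illustration; they are not the checks potrace 1.15 performs.

```python
import struct

# First 32 bytes of the PoC, copied from the `hexdump poc` output in comment 4.
POC_HEXDUMP = """\
0000000 4d42 0276 0000 0000 0000 0076 0000 0028
0000010 0000 0000 0000 0020 0000 0001 0004 0000
"""

def hexdump_to_bytes(text):
    """Undo default `hexdump` output: an offset, then 16-bit words in host
    byte order (little-endian here, since the dump came from x86_64)."""
    out = bytearray()
    for line in text.splitlines():
        for word in line.split()[1:]:          # field 0 is the offset
            out += struct.pack("<H", int(word, 16))
    return bytes(out)

def parse_bmp_header(data):
    """Parse the 14-byte file header and the first fields of the info header."""
    if len(data) < 30:
        raise ValueError("truncated BMP header")
    magic, file_size, _reserved, pixel_offset = struct.unpack_from("<2sIII", data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    info_size, width, height, planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if info_size < 40:
        raise ValueError("only BITMAPINFOHEADER-style headers are handled")
    return {"file_size": file_size, "pixel_offset": pixel_offset,
            "width": width, "height": height, "planes": planes, "bpp": bpp}

def triage(h):
    """Return reasons to treat the image as malformed before tracing it."""
    findings = []
    if h["width"] <= 0:
        findings.append("width %d is not positive" % h["width"])
    if h["height"] == 0:                       # negative height = top-down, legal
        findings.append("height is zero")
    if h["planes"] != 1:
        findings.append("planes is %d, expected 1" % h["planes"])
    if h["bpp"] not in (1, 4, 8, 16, 24, 32):
        findings.append("unsupported bit depth %d" % h["bpp"])
    if h["pixel_offset"] > h["file_size"]:
        findings.append("pixel data offset lies past end of file")
    return findings

if __name__ == "__main__":
    header = parse_bmp_header(hexdump_to_bytes(POC_HEXDUMP))
    print(header)
    print(triage(header))
```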

Len Lawrence 2017-08-18 23:44:55 CEST

Whiteboard: MGA5TOO MGA5-64-OK advisory => MGA5TOO MGA5-64-OK advisory MGA6-64-OK

Len Lawrence 2017-08-18 23:45:54 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-08-19 11:23:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0280.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
