Fedora has issued an advisory on August 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PG4MCYIFDHYLJGKJFKDL3GEYN52V5EOM/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
New version pushed to updates_testing:

src.rpm:
potrace-1.15-1.mga6
potrace-1.15-1.mga5

Advisory taken from Fedora:
This release consists of bugfixes and minor portability improvements. Some potential buffer overflows and arithmetic overflows were fixed, including CVE-2017-12067. A bug triggered by very large bitmaps has been fixed.
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CVE: (none) => CVE-2017-12067
Assignee: nicolas.salguero => qa-bugs
CC: (none) => mageia
Version: Cauldron => 6
Advisory:
========================

Updated potrace packages fix security vulnerability:

Potrace 1.14 has a heap-based buffer over-read in the interpolate_cubic function in mkbitmap.c (CVE-2017-12067).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12067
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PG4MCYIFDHYLJGKJFKDL3GEYN52V5EOM/
========================

Updated packages in core/updates_testing:
========================
potrace-1.15-1.mga5
libpotrace0-1.15-1.mga5
libpotrace-devel-1.15-1.mga5
potrace-1.15-1.mga6
libpotrace0-1.15-1.mga6
libpotrace-devel-1.15-1.mga6

from SRPMS:
potrace-1.15-1.mga5.src.rpm
potrace-1.15-1.mga6.src.rpm
Installed and tested without issue. Tested on several images, some with over 60 MPixels.

$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep potrace
lib64potrace0-1.15-1.mga5
potrace-1.15-1.mga5
CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK advisory
mga6 x86_64

There is a PoC image available for CVE-2017-12067 at https://github.com/hackerlib/hackerlib-vul/tree/master/potrace/heap-buffer-overflow-mkbitmap. This is meant to be run within the ASAN testing framework, so we should not expect too much from it.

$ file poc
poc: PC bitmap, Windows 3.x format, 0 x 32 x 4

It does not display with ImageMagick.

$ identify poc
identify: negative or zero image size `poc' @ error/bmp.c/ReadBMPImage/833.

$ ls -l poc
-rw-r--r-- 1 lcl lcl 630 Aug 18 21:32 poc

$ hexdump poc
0000000 4d42 0276 0000 0000 0000 0076 0000 0028
0000010 0000 0000 0000 0020 0000 0001 0004 0000
.............................

Updated the packages.

$ potrace -s -o poc.svg poc
$ ls -l poc.svg
-rw-r--r-- 1 lcl lcl 514 Aug 18 23:06 poc.svg
$ file poc.svg
poc.svg: SVG Scalable Vector Graphics image
$ display poc.svg

This succeeds in displaying a vertical white bar which is likely to be 32 pixels high. So the PoC tells us nothing really, except that we do not have the resources to test it properly. The results are identical to the test carried out before the upgrade.

Some conversions:

$ potrace -b pdf -o lena.pdf lena-orig.ppm
$ xpdf lena.pdf # black and white image on page 1
$ potrace -e -o teapot.ps teapot.ppm
$ gs teapot.ps

This displays in black and white, effectively just the highlights in the original image (red teapot on uniform grey background), exactly what it is advertised to do. I tried others - no surprises.

Good for 64-bits.
CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA5-64-OK advisory => MGA5TOO MGA5-64-OK advisory MGA6-64-OK
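As an added example, not code from this bug report, from potrace or from mkbitmap: a BMP header check that rejects the "0 x 32 x 4" geometry of the PoC (its first 32 bytes are re-serialised here from the hexdump quoted in the comment above), which is the same class of input validation that makes ImageMagick refuse the file before any pixel buffer is indexed. The names bmp_check_header, bmp_row_stride, bmp_info and the BMP_ERR_* codes are chosen for this example; the stride helper also shows a width*bpp computation done in 64 bits so it cannot wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* First 32 bytes of the PoC, re-serialised from the quoted hexdump
 * (hexdump prints little-endian 16-bit words, so 4d42 is "BM"). */
static const uint8_t poc_header[32] = {
    0x42,0x4d, 0x76,0x02,0x00,0x00, 0x00,0x00,0x00,0x00, 0x76,0x00,0x00,0x00,
    0x28,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x20,0x00,0x00,0x00,
    0x01,0x00, 0x04,0x00, 0x00,0x00 };

typedef struct {
    uint32_t file_size, data_offset, header_size;
    int32_t width, height;   /* signed: negative height means top-down rows */
    uint16_t planes, bpp;
} bmp_info;

enum { BMP_OK = 0, BMP_ERR_SHORT = -1, BMP_ERR_MAGIC = -2,
       BMP_ERR_DIM = -3, BMP_ERR_BPP = -4, BMP_ERR_OFFSET = -5 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse BITMAPFILEHEADER plus the start of BITMAPINFOHEADER and reject
 * geometry that no later stage (row padding, interpolation) can index safely.
 * *out is filled even on rejection so a caller can log what was seen. */
int bmp_check_header(const uint8_t *buf, size_t len, bmp_info *out) {
    if (len < 30) return BMP_ERR_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;
    bmp_info h;
    h.file_size = rd32(buf + 2);         h.data_offset = rd32(buf + 10);
    h.header_size = rd32(buf + 14);
    h.width = (int32_t)rd32(buf + 18);   h.height = (int32_t)rd32(buf + 22);
    h.planes = rd16(buf + 26);           h.bpp = rd16(buf + 28);
    if (out) *out = h;
    if (h.width <= 0 || h.height == 0 || h.height == INT32_MIN) return BMP_ERR_DIM;
    if (h.bpp != 1 && h.bpp != 4 && h.bpp != 8 && h.bpp != 24 && h.bpp != 32)
        return BMP_ERR_BPP;
    if (h.data_offset < (uint64_t)14 + h.header_size || h.data_offset > h.file_size)
        return BMP_ERR_OFFSET;
    return BMP_OK;
}

/* Bytes per 4-byte-padded scanline, computed in 64 bits so width*bpp cannot wrap. */
int bmp_row_stride(int32_t width, uint16_t bpp, uint32_t *stride) {
    uint64_t bytes = (((uint64_t)width * bpp + 31) / 32) * 4;
    if (width <= 0 || bytes > UINT32_MAX) return -1;
    *stride = (uint32_t)bytes;
    return 0;
}
```

For the PoC bytes the check returns BMP_ERR_DIM with width 0, height 32 and 4 bits per pixel, matching what `file` reported; the same header with a width of 8 passes.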
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0280.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED