Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 564874 - <media-gfx/potrace-1.13: multiple vulnerabilities
Summary: <media-gfx/potrace-1.13: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-04 14:24 UTC by Agostino Sarubbo
Modified: 2016-11-27 10:59 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-11-04 14:24:38 UTC 
Upstream 1.13 fixes multiple buffer overflow + multiple null pointer dereference + a divide by zero which I reported time ago.

Upstream announcement:
October 22, 2015: Release 1.13. Some critical bugs in the processing of BMP files were fixed. These bugs allowed the program to be crashed, or potentially to be abused in other ways, by feeding it specially crafted BMP files. Thanks to Tomasz Buchert and Agostino Sarubbo for reporting these bugs. Portability was improved for C99 and for MSVC++. Thanks to Peter Breitenlohner, Nelson Beebe, and Martin Gieseking for reporting portability issues.
Comment 1 Agostino Sarubbo gentoo-dev 2016-08-11 09:36:07 UTC 
Arches, please test and mark stable:
=media-gfx/potrace-1.13                                                                                                                                                                        
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 2 Agostino Sarubbo gentoo-dev 2016-08-11 09:36:56 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-08-11 09:37:22 UTC 
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-08-14 09:24:02 UTC 
Stable for HPPA PPC64.
Comment 5 Markus Meier gentoo-dev 2016-08-18 19:31:38 UTC 
arm stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-02 19:21:52 UTC 
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2016-09-29 09:35:59 UTC 
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 12:36:45 UTC 
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 13:29:22 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-11-11 11:52:58 UTC 
As the previous potrace bug (bug #545036) this is a potential DoS.  Re-designating.

GLSA Vote: No

@maintainer(s), please clean.