Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 610062 (CVE-2016-8685)

Summary: <media-gfx/potrace-1.14: invalid memory read and memory allocation failure (CVE-2016-8685)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: fonts, graphics+disabled, hendrik
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
=media-gfx/potrace-1.14
 Runtime testing required: ---
Bug Depends on: 626820    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2017-02-20 08:10:19 UTC 
Potrace 1.14 fixes an invalid memory read and a memory allocation failure:

https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in-findnext-decompose-c/

https://blogs.gentoo.org/ago/2016/08/29/potrace-memory-allocation-failure/
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 19:10:53 UTC 
CVE-2016-8685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8685):
  The findnext function in decompose.c in potrace 1.13 allows remote attackers
  to cause a denial of service (invalid memory access and crash) via a crafted
  BMP image.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 19:11:49 UTC 
@ Maintainer(s): Can we already start stabilization of =media-gfx/potrace-1.14?
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 16:57:19 UTC 
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

If nothing in a week will cal for stabilization on May 7th.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-06-03 06:37:23 UTC 
Time out on maintainers!

Arches, please test and mark stable:
=media-gfx/potrace-1.14
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-03 07:54:27 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-04 10:42:55 UTC 
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-04 19:23:02 UTC 
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2017-06-08 05:05:30 UTC 
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-06-10 13:45:35 UTC 
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-10 15:11:42 UTC 
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-06-13 12:32:01 UTC 
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-06-21 11:57:49 UTC 
ppc stable
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 14:54:39 UTC 
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-16 20:39:45 UTC 
hppa stable
Comment 15 Aleksandr Wagner (Kivak) 2017-10-16 21:11:32 UTC 
Stabilization is complete, thank you arches.

@Maintainer(s): Please clean the vulnerable version from the tree.

@Security: Please vote on whether a glsa is needed or not.

Gentoo Security Padawan
Kivak
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-10-26 01:19:24 UTC 
GLSA Vote: No

Cleanup tracked in bug #626820