Bug 626820 (CVE-2017-12067)

Summary: <media-gfx/potrace-1.15: heap-based buffer over-read (CVE-2017-12067)
Product: Gentoo Security
Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: fonts, graphics+disabled
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list: =media-gfx/potrace-1.15
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 610062, 614056

Description Aleksandr Wagner (Kivak) 2017-08-01 17:49:22 UTC
CVE-2017-12067 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12067):

Potrace 1.14 has a heap-based buffer over-read in the interpolate_cubic function in mkbitmap.c.

References:

https://github.com/hackerlib/hackerlib-vul/tree/master/potrace/heap-buffer-overflow-mkbitmap
Comment 1 Aleksandr Wagner (Kivak) 2017-09-21 02:09:46 UTC
Version 1.15 is now in the tree.

Keywords for media-gfx/potrace:
     |                                 |   u   |  
     | a a         p   a     n r     s |   n   |  
     | l m   h i   p   r m m i i s   p | e u s | r
     | p d a p a p c x m i 6 o s 3   a | a s l | e
     | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o | p
     | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t | o
-----+---------------------------------+-------+-------
1.13 | + + + + + + + + o o o o o ~ ~ + | 5 o 0 | gentoo
1.14 | + + + ~ + + + + ~ o o o o ~ ~ + | 5 o   | gentoo
1.15 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o o o o ~ ~ ~ | 6 o   | gentoo

@Maintainer(s): Please state when version 1.15 is ready for stabilization, thank you.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-19 12:01:08 UTC
x86 stable
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2017-10-19 12:43:54 UTC
Stable on amd64
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-20 19:44:40 UTC
ia64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-21 17:34:35 UTC
ppc/ppc64 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:48:49 UTC
Stable on alpha.
Comment 7 Markus Meier gentoo-dev 2017-10-24 17:36:52 UTC
arm stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-25 21:31:47 UTC
hppa stable
Comment 9 Aleksandr Wagner (Kivak) 2017-10-25 22:03:04 UTC
Stabilization has been completed, thank you arches.

@ Maintainer(s): Please clean the vulnerable versions from the tree.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-10-26 01:18:54 UTC
PoC [1] shows crash (DoS).  No PoC for ACE/RCE.

[1]: https://github.com/hackerlib/hackerlib-vul/tree/master/potrace/heap-buffer-overflow-mkbitmap

GLSA Vote: No
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-01-19 23:48:05 UTC
@maintainer(s), please clean the vulnerable versions.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 16:31:54 UTC
(In reply to Aaron Bauman from comment #11)
> @maintainer(s), please clean the vulnerable versions.

To ensure it is not missed... sparc has two stable versions with the vulnerable ebuilds, but is now an unstable arch.  So the maintainer is left with the decision.
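The keyword table in comment 1 and the sparc situation described in comment 12 can be worked through mechanically. The following is an added example, not code from this bug or from Gentoo's own tooling: it parses eshowkw-style output (the embedded sample is the table from comment 1) and lists the arches that still have a stable vulnerable version without a stable fixed version.

```python
# Constructed sample: the eshowkw table quoted in comment 1 of this bug
# (example code written for this page, not Gentoo's own tooling).
ESHOWKW = """\
     |                                 |   u   |
     | a a         p   a     n r     s |   n   |
     | l m   h i   p   r m m i i s   p | e u s | r
     | p d a p a p c x m i 6 o s 3   a | a s l | e
     | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o | p
     | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t | o
-----+---------------------------------+-------+-------
1.13 | + + + + + + + + o o o o o ~ ~ + | 5 o 0 | gentoo
1.14 | + + + ~ + + + + ~ o o o o ~ ~ + | 5 o   | gentoo
1.15 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o o o o ~ ~ ~ | 6 o   | gentoo
"""

def parse_keywords(text):
    """Read the vertical arch headers; return (arches, {version: {arch: keyword}})."""
    header, rows = [], []
    for line in text.splitlines():
        fields = line.split("|")
        if line.startswith("-----") or len(fields) < 2:
            continue
        if fields[0].strip():
            rows.append((fields[0].strip(), fields[1]))
        else:
            header.append(fields[1])
    width = max(len(f) for f in header)
    header = [h.ljust(width) for h in header]
    # Each arch name is spelled downward in one character column of the header.
    arches = {pos: "".join(h[pos] for h in header).strip() for pos in range(width)}
    arches = {pos: name for pos, name in arches.items() if name}
    keywords = {}
    for version, field in rows:
        field = field.ljust(width)
        keywords[version] = {arch: field[pos] for pos, arch in arches.items()}
    return list(arches.values()), keywords

def stabilization_gaps(keywords, vulnerable, fixed):
    """Arches that still carry a stable (+) vulnerable version but no stable
    fixed version: removing the vulnerable ebuilds would leave them without a stable one."""
    arches = next(iter(keywords.values()))
    return [a for a in arches
            if any(keywords[v][a] == "+" for v in vulnerable)
            and not any(keywords[f][a] == "+" for f in fixed)]

def mark_stable(keywords, version, arches):
    """Record an arch team's stabilization (as in comments 2-8 of the bug)."""
    for arch in arches:
        keywords[version][arch] = "+"
```

Running `stabilization_gaps` on the parsed table before and after marking the eight arches from comments 2-8 stable on 1.15 leaves exactly sparc, matching the cleanup blocker noted above.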
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-18 16:10:07 UTC
@Maintainers, it's been over 4 months since all arches were done. I'm CCing sparc to let them know that they need to stabilize, but if they don't respond quickly, please finish cleanup.

Thank you,
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-22 22:51:39 UTC
commit cc1662e218a1e2f6941e6e07ff325f0bcb12438d
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Thu Mar 22 18:10:36 2018 +0100

    media-gfx/potrace: stable 1.15 for sparc, bug #626820
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-03-23 23:30:51 UTC
tree is clean