Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 610062 (CVE-2016-8685) - <media-gfx/potrace-1.14: invalid memory read and memory allocation failure (CVE-2016-8685)
Summary: <media-gfx/potrace-1.14: invalid memory read and memory allocation failure (C...
Status: RESOLVED FIXED
Alias: CVE-2016-8685
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-12067
Blocks:
  Show dependency tree
 
Reported: 2017-02-20 08:10 UTC by Agostino Sarubbo
Modified: 2017-10-26 01:19 UTC (History)
3 users (show)

See Also:
Package list:
=media-gfx/potrace-1.14
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-02-20 08:10:19 UTC
Potrace 1.14 fixes an invalid memory read and a memory allocation failure:

https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in-findnext-decompose-c/

https://blogs.gentoo.org/ago/2016/08/29/potrace-memory-allocation-failure/
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 19:10:53 UTC
CVE-2016-8685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8685):
  The findnext function in decompose.c in potrace 1.13 allows remote attackers
  to cause a denial of service (invalid memory access and crash) via a crafted
  BMP image.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 19:11:49 UTC
@ Maintainer(s): Can we already start stabilization of =media-gfx/potrace-1.14?
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 16:57:19 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

If nothing in a week will cal for stabilization on May 7th.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-06-03 06:37:23 UTC
Time out on maintainers!

Arches, please test and mark stable:
=media-gfx/potrace-1.14
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-03 07:54:27 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-04 10:42:55 UTC
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-04 19:23:02 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2017-06-08 05:05:30 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-06-10 13:45:35 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-10 15:11:42 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-06-13 12:32:01 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-06-21 11:57:49 UTC
ppc stable
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 14:54:39 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-16 20:39:45 UTC
hppa stable
Comment 15 Aleksandr Wagner (Kivak) 2017-10-16 21:11:32 UTC
Stabilization is complete, thank you arches.

@Maintainer(s): Please clean the vulnerable version from the tree.

@Security: Please vote on whether a glsa is needed or not.

Gentoo Security Padawan
Kivak
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-10-26 01:19:24 UTC
GLSA Vote: No

Cleanup tracked in bug #626820