Bug 613992 (CVE-2016-7392) - <media-gfx/autotrace-0.31.1-r8: heap-based buffer overflow in pstoedit_suffix_table_init (output-pstoedit.c)
Summary: <media-gfx/autotrace-0.31.1-r8: heap-based buffer overflow in pstoedit_suffix...
Status: RESOLVED FIXED
Alias: CVE-2016-7392
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://blogs.gentoo.org/ago/2016/09/...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on: 620802
Blocks:
Reported: 2017-03-27 08:14 UTC by Agostino Sarubbo
Modified: 2017-08-26 14:48 UTC

See Also:
Package list:
media-gfx/autotrace-0.31.1-r8
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-03-27 08:14:46 UTC
Details at $URL


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-03-31 05:38:41 UTC
CVE ID: CVE-2016-7392
Summary: Heap-based buffer overflow in the pstoedit_suffix_table_init function in output-pstoedit.c in AutoTrace 0.31.1 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted bmp image file.
Published: 2017-02-15T21:59:00.000Z
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 12:21:34 UTC
Fixed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fcc7c830301a4ae876393e6ca0e1f74b7deca9f


@ Arches,

please test and mark stable: =media-gfx/autotrace-0.31.1-r8
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-04 15:20:30 UTC
Hi, it makes no sense to stabilize the package since there is bug 619040.

I'd suggest pmasking it.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 16:12:06 UTC
(In reply to Agostino Sarubbo from comment #3)
> Hi, it makes no sense to stabilize the package since there is bug 619040.
> 
> I'd suggest pmasking it.

I agree. I created a tracker bug. Package should get PMASKED by 2017-06-30.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-08-16 10:23:03 UTC
commit af14a9845810137c82742baf89bf3dd4fcbc9540
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Wed Aug 16 12:11:52 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Wed Aug 16 12:21:39 2017

    media-gfx/autotrace: Remove last-rited pkg, #620802
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-08-26 14:48:58 UTC
This issue was resolved and addressed in GLSA 201708-09 at https://security.gentoo.org/glsa/201708-09 by GLSA coordinator Aaron Bauman (b-man).