
Re: CVE-2016-8685 in potrace



Hi Hugo

I do not have any objection to marking it as no-dsa, especially since it is that already for jessie.

However, I thought I should have a check, but I cannot find a patch. The patch mentioned here gives a 404.
https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in-findnext-decompose-c/

Q1: What is the patch you have used?

Q2: Is the problem still there for Stretch as well?

Best regards

// Ola

On 30 March 2017 at 16:29, Hugo Lefeuvre <hle@debian.org> wrote:
Hi,

potrace is affected by CVE-2016-8685 causing invalid memory
access and crash via crafted BMP images. This issue has already been
fixed since January in Stretch, and I wanted to backport the patch
for wheezy, but it turned out to be harder than expected.

In fact the patch applies well, but it doesn't solve the issue when
potrace is built with optimization flags -O2 and above.

I tried to debug it, but debugging with optimization flags >2 is not very
handy. I also asked potrace's maintainer Bartosz Fenski, but he has not
answered yet.

Any advice about how to solve this kind of problem?

Otherwise, if nobody is against it, I'd mark the issue no-dsa (the
issue is already no-dsa for Jessie).

Cheers,
 Hugo

--
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E



--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

