Hi Ola,
> I do not have any objection on marking it as no-dsa, especially since it is
> that already for jessie.
>
> However I thought I should have a check but I can not find a patch. The
> patch mentioned here, gives a 404.
> https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in-findnext-decompose-c/
>
> Q1: What is the patch you have used?
>
> Q2: Is the problem still there for Stretch as well?
No, the issue has already been fixed in Stretch, and the patch got
integrated in 1.14. You can still find it here[0].
It would be helpful if you could have a check, indeed ! I'd like to know
why the patch only "fixes" the issue for -O0 and -O1.
I briefly asked myself whether it could be a good idea to upload the
package with a lower optimization level, but actually I think it would
be a very bad solution.
If the problem still affects potrace with higher optimization levels, then
it means probably that something is still going wrong.
Cheers,
Hugo
[0] https://sources.debian.net/src/potrace/1.13-3/debian/patches/cve-2016-8685.patch/
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
Attachment:
signature.asc
Description: PGP signature