Bugzilla – Bug 1005026
VUL-0: CVE-2016-8685: potrace: invalid memory access in findnext (decompose.c)
Last modified: 2017-05-18 06:38:39 UTC
CVE-2016-8685
From: Agostino Sarubbo

Description:
potrace is a utility that transforms bitmaps into vector graphics.

A crafted image revealed, through fuzz testing, the presence of an invalid memory access.

The complete ASan output:

# potrace $FILE
potrace: warning: 48.crashes: premature end of file
ASAN:DEADLYSIGNAL
=================================================================
==13940==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd7b865b800 (pc 0x7fd7ec5bcbf4 bp 0x7fff9ebad590 sp 0x7fff9ebad360 T0)
    #0 0x7fd7ec5bcbf3 in findnext /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11
    #1 0x7fd7ec5bcbf3 in getenv /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:478
    #2 0x7fd7ec5c3ed9 in potrace_trace /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/potracelib.c:76:7
    #3 0x4fea6e in process_file /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1102:10
    #4 0x4f872b in main /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1250:7
    #5 0x7fd7eb4d961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418fc8 in getenv (/usr/bin/potrace+0x418fc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11 in findnext
==13940==ABORTING

Affected version: 1.13
Fixed version: N/A
Commit fix: N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8685
http://seclists.org/oss-sec/2016/q4/150
I asked for the reproducer, will attach it once he replies
bugbot adjusting priority
Created attachment 700934
Reproducer

File for reproducing the issue
Fix is available to the public.

February 19, 2017: Release 1.14

This release consists of bugfixes and minor portability improvements. A number of bugs triggered by malformed BMP files have been fixed, including CVE-2016-8685 and CVE-2016-8686. Error reporting has been improved. The image size is now truncated when the bitmap data ends prematurely. It is now possible to use negative dy in bitmap data. Portability has been improved to encompass C++11. The default compiler is now clang if available. Thanks to Nelson Beebe and Martin Gieseking for reporting portability issues, and to Agostino Sarubbo for reporting bugs.
http://potrace.sourceforge.net/patches/potrace-1.13-CVE-2016-8685.patch (from http://seclists.org/oss-sec/2017/q1/517 message)
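The 1.14 changelog says the image size is now truncated when the bitmap data ends prematurely, which is the condition the ASan trace in the report hits ("premature end of file"). The following is an added illustration of that defensive pattern and is not potrace's own code: a minimal reader for 1-bpp bottom-up BMP pixel rows that clamps the row count to the data actually present, plus a bounds-checked pixel accessor so a pixel scan can never run past the buffer. The function names, the dimension cap and the constructed layout are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not potrace code. Models the 1.14 mitigation from the
 * changelog: when the pixel data ends before 'h' rows are present, the image
 * height is clamped to the rows actually read instead of the decoder reading
 * past the end of the buffer. Header parsing is omitted: width, height and
 * the raw bottom-up 1-bpp pixel rows are passed in directly (assumption). */

typedef struct {
    int w, h;        /* width in pixels, height in rows (h may be clamped)  */
    int stride;      /* bytes per row, 1 bit per pixel, MSB = leftmost pixel */
    uint8_t *bits;   /* h * stride bytes, row 0 = top of image               */
} bitmap_t;

/* BMP rows are padded to a multiple of 4 bytes. */
static size_t bmp_row_bytes(int w) {
    return (size_t)(((w + 31) / 32) * 4);
}

/* Copies up to h rows of pixel data from data[0..len) into a fresh bitmap.
 * Returns 0 on success (with *missing = rows the file did not contain),
 * -1 on bad dimensions, allocation failure, or fewer than one full row. */
int bmp_read_bits(const uint8_t *data, size_t len, int w, int h,
                  bitmap_t *out, int *missing) {
    if (w <= 0 || h <= 0 || w > (1 << 20) || h > (1 << 20)) return -1; /* sanity cap (assumed) */
    size_t rb = bmp_row_bytes(w);
    size_t avail = len / rb;                 /* rows fully present; cannot overflow */
    int rows = avail < (size_t)h ? (int)avail : h;
    *missing = h - rows;
    if (rows == 0) return -1;                /* premature EOF before the first row */
    uint8_t *bits = calloc((size_t)rows, rb);
    if (!bits) return -1;
    for (int y = 0; y < rows; y++)           /* BMP stores rows bottom-up */
        memcpy(bits + (size_t)(rows - 1 - y) * rb, data + (size_t)y * rb, rb);
    out->w = w; out->h = rows; out->stride = (int)rb; out->bits = bits;
    return 0;
}

/* Bounds-checked pixel read: anything outside the (possibly clamped) image
 * is reported as background, so a scan for the next set pixel can never
 * index past the buffer, whatever the header claimed. */
int bm_get(const bitmap_t *bm, int x, int y) {
    if (x < 0 || y < 0 || x >= bm->w || y >= bm->h) return 0;
    return (bm->bits[(size_t)y * bm->stride + x / 8] >> (7 - x % 8)) & 1;
}
```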
Mikhail Kasimov: Do you have a copy of this patch? Now it returns 404.
The changelog also mentions CVE-2016-8686.
(In reply to Stanislav Brabec from comment #6)
> Mikhail Kasimov: Do you have a copy of this patch? Now it returns 404.

No. But try this link: https://sources.debian.net/patches/potrace/1.13-3/cve-2016-8685.patch/
Created attachment 715720
cve-2016-8685.patch
Thanks. This patch apparently does not cover CVE-2016-8686. Looking at the diff, the changes in the patch for CVE-2016-8686 (bm_new()) are much larger. Additionally, the new check getsize() is inlined into more files and used in more places. I think that the version update is safe in this case.

Submitted:
http://build.opensuse.org/request/show/460905
http://build.opensuse.org/request/show/460906
*** Bug 1005027 has been marked as a duplicate of this bug. ***
openSUSE-SU-2017:0648-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005026
CVE References: CVE-2016-8685,CVE-2016-8686
Sources used:
openSUSE Leap 42.2 (src): potrace-1.14-8.1
openSUSE Leap 42.1 (src): potrace-1.14-8.1