Bug 1005026 - (CVE-2016-8685) VUL-0: CVE-2016-8685: potrace: invalid memory access in findnext (decompose.c)
VUL-0: CVE-2016-8685: potrace: invalid memory access in findnext (decompose.c)
: CVE-2016-8686 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other openSUSE 42.1
: P3 - Medium : Normal
: ---
Assigned To: Stanislav Brabec
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2016-10-17 08:59 UTC by Johannes Segitz
Modified: 2017-05-18 06:38 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Reproducer (128 bytes, image/bmp)
2016-11-07 14:44 UTC, Johannes Segitz
cve-2016-8685.patch (973 bytes, patch)
2017-02-28 13:31 UTC, Mikhail Kasimov
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-10-17 08:59:33 UTC

From: Agostino Sarubbo
potrace is a utility that transforms bitmaps into vector graphics.

A crafted image revealed, through a fuzz testing, the presence of a invalid
memory access.

The complete ASan output:

# potrace $FILE
potrace: warning: 48.crashes: premature end of file
==13940==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd7b865b800 (pc
0x7fd7ec5bcbf4 bp 0x7fff9ebad590 sp 0x7fff9ebad360 T0)
    #0 0x7fd7ec5bcbf3 in findnext /var/tmp/portage/media-
    #1 0x7fd7ec5bcbf3 in getenv /var/tmp/portage/media-
    #2 0x7fd7ec5c3ed9 in potrace_trace /var/tmp/portage/media-
    #3 0x4fea6e in process_file /var/tmp/portage/media-
    #4 0x4f872b in main /var/tmp/portage/media-
    #5 0x7fd7eb4d961f in __libc_start_main /var/tmp/portage/sys-
    #6 0x418fc8 in getenv (/usr/bin/potrace+0x418fc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-
gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11 in findnext
Affected version:

Fixed version:

Commit fix:

This bug was discovered by Agostino Sarubbo of Gentoo.

Comment 1 Johannes Segitz 2016-10-17 08:59:55 UTC
I asked for the reproducer, will attach it once he replies
Comment 2 Swamp Workflow Management 2016-10-17 22:01:21 UTC
bugbot adjusting priority
Comment 3 Johannes Segitz 2016-11-07 14:44:40 UTC
Created attachment 700934 [details]

File for reproducing the issue
Comment 4 Stanislav Brabec 2017-02-21 14:08:14 UTC
Fix is available for public.

February 19, 2017: Release 1.14

 This release consists of bugfixes and minor portability improvements.
 A number of bugs triggered by malformed BMP files have been fixed,
 including CVE-2016-8685 and CVE-2016-8686. Error reporting has been
 improved. The image size is now truncated when the bitmap data ends
 prematurely. It is now possible to use negative dy in bitmap
 data. Portability has been improved to encompass C++11. The default
 compiler is now clang if available. Thanks to Nelson Beebe and Martin
 Gieseking for reporting portability issues, and to Agostino Sarubbo
 for reporting bugs.
Comment 6 Stanislav Brabec 2017-02-28 13:16:54 UTC
Mikhail Kasimov: Do you have a copy of this patch? Now it returns 404.
Comment 7 Stanislav Brabec 2017-02-28 13:19:43 UTC
The changelog also mentions CVE-2016-8686.
Comment 8 Mikhail Kasimov 2017-02-28 13:30:07 UTC
(In reply to Stanislav Brabec from comment #6)
> Mikhail Kasimov: Do you have a copy of this patch? Now it returns 404.

No. But try this link: https://sources.debian.net/patches/potrace/1.13-3/cve-2016-8685.patch/
Comment 9 Mikhail Kasimov 2017-02-28 13:31:59 UTC
Created attachment 715720 [details]
Comment 10 Stanislav Brabec 2017-02-28 15:32:01 UTC
Thanks. This patch apparently does not cover CVE-2016-8686.

Looking at the diff, the changes in are patch for CVE-2016-8686 (bm_new()) are much larger. Additionally, the new check getsize() is inlined to more files and used in more places.

I think that the version update is safe in this case.

Comment 11 Stanislav Brabec 2017-03-02 18:14:49 UTC
*** Bug 1005027 has been marked as a duplicate of this bug. ***
Comment 12 Swamp Workflow Management 2017-03-10 02:07:38 UTC
openSUSE-SU-2017:0648-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005026
CVE References: CVE-2016-8685,CVE-2016-8686
Sources used:
openSUSE Leap 42.2 (src):    potrace-1.14-8.1
openSUSE Leap 42.1 (src):    potrace-1.14-8.1