Hi, potrace is affected by CVE-2016-8685 causing invalid memory access and crash via crafted BMP images. This issue has already been fixed since January in Stretch, and I wanted to backport the patch for wheezy, but it turned out to be harder than excepted.
In fact the patch applies well, but it doesn't solve the issue when
potrace is built with optimization flags -O2 and above.
I tried to debug it, but debugging with optimization flags >2 is not very
handy. I also asked potrace's maintainer Bartosz Fenski, but he did not
answer yet.
Any advice about how to solve this kind of problems ?
Otherwise, if nobody is against it, I'd mark the issue no-dsa (the
issue is already no-dsa for Jessie).
Cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
signature.asc
Description: PGP signature
