Hi,

potrace is affected by CVE-2016-8685 causing invalid memory
access and crash via crafted BMP images. This issue has already been
fixed since January in Stretch, and I wanted to backport the patch
for wheezy, but it turned out to be harder than excepted.

In fact the patch applies well, but it doesn't solve the issue when
potrace is built with optimization flags -O2 and above.

I tried to debug it, but debugging with optimization flags >2 is not very
handy. I also asked potrace's maintainer Bartosz Fenski, but he did not
answer yet.

Any advice about how to solve this kind of problems ?

Otherwise, if nobody is against it, I'd mark the issue no-dsa (the
issue is already no-dsa for Jessie).

Cheers,
 Hugo

-- 
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

Attachment: signature.asc
Description: PGP signature

Reply via email to