Hi Hugo,

I do not have any objection to marking it as no-dsa, especially since it is that already for jessie.

However, I thought I should have a check, but I cannot find a patch. The patch mentioned here gives a 404:
https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in-findnext-decompose-c/

Q1: What is the patch you have used?
Q2: Is the problem still there for Stretch as well?

Best regards

// Ola

On 30 March 2017 at 16:29, Hugo Lefeuvre <h...@debian.org> wrote:
> Hi,
>
> potrace is affected by CVE-2016-8685, causing invalid memory
> access and crash via crafted BMP images. This issue has already been
> fixed since January in Stretch, and I wanted to backport the patch
> for wheezy, but it turned out to be harder than expected.
>
> In fact the patch applies well, but it doesn't solve the issue when
> potrace is built with optimization flags -O2 and above.
>
> I tried to debug it, but debugging with optimization flags >2 is not very
> handy. I also asked potrace's maintainer Bartosz Fenski, but he has not
> answered yet.
>
> Any advice about how to solve this kind of problem?
>
> Otherwise, if nobody is against it, I'd mark the issue no-dsa (the
> issue is already no-dsa for Jessie).
>
> Cheers,
> Hugo
>
> --
> Hugo Lefeuvre (hle) | www.owl.eu.com
> 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

--
Inguza Technology AB
MSc in Information Technology
o...@inguza.com / o...@debian.org
Folkebogatan 26, 654 68 KARLSTAD
http://inguza.com/
Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9