Hi, I'll have a look. I understand that stretch has the fix. But does it use O2, meaning it may not be fixed after all? Or is the O2 only affecting wheezy?

/ Ola

Sent from a phone

On 2 Apr 2017 11:07, "Hugo Lefeuvre" <h...@debian.org> wrote:

> Hi Ola,
>
> > I do not have any objection on marking it as no-dsa, especially since it is
> > that already for jessie.
> >
> > However I thought I should have a check but I can not find a patch. The
> > patch mentioned here, gives a 404.
> > https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in-findnext-decompose-c/
> >
> > Q1: What is the patch you have used?
> >
> > Q2: Is the problem still there for Stretch as well?
>
> No, the issue has already been fixed in Stretch, and the patch got
> integrated in 1.14. You can still find it here[0].
>
> It would be helpful if you could have a check, indeed! I'd like to know
> why the patch only "fixes" the issue for -O0 and -O1.
>
> I briefly asked myself whether it could be a good idea to upload the
> package with a lower optimization level, but actually I think it would
> be a very bad solution.
>
> If the problem still affects potrace with higher optimization levels, then
> it means probably that something is still going wrong.
>
> Cheers,
> Hugo
>
> [0] https://sources.debian.net/src/potrace/1.13-3/debian/patches/cve-2016-8685.patch/
>
> --
> Hugo Lefeuvre (hle) | www.owl.eu.com
> 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E