potrace

2017-05-08 Thread Brian May
This is the potrace 0.14 diff, which supposedly resolves CVE-2016-8685 and CVE-2016-8686 (which was previously described as not a bug in #843861). Unfortunately, it is somewhat large... https://github.com/skyrpex/potrace/commit/b3fce824046abcc0465deb5596d4556b132c77aa -- Brian May https

Re: potrace

2017-05-08 Thread Hugo Lefeuvre
> This is the potrace 0.14 diff, which supposedly resolves CVE-2016-8685 > and CVE-2016-8686 (which was previously described as not a bug in > #843861). > > Unfortunately, it is somewhat large... > > https://github.com/skyrpex/potrace/commit/b3fce824046abcc0465deb5596d45

Re: potrace

2017-05-09 Thread Brian May
Hugo Lefeuvre writes: >> This is the potrace 0.14 diff, which supposedly resolves CVE-2016-8685 >> and CVE-2016-8686 (which was previously described as not a bug in >> #843861). >> >> Unfortunately, it is somewhat large... >> >>

Re: potrace

2017-05-09 Thread Hugo Lefeuvre
Hi Brian, > It looks like the bm_new() function, referenced by CVE-2016-8686 has > been refactored. In particular the size calculation has been moved to a > getsize function. > > Unfortunately the description of CVE-2016-8686 is vague - "A crafted > image, through a fuzz testing, causes the memor

Re: potrace

2017-05-09 Thread Brian May
Hugo Lefeuvre writes: > I think this is a crafted file. > > By the way, where did you find the reproducer ? I can't find it > anywhere. It was sent on the oss-security list as an attachment, but the HTML archive strips attachments. http://www.openwall.com/lists/oss-security/2016/10/10/1 So I h

Re: potrace

2017-05-10 Thread Hugo Lefeuvre
Hi Brian, > > I think this is a crafted file. $ hexdump potrace_testcase 000 4d42 00e2 0001 006c 010 0029 0001 4000 0001 0020 0003 020 1703 00ff ff00 80ff f200 030 ff00 0005 7900 0001 040 fff2 1200 000b 1200

Re: potrace

2017-05-11 Thread Brian May
Hugo Lefeuvre writes: > Would it help to add a check after the malloc call, that would make sure > that malloc-ed memory is really available ? > > Something like: > > bm->map = (potrace_word *) malloc(size); > if (!bm->map || malloc_usable_size(bm->map) != size) { > free(bm); > return NUL

Re: potrace

2017-05-11 Thread Brian May
Hugo Lefeuvre writes: > Whether CVE-2016-8686 is really exploitable in practice or not is another > question. I note this issue was marked no-dsa for wheezy. -- Brian May

Wheezy update of potrace?

2016-10-17 Thread Chris Lamb
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of potrace: https://security-tracker.debian.org/tracker/source-package/potrace Would you like to take care of this yourself? If yes, please follow the workflow we

Wheezy update of potrace?

2016-11-10 Thread Chris Lamb
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of potrace: https://security-tracker.debian.org/tracker/source-package/potrace Would you like to take care of this yourself? If yes, please follow the workflow we

CVE-2016-8685 in potrace

2017-03-30 Thread Hugo Lefeuvre
Hi, potrace is affected by CVE-2016-8685 causing invalid memory access and crash via crafted BMP images. This issue has already been fixed since January in Stretch, and I wanted to backport the patch for wheezy, but it turned out to be harder than expected. In fact the patch applies well, but it

Re: CVE-2016-8685 in potrace

2017-04-01 Thread Ola Lundqvist
Hi Hugo I do not have any objection on marking it as no-dsa, especially since it is that already for jessie. However I thought I should have a check but I can not find a patch. The patch mentioned here, gives a 404. https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in

Re: CVE-2016-8685 in potrace

2017-04-02 Thread Hugo Lefeuvre
Hi Ola, > I do not have any objection on marking it as no-dsa, especially since it is > that already for jessie. > > However I thought I should have a check but I can not find a patch. The > patch mentioned here, gives a 404. > https://blogs.gentoo.org/ago/2016/08/29/potr

Re: CVE-2016-8685 in potrace

2017-04-02 Thread Ola Lundqvist
ion on marking it as no-dsa, especially since it > is > > that already for jessie. > > > > However I thought I should have a check but I can not find a patch. The > > patch mentioned here, gives a 404. > > https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid- > memor

Re: CVE-2016-8685 in potrace

2017-04-02 Thread Ola Lundqvist
ve a check but I can not find a patch. The >> patch mentioned here, gives a 404. >> https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in-findnext-decompose-c/ >> >> Q1: What is the patch you have used? >> >> Q2: Is the problem still there for Stretch

Re: CVE-2016-8685 in potrace

2017-04-03 Thread Hugo Lefeuvre
ound, exit with x=%d\n", x); fclose(fl); return 1; } (probably lots of useless fflush-es, but that doesn't matter) 1) When //fprintf(fl, "x=%d\n", x); is commented, potrace crashes and the log file only contains "Starting test". 2) If we uncomment it, potrace does no

Re: CVE-2016-8685 in potrace

2017-04-03 Thread Ola Lundqvist
; fflush(fl); > x++; > } > /* found */ > *xp = x; > *yp = y; > fclose(fl); > return 0; > } > } > x0 = 0; > } > /* not found */ > fprintf(fl, "Nothing found, exit with x=%d

Re: CVE-2016-8685 in potrace

2017-04-03 Thread Ben Hutchings
On Sun, 2017-04-02 at 22:43 +0200, Ola Lundqvist wrote: > Hi Hugo > > I have looked at the correction in combination with the new and old > source code. > > The short summary is that this could very well be optimized away by > the optimizer, at least if it is a buggy optimizer. [...] > So if you

Re: CVE-2016-8685 in potrace

2017-04-04 Thread Hugo Lefeuvre
Hi Ben, Ola, > This seems to be a correct optimisation. Overflow/underflow on signed > arithmetic has undefined behaviour, therefore standard C code will not > allow it to happen and the compiler may rely on that. If the code does > actually cause an overflow, literally anything can result. > >

Re: CVE-2016-8685 in potrace

2017-04-04 Thread Ola Lundqvist
Hi I do not have a strong preference for wheezy. Long term I agree with you. / Ola Sent from a phone On 4 Apr 2017 11:33 "Hugo Lefeuvre" wrote: > Hi Ben, Ola, > > > This seems to be a correct optimisation. Overflow/underflow on signed > > arithmetic has undefined behaviour, therefore standa

Re: CVE-2016-8685 in potrace

2017-04-04 Thread Ben Hutchings
On Tue, 2017-04-04 at 11:32 +0200, Hugo Lefeuvre wrote: > Hi Ben, Ola, > > > This seems to be a correct optimisation.  Overflow/underflow on signed > > arithmetic has undefined behaviour, therefore standard C code will not > > allow it to happen and the compiler may rely on that.  If the code does

Re: CVE-2016-8685 in potrace

2017-04-04 Thread Ola Lundqvist
Hi Ben You definitely have a good point there. :-) // Ola On 4 April 2017 at 15:23, Ben Hutchings wrote: > On Tue, 2017-04-04 at 11:32 +0200, Hugo Lefeuvre wrote: >> Hi Ben, Ola, >> >> > This seems to be a correct optimisation. Overflow/underflow on signed >> > arithmetic has undefined behavio

Re: CVE-2016-8685 in potrace

2017-04-05 Thread Hugo Lefeuvre
Hi Ben, > > You're right ! Compiling with -fwrapv fixes the problem. > > > > Alternatively we could use the attached patch that also seems to fix the > > problem. > > Do you really think this is the only place the code relies on wrapping > behaviour? Hum, yes I didn't think of that... Then we c

Re: CVE-2016-8685 in potrace

2017-04-08 Thread Hugo Lefeuvre
Hi, I have prepared the potrace update fixing CVE-2016-8685 and would like to upload it. However, I had to modify debian/rules slightly more than expected because in its current state, the CFLAGS variable defined by debian/rules isn't passed properly to the configure script. Actually CFLA

Re: CVE-2016-8685 in potrace

2017-04-09 Thread Ola Lundqvist
Hi Hugo Looks good to me. The mistake regarding CFILES is quite understandable considering that it just had very common things in it. Very easy to miss that. Best regards // Ola On 9 April 2017 at 01:33, Hugo Lefeuvre wrote: > Hi, > > I have prepared the potrace update fixing CVE-

Re: [SECURITY] [DLA 889-1] potrace security update

2017-04-16 Thread Charles Leclerc
Hhjhjjhkghtefgfhhh On 9 Apr 2017 4:09 PM, "Hugo Lefeuvre" wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Package: potrace > Version: 1.10-1+deb7u2 > CVE ID : CVE-2016-8685 > Debian Bug : 843861 > > It was d