CVE-2017-7263

Priority
Low
Description
The bm_readbody_bmp function in bitmap_io.c in Potrace 1.14 allows remote
attackers to cause a denial of service (heap-based buffer over-read and
application crash) or possibly have unspecified other impact via a crafted
BMP image. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2016-8698.
References
Bugs
Notes
 tyhicks> inkscape in xenial and earlier embeds libpotrace (LP: #1156664)
 mdeslaur> potrace in inkscape works on bitmaps already loaded, not
 mdeslaur> arbitrary images. Marking as not-affected for inkscape.
Package
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): needed
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needs-triage)
Ubuntu 14.04 LTS (Trusty Tahr): needed
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 17.04 (Zesty Zapus): needed
Package
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): not-affected (uses system potrace)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needs-triage)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (no attack vector)
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (no attack vector)
Ubuntu 17.04 (Zesty Zapus): not-affected (uses system potrace)
More Information

Updated: 2017-08-17 13:14:15 UTC (commit 13118)