Hi Salvatore,

Sure, feel free to do that, but I doubt it's going to be fixed.
Upstream doesn't think it's a bug... and actually I agree with him on this.

potrace will try to handle whatever size the input file is... if it's bigger than available memory then it will fail.
But what exactly should it do in such a case?

If the main concern from a security perspective is the possibility of eating the whole memory, then well... the admin/user can limit its usage using ulimit or something like that.

regards
fEnIo
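
As an added illustration of the mitigation suggested in the reply above (not code from the thread, from Debian or from potrace): a small POSIX shell wrapper that runs a command under a per-process address-space cap via `ulimit -v`, so an oversized input makes the process fail with an allocation error instead of exhausting the host. Paths and the `trace_capped` helper are hypothetical, and the self-test uses `dd` allocating a large buffer as a constructed stand-in, so potrace itself need not be installed.

```shell
#!/bin/sh
# Run a command in a subshell whose virtual address space is capped
# (ulimit -v takes KiB). Only the child is affected; the caller's limits
# stay untouched. Returns the command's exit status, which is non-zero
# when the cap made an allocation fail.
run_capped() {
    cap_kib=$1
    shift
    ( ulimit -v "$cap_kib" && exec "$@" )
}

# Convenience wrapper for the case discussed in the thread: trace a bitmap
# with potrace under a memory cap. Hypothetical helper and paths; potrace
# is not needed for the self-test below.
trace_capped() {
    cap_kib=$1; in_file=$2; out_file=$3
    run_capped "$cap_kib" potrace -s -o "$out_file" "$in_file"
}

# Self-test without potrace: dd allocating a 512 MiB buffer is a constructed
# stand-in for "an input larger than available memory". Under a 128 MiB cap
# the allocation fails and dd exits non-zero, so the function prints
# "capped"; with the cap removed it would print "uncapped".
demo_cap() {
    if run_capped 131072 dd if=/dev/zero of=/dev/null bs=512M count=1 2>/dev/null; then
        echo uncapped
    else
        echo capped
    fi
}
```

The same cap can be applied system-wide for a service user via `/etc/security/limits.conf` or a systemd `LimitAS=` setting rather than per invocation.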

On 2017-01-08 10:55, Salvatore Bonaccorso wrote:
Hi Bartosz,

On Sun, Jan 08, 2017 at 09:51:04AM +0000, Debian Bug Tracking System wrote:
This is an automatic notification regarding your Bug report
which was filed against the potrace package:

#843861: potrace: CVE-2016-8685 CVE-2016-8686

It has been closed by Bartosz Fenski <fe...@debian.org>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Bartosz Fenski <fe...@debian.org> by
replying to this email.


--
843861: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843861
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Date: Sun, 08 Jan 2017 09:48:26 +0000
From: Bartosz Fenski <fe...@debian.org>
To: 843861-cl...@bugs.debian.org
Subject: Bug#843861: fixed in potrace 1.13-3
Message-Id: <e1cqa5s-000844...@fasolo.debian.org>

Source: potrace
Source-Version: 1.13-3

We believe that the bug you reported is fixed in the latest version of
potrace, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 843...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bartosz Fenski <fe...@debian.org> (supplier of updated potrace package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 8 Jan 2017 10:24:54 +0100
Source: potrace
Binary: potrace libpotrace0 libpotrace-dev
Architecture: source amd64
Version: 1.13-3
Distribution: unstable
Urgency: high
Maintainer: Bartosz Fenski <fe...@debian.org>
Changed-By: Bartosz Fenski <fe...@debian.org>
Description:
 libpotrace-dev - development files for potrace library
 libpotrace0 - library for tracing bitmaps
 potrace    - utility to transform bitmaps into vector graphics
Closes: 843861
Changes:
 potrace (1.13-3) unstable; urgency=high
 .
   * Fixes CVE-2016-8685 (Closes: #843861)

Thanks for fixing CVE-2016-8685. Note that #843861 was about two CVEs,
so I guess I will clone #843861 for CVE-2016-8686 and adjust the
subjects.

Regards,
Salvatore
