Hi Ola,

> I do not have any objection on marking it as no-dsa, especially since it is
> that already for jessie.
>
> However I thought I should have a check but I can not find a patch. The
> patch mentioned here, gives a 404.
> https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in-findnext-decompose-c/
>
> Q1: What is the patch you have used?
>
> Q2: Is the problem still there for Stretch as well?
No, the issue has already been fixed in Stretch, and the patch got integrated in 1.14. You can still find it here[0].

It would be helpful if you could have a check, indeed! I'd like to know why the patch only "fixes" the issue for -O0 and -O1.

I briefly asked myself whether it could be a good idea to upload the package with a lower optimization level, but actually I think it would be a very bad solution. If the problem still affects potrace with higher optimization levels, then it probably means that something is still going wrong.

Cheers,
Hugo

[0] https://sources.debian.net/src/potrace/1.13-3/debian/patches/cve-2016-8685.patch/

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E