
CVE-2013-7437

Published: 29 March 2015

Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.
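The bug class described above, as an added example that is not potrace's code or the upstream fix: a parser for the BMP file header and BITMAPINFOHEADER that sizes a 1-bit-per-pixel packed bitmap buffer the way the vulnerable pattern does (32-bit arithmetic on attacker-supplied width and height, no range check) beside a checked version that widens to 64 bits and enforces an allocation cap. The 1 GiB cap, the function names and the constructed 54-byte header are assumptions for this example, not details of potrace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy cap on one bitmap allocation (assumption for this example). */
#define MAX_BITMAP_BYTES ((uint64_t)1 << 30)

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Vulnerable pattern: 1 bpp rows packed into 32-bit words, total size computed in
 * 32-bit arithmetic with no range check. uint32_t is used so the wrap is well defined
 * in this demo; the same product in int would be undefined behaviour. */
uint32_t unsafe_bitmap_bytes(int32_t w, int32_t h) {
    uint32_t words_per_row = ((uint32_t)w + 31) / 32;
    return words_per_row * (uint32_t)h * 4u;
}

/* Hardened sizing: validate sign, widen to 64 bits so no intermediate can wrap
 * (words_per_row < 2^27 and |h| < 2^31, so the product is below 2^60), then enforce
 * the policy cap before the value reaches malloc. Returns 0 on rejection. */
uint64_t safe_bitmap_bytes(int32_t w, int32_t h) {
    if (w <= 0 || h == 0 || h == INT32_MIN) return 0;   /* negative h = top-down BMP, still valid */
    uint64_t uw = (uint64_t)w;
    uint64_t uh = (uint64_t)(h < 0 ? -(int64_t)h : (int64_t)h);
    uint64_t bytes = ((uw + 31) / 32) * uh * 4;
    if (bytes > MAX_BITMAP_BYTES) return 0;
    return bytes;
}

/* Parse the 14-byte file header plus the 40-byte BITMAPINFOHEADER and return the
 * checked allocation size for a 1 bpp packed bitmap, or 0 if the file is rejected. */
uint64_t bmp_checked_size(const unsigned char *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;
    if (rd_le32(buf + 14) < 40) return 0;                /* info header must be at least v3 size */
    int32_t w = (int32_t)rd_le32(buf + 18);              /* biWidth, signed 32-bit */
    int32_t h = (int32_t)rd_le32(buf + 22);              /* biHeight, signed 32-bit */
    return safe_bitmap_bytes(w, h);
}

/* Constructed test input: a 54-byte header advertising the given dimensions at 1 bpp. */
void make_bmp_header(unsigned char hdr[54], int32_t w, int32_t h) {
    memset(hdr, 0, 54);
    hdr[0] = 'B'; hdr[1] = 'M';
    wr_le32(hdr + 2, 54);            /* file size field (not trusted by the parser) */
    wr_le32(hdr + 10, 54 + 8);       /* pixel data offset, after a 2-entry palette */
    wr_le32(hdr + 14, 40);           /* BITMAPINFOHEADER size */
    wr_le32(hdr + 18, (uint32_t)w);
    wr_le32(hdr + 22, (uint32_t)h);
    hdr[26] = 1;                     /* planes */
    hdr[28] = 1;                     /* bits per pixel */
}

/* Build a header for (w, h) and run it through the checked parser. */
uint64_t checked_size_for_dims(int32_t w, int32_t h) {
    unsigned char hdr[54];
    make_bmp_header(hdr, w, h);
    return bmp_checked_size(hdr, sizeof hdr);
}

int main(void) {
    /* 2^20 x (2^18 + 1) pixels: the 32-bit product wraps to a small number. */
    printf("unsafe size for 1048576x262145: %u bytes\n", unsafe_bitmap_bytes(1048576, 262145));
    printf("checked size for 1048576x262145: %llu (0 = rejected)\n",
           (unsigned long long)checked_size_for_dims(1048576, 262145));
    printf("checked size for 640x480: %llu bytes\n",
           (unsigned long long)checked_size_for_dims(640, 480));
    return 0;
}
```

With the constructed dimensions the unchecked computation reports 131072 bytes for a bitmap that really needs about 32 GiB, so a loader that then writes the image row by row into that 128 KiB allocation runs off its end, which is the crash the advisory describes. The checked version agrees with the naive one on sane input (640x480 gives 38400 bytes either way) and returns 0 for the oversized header, so the caller never allocates.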

Priority

Low

Status

Package    Release                          Status
inkscape (Launchpad, Ubuntu, Debian)
           Upstream                         Needed
           Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (uses system potrace)
           Ubuntu 16.04 ESM (Xenial Xerus)  Not vulnerable (no attack vector)
           Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist (trusty was not-affected [no attack vector])
potrace (Launchpad, Ubuntu, Debian)
           Upstream                         Released (1.12)
           Ubuntu 18.04 LTS (Bionic Beaver) Released (1.12-1)
           Ubuntu 16.04 ESM (Xenial Xerus)  Released (1.12-1)
           Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist (trusty was needed)
Patches:
Upstream: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778646#42 (from upstream maintainer)

Notes

Author   Note
tyhicks  inkscape in xenial and earlier embeds libpotrace (LP: #1156664)
         I don't see a public development tree for potrace but comment #42 of
         the Debian bug contains a broken out patch from the upstream potrace
         maintainer
mdeslaur potrace in inkscape works on bitmaps already loaded, not
         arbitrary images. Marking as not-affected for inkscape.
