CVE-2016-8686

Published: 31 January 2017

The bm_new function in bitmap.h in potrace 1.13 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure.

Priority: Low

CVSS 3 base score: 7.8

Status

Package: inkscape (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (uses system potrace)
  Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (uses system potrace)
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (uses system potrace)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (uses system potrace)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (no attack vector)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [no attack vector])

Package: potrace (Launchpad, Ubuntu, Debian)
  Upstream: Released (1.14)
  Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (1.14-2)
  Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (1.14-2)
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (1.14-2)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1.14-2)
  Ubuntu 16.04 ESM (Xenial Xerus): Needed
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)

Notes

tyhicks: inkscape in xenial and earlier embeds libpotrace (LP: #1156664)

mdeslaur: potrace in inkscape works on bitmaps already loaded, not arbitrary images. Marking as not-affected for inkscape.

References