
CVE-2016-8696

Published: 31 January 2017

The bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted BMP image, a different vulnerability than CVE-2016-8694 and CVE-2016-8695.
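The description above says only that a crafted BMP reaches a NULL pointer dereference in bm_readbody_bmp; it does not say which field or allocation goes unchecked, and this page does not reproduce potrace's bitmap_io.c. The C block below is an added example, not potrace's or Ubuntu's code: a minimal BMP header reader that validates the BITMAPFILEHEADER/BITMAPINFOHEADER fields (magic, planes, bit depth, dimensions, pixel offset, available pixel bytes) and checks the allocation result before any pixel data is dereferenced, which is the class of check a crash of this kind implies is missing. The function and type names (bmp_read, bmp_image, make_bmp, the demo_* functions) and the constructed in-memory samples are assumptions for the illustration; the header field offsets are the standard BMP layout.

```c
/*
 * Added example, not potrace's code: a minimal BMP reader that validates the
 * BITMAPFILEHEADER/BITMAPINFOHEADER fields and the allocation result before
 * touching pixel data. Uncompressed 1/4/8/24-bpp only; the palette is skipped.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BMP_FILE_HDR 14
#define BMP_INFO_HDR 40
#define BMP_MAX_DIM  (1u << 16)   /* sanity cap on width and height */

struct bmp_image {
    uint32_t w, h, stride;   /* stride: bytes per row, 4-byte aligned */
    uint16_t bpp;
    uint8_t *pixels;         /* stride * h bytes, caller frees */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 0 on success, a distinct negative code for each rejected condition. */
int bmp_read(const uint8_t *buf, size_t len, struct bmp_image *out)
{
    if (len < BMP_FILE_HDR + BMP_INFO_HDR) return -1;   /* headers truncated */
    if (buf[0] != 'B' || buf[1] != 'M') return -2;      /* bad magic */
    uint32_t pixoff = rd32(buf + 10);
    uint32_t hdrsz  = rd32(buf + 14);
    int32_t  w      = (int32_t)rd32(buf + 18);
    int32_t  h      = (int32_t)rd32(buf + 22);          /* negative height = top-down rows */
    uint16_t bpp    = rd16(buf + 28);
    if (hdrsz < BMP_INFO_HDR || rd16(buf + 26) != 1) return -3;
    if (rd32(buf + 30) != 0) return -4;                 /* compressed data unsupported here */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24) return -5;
    if (w <= 0 || h == 0) return -6;                    /* zero-sized image */
    uint32_t uh = (h < 0) ? (uint32_t)(-(int64_t)h) : (uint32_t)h;
    if ((uint32_t)w > BMP_MAX_DIM || uh > BMP_MAX_DIM) return -7;
    /* 64-bit arithmetic so a huge w*bpp cannot wrap into a small allocation */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t need   = stride * uh;
    if ((uint64_t)pixoff < (uint64_t)BMP_FILE_HDR + hdrsz || pixoff > len) return -8;  /* offset outside file */
    if (need > len - pixoff) return -9;                 /* pixel data truncated */
    uint8_t *px = malloc((size_t)need);
    if (px == NULL) return -10;                         /* never dereference an unchecked allocation */
    memcpy(px, buf + pixoff, (size_t)need);
    out->w = (uint32_t)w; out->h = uh; out->bpp = bpp;
    out->stride = (uint32_t)stride; out->pixels = px;
    return 0;
}

/* Constructed sample (not a real file): headers for a w x h image followed by pixbytes of zeroed pixel data. */
static size_t make_bmp(uint8_t *buf, size_t cap, int32_t w, int32_t h, uint16_t bpp, size_t pixbytes)
{
    size_t total = BMP_FILE_HDR + BMP_INFO_HDR + pixbytes;
    if (total > cap) return 0;
    memset(buf, 0, total);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)total);
    wr32(buf + 10, BMP_FILE_HDR + BMP_INFO_HDR);  /* pixel data directly after the headers */
    wr32(buf + 14, BMP_INFO_HDR);
    wr32(buf + 18, (uint32_t)w);
    wr32(buf + 22, (uint32_t)h);
    wr16(buf + 26, 1);
    wr16(buf + 28, bpp);
    return total;
}

/* Each demo returns bmp_read's result for one constructed input. */
int demo_valid(void)        /* 2x2 24-bpp: stride 8, 16 pixel bytes, accepted */
{
    uint8_t buf[128]; struct bmp_image img;
    size_t n = make_bmp(buf, sizeof buf, 2, 2, 24, 16);
    int rc = bmp_read(buf, n, &img);
    if (rc == 0) { rc = (img.stride == 8 && img.h == 2) ? 0 : 99; free(img.pixels); }
    return rc;
}
int demo_zero_width(void)   /* width field 0: rejected before any allocation */
{
    uint8_t buf[128]; struct bmp_image img;
    size_t n = make_bmp(buf, sizeof buf, 0, 2, 24, 16);
    return bmp_read(buf, n, &img);
}
int demo_truncated(void)    /* claims 1000x1000 but carries only 16 pixel bytes */
{
    uint8_t buf[128]; struct bmp_image img;
    size_t n = make_bmp(buf, sizeof buf, 1000, 1000, 24, 16);
    return bmp_read(buf, n, &img);
}
int demo_bad_offset(void)   /* pixel offset pointing past the end of the buffer */
{
    uint8_t buf[128]; struct bmp_image img;
    size_t n = make_bmp(buf, sizeof buf, 2, 2, 24, 16);
    wr32(buf + 10, 0x10000);
    return bmp_read(buf, n, &img);
}
```

Each rejected condition gets its own return code so a fuzzing harness can tell which check fired. The demo_* functions push a well-formed 2x2 24-bpp image and three malformed headers (zero width, oversized dimensions with truncated pixel data, pixel offset beyond the buffer) through the reader; all three malformed inputs are refused before the reader touches pixel memory, which is the behaviour a fixed potrace 1.13 or later should show for the crafted file the advisory describes.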

Priority

Low

CVSS 3 base score: 5.5

Status

Package: inkscape (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (uses system potrace)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (no attack vector)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [no attack vector])

Package: potrace (Launchpad, Ubuntu, Debian)
  Upstream: Released (1.13)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1.14-2)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (1.13-2)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)

Notes

Author: Note
tyhicks: inkscape in xenial and earlier embeds libpotrace (LP: #1156664)
mdeslaur: potrace in inkscape works on bitmaps already loaded, not arbitrary images. Marking as not-affected for inkscape.
