Please sync potrace 1.12-1 from Debian Unstable (main)

Bug #1443467 reported by Alex Valavanis
Affects          | Status       | Importance | Assigned to | Milestone
potrace (Debian) | Fix Released | Unknown    |             |
potrace (Fedora) | Invalid      | Low        |             |
potrace (Ubuntu) | Fix Released | High       | Unassigned  |

Bug Description

This is required to fix a heap overflow issue (fixed upstream in potrace 1.12).

Please see https://bugzilla.redhat.com/show_bug.cgi?id=955808

CVE-2013-7437: http://security-tracker.debian.org/tracker/CVE-2013-7437

Vincent (vincent-redhat-bugs) wrote:

Murray McAllister of the Red Hat Security Response Team reported the following potential vulnerability in potrace:

There is a possible issue in potrace-1.11-1.fc18.x86_64. The attached bmp file (1.bmp) triggers it. I suspect less memory is allocated than expected in bm_new() due to integer overflow. I have not investigated it closely or the rest of the application yet.

$ potrace 1.bmp
*** glibc detected *** potrace: free(): invalid next size (fast): 0x0000000001263580 ***
======= Backtrace: =========
/usr/lib64/libc.so.6[0x3c6de7ca8e]
/usr/lib64/libpotrace.so.0[0x354ae0612f]
/usr/lib64/libpotrace.so.0(potrace_trace+0x106)[0x354ae06356]
potrace[0x40361b]
potrace[0x402c9f]
/usr/lib64/libc.so.6(__libc_start_main+0xf5)[0x3c6de21a05]
potrace[0x40303d]

..

==2042== Memcheck, a memory error detector
==2042== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==2042== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==2042== Command: potrace 1.bmp
==2042==
==2042== Invalid read of size 8
==2042== at 0x405F2D: bm_read (bitmap_io.c:615)
==2042== by 0x4035A0: process_file.isra.3 (main.c:1056)
==2042== by 0x402C9E: main (main.c:1212)
==2042== Address 0x4c14680 is 0 bytes after a block of size 0 alloc'd
==2042== at 0x4A0887C: malloc (vg_replace_malloc.c:270)
==2042== by 0x405069: bm_read (bitmap.h:66)
==2042== by 0x4035A0: process_file.isra.3 (main.c:1056)
==2042== by 0x402C9E: main (main.c:1212)
==2042==
==2042== Invalid write of size 8
==2042== at 0x405F31: bm_read (bitmap_io.c:615)
==2042== by 0x4035A0: process_file.isra.3 (main.c:1056)
==2042== by 0x402C9E: main (main.c:1212)
==2042== Address 0x4c14680 is 0 bytes after a block of size 0 alloc'd
==2042== at 0x4A0887C: malloc (vg_replace_malloc.c:270)
==2042== by 0x405069: bm_read (bitmap.h:66)
==2042== by 0x4035A0: process_file.isra.3 (main.c:1056)
==2042== by 0x402C9E: main (main.c:1212)
==2042==
==2042== Invalid read of size 8
==2042== at 0x405585: bm_read (bitmap_io.c:615)
==2042== by 0x4035A0: process_file.isra.3 (main.c:1056)
==2042== by 0x402C9E: main (main.c:1212)
==2042== Address 0x4c14688 is 8 bytes after a block of size 0 alloc'd
==2042== at 0x4A0887C: malloc (vg_replace_malloc.c:270)
==2042== by 0x405069: bm_read (bitmap.h:66)
==2042== by 0x4035A0: process_file.isra.3 (main.c:1056)
==2042== by 0x402C9E: main (main.c:1212)
==2042==
==2042== Invalid write of size 8
==2042== at 0x405589: bm_read (bitmap_io.c:615)
==2042== by 0x4035A0: process_file.isra.3 (main.c:1056)
==2042== by 0x402C9E: main (main.c:1212)
==2042== Address 0x4c14688 is 8 bytes after a block of size 0 alloc'd
==2042== at 0x4A0887C: malloc (vg_replace_malloc.c:270)
==2042== by 0x405069: bm_read (bitmap.h:66)
==2042== by 0x4035A0: process_file.isra.3 (main.c:1056)
==2042== by 0x402C9E: main (main.c:1212)
==2042==
potrace: warning: 1.bmp: premature end of file

valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any
invalid writes reported by ...

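As an added illustration of the bug class Murray McAllister describes above (an allocation size derived from image dimensions that wraps, so the reader later writes past the block), not potrace's own bm_new() code: the wrapping computation next to a checked one that refuses dimensions whose byte count would overflow. The word-size constants, the bitmap_t layout and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>

#define BM_WORDBITS 64   /* pixels packed per machine word (assumed layout) */
#define BM_WORDSIZE 8    /* bytes per word */

typedef struct {
    int w, h;            /* pixel width and height from the image header */
    size_t dy;           /* words per row */
    uint64_t *map;       /* dy * h words of pixel data */
} bitmap_t;

static size_t bm_words_per_row(size_t w) {
    return w / BM_WORDBITS + (w % BM_WORDBITS != 0);
}

/* The bug class from the report: the byte count is formed in 32-bit
 * arithmetic, so large dimensions wrap and far less memory is allocated
 * than the reader later writes into. Shown only to make the wrap visible. */
uint32_t bm_bytes_wrapping(int w, int h) {
    uint32_t dy = ((uint32_t)w + BM_WORDBITS - 1) / BM_WORDBITS;
    return dy * (uint32_t)h * BM_WORDSIZE;   /* wraps modulo 2^32 */
}

/* Hardened: reject negative dimensions and any product that would exceed
 * SIZE_MAX. Returns 1 and stores the byte count on success, 0 otherwise. */
int bm_bytes_checked(int w, int h, size_t *bytes) {
    if (w < 0 || h < 0) return 0;
    size_t dy = bm_words_per_row((size_t)w), rows;
    if (h != 0 && dy > SIZE_MAX / (size_t)h) return 0;   /* dy * h overflows */
    rows = dy * (size_t)h;
    if (rows > SIZE_MAX / BM_WORDSIZE) return 0;          /* rows * 8 overflows */
    *bytes = rows * BM_WORDSIZE;
    return 1;
}
/* Allocate a zeroed bitmap; NULL if the size is invalid or calloc fails,
 * so callers reject the file instead of reading into unallocated memory. */
bitmap_t *bm_new_checked(int w, int h) {
    size_t bytes;
    if (!bm_bytes_checked(w, h, &bytes)) return NULL;
    bitmap_t *bm = malloc(sizeof *bm);
    if (!bm) return NULL;
    bm->w = w; bm->h = h; bm->dy = bm_words_per_row((size_t)w);
    bm->map = bytes ? calloc(1, bytes) : NULL;   /* 0x0 image has no pixels */
    if (bytes && !bm->map) { free(bm); return NULL; }
    return bm;
}

void bm_free(bitmap_t *bm) { if (bm) { free(bm->map); free(bm); } }
```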

Vincent (vincent-redhat-bugs) wrote:

Created attachment 739156
reproducer

A reproducer that illustrates the issue.

Stefan (stefan-redhat-bugs) wrote:

Created attachment 753803
reproducer 2.bmp

Stefan (stefan-redhat-bugs) wrote:

Created attachment 753804
reproducer 3.bmp

Marcus (marcus-redhat-bugs) wrote:

CVE-2013-7437

Changed in potrace (Debian):
status: Unknown → Fix Released
information type: Public → Public Security
Daniel Holbach (dholbach) wrote:

I requested a sync, but it's in the release team review queue now: https://launchpad.net/ubuntu/vivid/+queue?queue_state=1&queue_text=potrace

Please set the bug status to 'fix released' once it lands manually.

Tyler Hicks (tyhicks) wrote:

potrace 1.12-1 has been released in Vivid. Thanks!

Changed in potrace (Ubuntu):
status: Triaged → Fix Released
Changed in potrace (Fedora):
importance: Unknown → Low
status: Unknown → Invalid