embedded copy of libpotrace is vulnerable to CVE-2013-7437

Bug #1438366 reported by Tyler Hicks on 2015-03-30
This bug affects 1 person

Affects     Status    Importance    Assigned to    Milestone
Inkscape              Medium        jazzynico

Bug Description

It looks to me like Inkscape's embedded copy of libpotrace is vulnerable to CVE-2013-7437. Upstream potrace has released version 1.12 to address the vulnerability.

See the following links for some information on the vulnerability:

https://bugzilla.redhat.com/show_bug.cgi?id=955808
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778646

Tyler Hicks (tyhicks) wrote :

I'm changing the report to 'Public Security' since the vulnerability and Inkscape's use of an embedded copy of libpotrace are public and common knowledge.

information type: Private Security → Public Security
jazzynico (jazzynico) on 2015-03-31
tags: added: code-design
Changed in inkscape:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 0.92
jazzynico (jazzynico) on 2015-03-31
Changed in inkscape:
assignee: nobody → jazzynico (jazzynico)
status: Triaged → In Progress
jazzynico (jazzynico) wrote :

Fixed in the trunk, rev. 14037.
Thanks for the report, Tyler!

Changed in inkscape:
status: In Progress → Fix Committed
tags: added: backport-proposed
jazzynico (jazzynico) wrote :

Should not be too difficult to backport to 0.91.x.

jazzynico (jazzynico) wrote :

Backported to the 0.91.x branch, rev. 13745.

Changed in inkscape:
milestone: 0.92 → 0.91.1
tags: removed: backport-proposed
jazzynico (jazzynico) on 2017-01-22
Changed in inkscape:
milestone: 0.91.1 → 0.92
status: Fix Committed → Fix Released