Bugzilla – Bug 924904
VUL-0: CVE-2013-7437: potrace: possible heap overflow
Last modified: 2015-11-04 16:16:53 UTC
rh#955808 Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=955808
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7437
http://www.openwall.com/lists/oss-security/2015/02/06/12
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778646
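The bug class described above, as an added illustration that is not part of this bug report or of potrace's own code: an image reader that sizes its pixel buffer from header dimensions with unchecked integer arithmetic can end up with a buffer far smaller than the data written into it. The checked version below bounds the dimensions and detects multiplication overflow before allocating; MAX_DIM and the 1-bit-per-pixel BMP row layout are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Assumed sanity limit on accepted dimensions (not a potrace value). */
#define MAX_DIM 32767

/* The weak pattern: 32-bit width*height wraps silently for large headers,
   e.g. 65536 x 65536 -> 0 bytes, so a later write into the buffer overflows. */
uint32_t bitmap_size_unchecked(uint32_t w, uint32_t h) {
    return (w * h) / 8;
}

/* Multiply a*b into *out; return 0 if the product does not fit in size_t. */
static int mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Byte size of a 1-bpp bitmap of w x h pixels with rows padded to 4-byte
   boundaries (BMP convention). Returns 0 for invalid or oversize dimensions. */
size_t bitmap_size_checked(int32_t w, int32_t h) {
    size_t stride, total;
    if (w <= 0 || h <= 0 || w > MAX_DIM || h > MAX_DIM) return 0;
    /* bits per row rounded up to a multiple of 32, expressed in bytes */
    stride = (((size_t)w + 31) / 32) * 4;
    if (!mul_size(stride, (size_t)h, &total)) return 0;
    return total;
}

/* Allocate the pixel buffer only when the size check passes. */
unsigned char *alloc_bitmap(int32_t w, int32_t h) {
    size_t n = bitmap_size_checked(w, h);
    if (n == 0) return NULL;
    return calloc(n, 1);
}
```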
bugbot adjusting priority
Upgrading for Factory and applying the patch in the Debian bug for released products. I just verified that it is equal to the fix, which is part of potrace-1.12.
Created maintenance request https://build.opensuse.org/request/show/294254 for openSUSE.
Did a version upgrade for Factory: https://build.opensuse.org/request/show/294238
Package does not exist in SLE.
(In reply to Stanislav Brabec from comment #3)
> Created maintenance request https://build.opensuse.org/request/show/294254
> for openSUSE.

Thanks, handling the request and setting assignee back to security team. Upstream does not seem to have a source code repository anywhere?
I am not aware of any upstream repository. But the attached patch represents all code changes in the latest version (not counting generated files and copyright+version comments).
releasing
openSUSE-SU-2015:0685-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 924904
CVE References: CVE-2013-7437
Sources used:
openSUSE 13.2 (src): potrace-1.11-4.4.1
openSUSE 13.1 (src): potrace-1.11-2.4.1
openSUSE-SU-2015:1909-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 924904
CVE References: CVE-2013-7437
Sources used:
openSUSE Leap 42.1 (src): potrace-1.13-5.1
openSUSE 13.2 (src): potrace-1.13-4.7.1
openSUSE 13.1 (src): potrace-1.13-2.7.1