potrace: invalid memory access in findnext (decompose.c)

Description:
potrace is a utility that transforms bitmaps into vector graphics.

A crafted image revealed, through fuzz testing, the presence of an invalid memory access.

The complete ASan output:

# potrace $FILE
potrace: warning: 48.crashes: premature end of file
ASAN:DEADLYSIGNAL
=================================================================
==13940==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd7b865b800 (pc 0x7fd7ec5bcbf4 bp 0x7fff9ebad590 sp 0x7fff9ebad360 T0)
    #0 0x7fd7ec5bcbf3 in findnext /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11
    #1 0x7fd7ec5bcbf3 in getenv /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:478
    #2 0x7fd7ec5c3ed9 in potrace_trace /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/potracelib.c:76:7
    #3 0x4fea6e in process_file /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1102:10
    #4 0x4f872b in main /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1250:7
    #5 0x7fd7eb4d961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418fc8 in getenv (/usr/bin/potrace+0x418fc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11 in findnext
==13940==ABORTING
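A report like the one above is what a fuzzing campaign produces by the hundreds, and the first triage step is to turn each one into a stable crash signature so that repeated hits of the same bug (here, the SEGV in findnext) collapse into one bucket. The following Python script is an added example and not part of this advisory or of potrace: it parses an ASan report into its error class, faulting address and symbolized frames, then derives a signature from the error class and the first few frames, deliberately ignoring PIDs and ASLR-dependent addresses. The first sample input is the report printed above; the second is a constructed re-run with a different PID and address; the choice of three frames for the signature is an assumed convention, not something the advisory states.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the ASan report from the advisory above (trailing whitespace removed).
SAMPLE_REPORT = """\
potrace: warning: 48.crashes: premature end of file
ASAN:DEADLYSIGNAL
=================================================================
==13940==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd7b865b800 (pc 0x7fd7ec5bcbf4 bp 0x7fff9ebad590 sp 0x7fff9ebad360 T0)
    #0 0x7fd7ec5bcbf3 in findnext /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11
    #1 0x7fd7ec5bcbf3 in getenv /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:478
    #2 0x7fd7ec5c3ed9 in potrace_trace /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/potracelib.c:76:7
    #3 0x4fea6e in process_file /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1102:10
    #4 0x4f872b in main /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/main.c:1250:7
    #5 0x7fd7eb4d961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x418fc8 in getenv (/usr/bin/potrace+0x418fc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-gfx/potrace-1.13/work/potrace-1.13/src/decompose.c:436:11 in findnext
==13940==ABORTING
"""

# Constructed re-run of the same crash under another PID and address layout (not real output),
# used to show that the signature is insensitive to per-process randomness.
SAMPLE_RERUN = SAMPLE_REPORT.replace("13940", "20001").replace("0x7fd7b865b800", "0x7f1122334400")

# "==<pid>==ERROR: AddressSanitizer: <kind> [on [unknown] address 0x...]"
ERROR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                      r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?")
# "    #<n> 0x<pc> in <func> <file>[:<line>[:<col>]]" or "... in <func> (<module>+0x...)"
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>\S+) "
                      r"(?P<loc>\S+?)(?::(?P<line>\d+))?(?::(?P<col>\d+))?$")
SUMMARY_PREFIX = "SUMMARY: AddressSanitizer: "


@dataclass
class Frame:
    index: int
    func: str
    file: str            # source path, or "(module+offset)" when unsymbolized
    line: Optional[int]  # None when no source line is available


@dataclass
class AsanReport:
    pid: int
    kind: str                 # e.g. "SEGV", "heap-buffer-overflow"
    address: Optional[str]    # faulting address, if ASan printed one
    frames: List[Frame]       # primary stack trace, innermost first
    summary: str

    @property
    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None

    def signature(self, depth: int = 3) -> str:
        """Bucket key: error kind plus function and file:line of the first `depth` frames.
        Addresses and PIDs are excluded so ASLR does not split one bug into many buckets;
        only the path basename is used so different build directories still collide."""
        parts = [self.kind]
        for f in self.frames[:depth]:
            base = os.path.basename(f.file)
            parts.append(f"{f.func}@{base}:{f.line}" if f.line is not None else f"{f.func}@{base}")
        return "|".join(parts)


def parse_asan_report(text: str) -> AsanReport:
    """Parse one AddressSanitizer report; raises ValueError if no ERROR line is present."""
    pid = kind = address = summary = None
    frames: List[Frame] = []
    in_trace = False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ERROR_RE.match(line)
        if m:
            pid, kind, address = int(m.group("pid")), m.group("kind"), m.group("addr")
            in_trace = True  # frames follow the ERROR line
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                line_no = int(m.group("line")) if m.group("line") else None
                frames.append(Frame(int(m.group("idx")), m.group("func"), m.group("loc"), line_no))
                continue
            if frames and not line.strip():
                in_trace = False  # a blank line terminates the primary stack trace
        if line.startswith(SUMMARY_PREFIX):
            summary = line[len(SUMMARY_PREFIX):]
    if kind is None or pid is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return AsanReport(pid, kind, address, frames, summary or "")


def bucket_reports(texts: List[str], depth: int = 3) -> Dict[str, List[int]]:
    """Group raw reports by crash signature, returning signature -> list of PIDs."""
    buckets: Dict[str, List[int]] = {}
    for text in texts:
        report = parse_asan_report(text)
        buckets.setdefault(report.signature(depth), []).append(report.pid)
    return buckets


if __name__ == "__main__":
    for sig, pids in bucket_reports([SAMPLE_REPORT, SAMPLE_RERUN]).items():
        print(f"{len(pids)} hit(s): {sig}")
```

Frame #1 in the advisory's trace is symbolized as getenv at decompose.c:478, which is almost certainly a symbolizer artifact rather than a real call into getenv; the parser records it as printed and leaves that judgement to the analyst, which is one reason the signature uses file:line as well as the function name.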

Affected version:
1.13

Fixed version:
1.14

Commit fix:
http://potrace.sourceforge.net/patches/potrace-1.13-CVE-2016-8685.patch

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8685

Timeline:
2016-08-26: bug discovered
2016-08-27: bug reported privately to upstream
2016-08-29: blog post about the issue
2016-10-16: CVE Assigned
2017-02-14: upstream released a patch
2017-02-20: upstream released 1.14

Note:
This bug was found with American Fuzzy Lop.
