PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8695 Potrace Project CVE debrief

CVE-2016-8695 is a denial-of-service issue in Potrace’s BMP parsing path. A crafted BMP image triggers a NULL pointer dereference in bm_readbody_bmp in bitmap_io.c, crashing the process that is doing the conversion. NVD lists Potrace versions through 1.12 as affected; the fix shipped in 1.13 (the Potrace ChangeLog is among the references in the NVD record).

Vendor
Potrace Project
Product
Potrace
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-31
Original CVE updated
2026-05-13
Advisory published
2017-01-31
Advisory updated
2026-05-13

Who should care

Organizations and developers that use Potrace 1.12 or earlier, especially in workflows that accept untrusted BMP images or run image conversion in user-facing services.

Technical summary

The flaw is a NULL pointer dereference (CWE-476) in bm_readbody_bmp within bitmap_io.c. NVD’s CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, reflecting a crash/availability impact when a crafted BMP is processed. The CVE description says the input is a crafted BMP image and notes this is distinct from CVE-2016-8694 and CVE-2016-8696.

Defensive priority

Medium. The impact is availability-only, and NVD scores it as local (AV:L) with user interaction (UI:R), which matches the command-line use case. Any service that runs Potrace over attacker-supplied BMPs is effectively exposing that parser to remote input, however, so in such deployments a single malformed upload crashes the worker on demand, and the local rating understates the practical exposure.

Recommended defensive actions

  • Upgrade Potrace to version 1.13 or later.
  • Inventory systems that ship or embed Potrace 1.12 or earlier.
  • Treat BMP files from untrusted sources as risky input and process them in a sandboxed or isolated service where possible.
  • Add crash monitoring around image-conversion jobs so malformed inputs are easier to detect and triage.
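One concrete way to carry out the "treat BMP files from untrusted sources as risky input" action is to reject structurally inconsistent files before they ever reach the converter. The following is an added example written for this debrief; it is not Potrace code and does not model the specific bug behind CVE-2016-8695. It parses the 14-byte BMP file header and the BITMAPINFOHEADER-family DIB header, checks that the declared dimensions, bit depth, palette size and pixel-data offset are mutually consistent with the actual file length, and refuses anything that is not. The size limits (MAX_DIMENSION, MAX_PIXELS) and the minimal BMP builder used to construct the sample files are assumptions made for the example.

```python
"""Structural pre-filter for BMP files before they reach an image converter.

Added example for this debrief, not Potrace code. It rejects files whose
headers are internally inconsistent so that obviously malformed inputs never
reach the converter. It is defence in depth, not a fix for any specific bug.
"""
import struct
from typing import List, Optional

FILE_HEADER_FMT = "<2sIHHI"        # magic, file size, reserved x2, pixel data offset
FILE_HEADER_LEN = struct.calcsize(FILE_HEADER_FMT)   # 14
INFO_HEADER_FMT = "<IiiHHIIiiII"   # BITMAPINFOHEADER: size, w, h, planes, bpp, ...
INFO_HEADER_LEN = struct.calcsize(INFO_HEADER_FMT)   # 40

# Policy limits chosen for this example (assumption; tune per deployment).
MAX_DIMENSION = 16384
MAX_PIXELS = 64 * 1024 * 1024

VALID_BPP = {1, 4, 8, 16, 24, 32}
BI_RGB, BI_RLE8, BI_RLE4, BI_BITFIELDS = 0, 1, 2, 3


def validate_bmp(data: bytes) -> List[str]:
    """Return a list of problems found; an empty list means the file passed."""
    problems: List[str] = []
    if len(data) < FILE_HEADER_LEN + INFO_HEADER_LEN:
        return ["file too short for BMP file header plus BITMAPINFOHEADER"]

    magic, _file_size, _, _, pixel_offset = struct.unpack_from(FILE_HEADER_FMT, data, 0)
    if magic != b"BM":
        return ["bad magic, not a BMP"]
    # The file-size field is frequently wrong in real files and ignored by
    # parsers, so it is deliberately not enforced here.

    (dib_size, width, height, planes, bpp, compression,
     image_size, _, _, colors_used, _) = struct.unpack_from(INFO_HEADER_FMT, data, FILE_HEADER_LEN)

    # Accept only the 40-byte BITMAPINFOHEADER and its V4/V5 extensions.
    if dib_size < INFO_HEADER_LEN or dib_size > 124:
        return [f"unsupported DIB header size {dib_size}"]
    header_end = FILE_HEADER_LEN + dib_size
    if header_end > len(data):
        return ["DIB header extends past end of file"]

    abs_height = abs(height)  # negative height means top-down row order
    if width <= 0 or width > MAX_DIMENSION:
        problems.append(f"width {width} out of range")
    if abs_height == 0 or abs_height > MAX_DIMENSION:
        problems.append(f"height {height} out of range")
    if planes != 1:
        problems.append(f"planes must be 1, got {planes}")
    if bpp not in VALID_BPP:
        problems.append(f"unsupported bits per pixel {bpp}")
    if compression not in (BI_RGB, BI_RLE8, BI_RLE4, BI_BITFIELDS):
        problems.append(f"unsupported compression {compression}")
    if (compression == BI_RLE8 and bpp != 8) or (compression == BI_RLE4 and bpp != 4):
        problems.append("RLE compression does not match bits per pixel")
    if problems:
        return problems  # derived sizes below would be meaningless

    if width * abs_height > MAX_PIXELS:
        problems.append("pixel count exceeds policy limit")

    # Palette exists only for <= 8 bpp; colors_used == 0 means the full 2**bpp table.
    palette_bytes = 0
    if bpp <= 8:
        max_colors = 1 << bpp
        if colors_used > max_colors:
            problems.append(f"colors_used {colors_used} exceeds 2**{bpp}")
        palette_bytes = 4 * (colors_used or max_colors)
    elif compression == BI_BITFIELDS and dib_size == INFO_HEADER_LEN:
        palette_bytes = 12  # three channel masks follow a plain 40-byte header

    if pixel_offset < header_end + palette_bytes:
        problems.append("pixel data offset overlaps headers/palette")
    if pixel_offset > len(data):
        problems.append("pixel data offset beyond end of file")

    # Uncompressed rows are padded to 4 bytes; the whole body must fit in the file.
    if compression in (BI_RGB, BI_BITFIELDS):
        stride = ((width * bpp + 31) // 32) * 4
        needed = stride * abs_height
        if pixel_offset + needed > len(data):
            problems.append(f"truncated pixel data: need {needed} bytes at offset {pixel_offset}")
    elif image_size == 0 or pixel_offset + image_size > len(data):
        problems.append("RLE image size missing or beyond end of file")
    return problems


def is_safe_bmp(data: bytes) -> bool:
    return not validate_bmp(data)


def make_bmp(width: int, height: int, bpp: int = 24, *, colors_used: int = 0,
             pixel_offset: Optional[int] = None, body: Optional[bytes] = None) -> bytes:
    """Build a minimal uncompressed BMP. Constructed sample data for this example."""
    stride = ((width * bpp + 31) // 32) * 4
    palette = b"\x00" * (4 * (colors_used or (1 << bpp)) if bpp <= 8 else 0)
    if body is None:
        body = b"\x00" * (stride * abs(height))
    if pixel_offset is None:
        pixel_offset = FILE_HEADER_LEN + INFO_HEADER_LEN + len(palette)
    size = FILE_HEADER_LEN + INFO_HEADER_LEN + len(palette) + len(body)
    info = struct.pack(INFO_HEADER_FMT, INFO_HEADER_LEN, width, height, 1, bpp,
                       BI_RGB, len(body), 2835, 2835, colors_used, 0)
    return struct.pack(FILE_HEADER_FMT, b"BM", size, 0, 0, pixel_offset) + info + palette + body


# Constructed samples: two well-formed files and four that should be refused.
GOOD = make_bmp(2, 2)                                   # 2x2, 24 bpp, 16-byte body
GOOD_TOPDOWN = make_bmp(2, -2)                          # negative height is legal
BAD_OFFSET = make_bmp(2, 2, pixel_offset=0x7FFFFFF0)    # offset far past end of file
TRUNCATED = make_bmp(1000, 1000, body=b"\x00" * 16)     # header promises ~3 MB, body is 16 bytes
BAD_BPP = make_bmp(2, 2, bpp=0)                         # zero bits per pixel
BAD_PALETTE = make_bmp(2, 2, bpp=8, colors_used=300)    # more colours than 8 bpp allows

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("GOOD_TOPDOWN", GOOD_TOPDOWN), ("BAD_OFFSET", BAD_OFFSET),
                         ("TRUNCATED", TRUNCATED), ("BAD_BPP", BAD_BPP), ("BAD_PALETTE", BAD_PALETTE)]:
        print(f"{name:13s} {'accept' if is_safe_bmp(sample) else 'reject'} {validate_bmp(sample)}")
```

Run this filter in the upload path and hand only accepted files to the conversion worker; a file that fails it is logged and dropped rather than converted. Because it checks consistency between fields and the real file length instead of trusting any one header value, it catches the common shapes of fuzzer-generated BMPs (absurd dimensions, offsets past EOF, oversized palettes) without needing to know which field a particular parser mishandles. It is a pre-filter, not a substitute for upgrading: a file that passes these checks can still exercise bugs in the converter, which is why sandboxing and crash monitoring remain necessary.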

Evidence notes

The NVD record identifies the weakness as CWE-476 and lists the affected CPE range as Potrace through version 1.12, with no later vulnerable range specified. The CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. Reference material in the record points to the Potrace ChangeLog, oss-security advisories, a Gentoo blog analysis, and a SecurityFocus entry.

Official resources

The CVE was published 2017-01-31. The supplied NVD record was last modified 2026-05-13; that date reflects record maintenance, not when the vulnerability was discovered or fixed.