PatchSiren cyber security CVE debrief

CVE-2016-8700 Potrace Project CVE debrief

CVE-2016-8700 is a high-severity memory corruption issue in potrace’s BMP parsing path. The vulnerability is a heap-based buffer overflow in bm_readbody_bmp within bitmap_io.c, affecting potrace versions before 1.13. The CVE description says a crafted BMP image can trigger the flaw; NVD also classifies the issue as CWE-119 and assigns a CVSS 3.0 score of 7.8 (HIGH).

Vendor: Potrace Project
Product: CVE-2016-8700
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Anyone operating or packaging potrace 1.12 or earlier, especially systems that process untrusted BMP images. Downstream distributors and application maintainers that bundle potrace should also verify they are not shipping a vulnerable build.

Technical summary

The vulnerable function is bm_readbody_bmp in bitmap_io.c, where parsing a crafted BMP can lead to a heap-based buffer overflow. NVD maps the issue to CWE-119 and lists affected potrace versions up to and including 1.12. The record also shows a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, so the practical exposure should be understood in light of user interaction and local execution context, even though the CVE description refers to a remote attacker and crafted image input.
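The defensive point of the summary is that a BMP whose header fields are inconsistent with the file's actual contents should never reach a parser like bm_readbody_bmp from an untrusted source. The following pre-screen is an added example written for this debrief; it is not potrace's code, not the 1.13 fix, and it does not reproduce the specific defect (which the record does not detail). It rejects BMP files whose declared dimensions, bit depth, palette size or pixel-data offset do not fit the bytes actually present, so that a malformed file is dropped before any image library sees it. The pixel budget and the three sample files are constructed for the example.

```python
import struct

# Constructed policy value for this example: cap on width*height that the
# pre-screen will admit before a file is handed to potrace. Tune per environment.
MAX_PIXELS = 50_000_000
ALLOWED_BPP = {1, 4, 8, 16, 24, 32}
BI_RGB = 0  # uncompressed pixel data; RLE variants are rejected conservatively


def check_bmp(data: bytes):
    """Return (True, "ok") when the BMP headers are self-consistent with the
    file length, otherwise (False, reason). A rejection means: do not pass this
    file on to an image parser."""
    if len(data) < 14:
        return False, "too short for BITMAPFILEHEADER"
    magic, _bf_size, _reserved, off_bits = struct.unpack_from("<2sIII", data, 0)
    if magic != b"BM":
        return False, "bad magic"
    if len(data) < 18:
        return False, "too short for DIB header size"
    (dib_size,) = struct.unpack_from("<I", data, 14)
    # Only BITMAPINFOHEADER (40 bytes) and its larger successors are handled.
    if dib_size < 40:
        return False, f"unsupported DIB header size {dib_size}"
    if 14 + dib_size > len(data):
        return False, "DIB header runs past end of file"
    (width, height, planes, bpp, compression, _size_image, _xppm, _yppm,
     clr_used, _clr_important) = struct.unpack_from("<iiHHIIiiII", data, 18)
    if width <= 0 or height == 0:
        return False, f"invalid dimensions {width}x{height}"
    if planes != 1:
        return False, f"planes must be 1, got {planes}"
    if bpp not in ALLOWED_BPP:
        return False, f"unsupported bit depth {bpp}"
    if compression != BI_RGB:
        return False, f"compressed BMP (type {compression}) not admitted by pre-screen"
    rows = abs(height)  # negative height means top-down row order
    if width * rows > MAX_PIXELS:
        return False, f"pixel budget exceeded: {width}x{rows}"
    header_end = 14 + dib_size
    if bpp <= 8:
        if clr_used > (1 << bpp):
            return False, f"palette claims {clr_used} entries for {bpp}-bit image"
        palette_bytes = 4 * (clr_used or (1 << bpp))
        if header_end + palette_bytes > off_bits:
            return False, "palette overlaps pixel data offset"
    if off_bits < header_end or off_bits > len(data):
        return False, f"pixel data offset {off_bits} outside file"
    # Each scanline is padded to a 4-byte boundary.
    stride = ((width * bpp + 31) // 32) * 4
    if off_bits + stride * rows > len(data):
        return False, "pixel data truncated"
    return True, "ok"


def build_bmp(width, height, bpp=24, pixel_data=None):
    """Construct a minimal uncompressed BMP for the samples below (test data only)."""
    stride = ((width * bpp + 31) // 32) * 4
    if pixel_data is None:
        pixel_data = bytes(stride * abs(height))
    off_bits = 14 + 40
    file_header = struct.pack("<2sIII", b"BM", off_bits + len(pixel_data), 0, off_bits)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, BI_RGB,
                             len(pixel_data), 2835, 2835, 0, 0)
    return file_header + dib_header + pixel_data


# Constructed samples: a well-formed 2x2 image, the same image with its pixel
# data cut short, and a header whose dimensions promise far more data than exists.
SAMPLE_OK = build_bmp(2, 2)
SAMPLE_TRUNCATED = SAMPLE_OK[:-4]
SAMPLE_OVERSIZED = build_bmp(100_000, 100_000, pixel_data=b"")

if __name__ == "__main__":
    for name, blob in [("ok", SAMPLE_OK), ("truncated", SAMPLE_TRUNCATED),
                       ("oversized", SAMPLE_OVERSIZED)]:
        print(name, check_bmp(blob))
```

The check is deliberately strict: compressed BMP variants and the 12-byte BITMAPCOREHEADER are refused rather than parsed, because a pre-screen that cannot bound the pixel data size has no business admitting the file. Run it in the process that receives uploads, before potrace or any bundled copy of it is invoked.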

Defensive priority

High

Recommended defensive actions

  • Upgrade potrace to version 1.13 or later.
  • Inventory all direct and bundled uses of potrace 1.12 and earlier.
  • Treat BMP files from untrusted sources as dangerous input until affected systems are updated.
  • If immediate upgrading is not possible, restrict where potrace can be used and reduce exposure to untrusted image content.
  • Check downstream packages and appliances for backported fixes or lingering vulnerable versions.
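The first two actions above amount to finding every potrace 1.12-or-earlier binary in the estate. The script below is an added example for this debrief, not part of potrace or PatchSiren tooling: it classifies `potrace --version` banners collected from hosts against the 1.13 fix threshold and can also query the local binary. It assumes the banner has the form "potrace <major>.<minor>. Copyright ..."; the hostnames and banners are constructed. A "vulnerable" verdict is based on the upstream version only, so for distribution packages confirm against the package changelog in case the fix was backported without a version bump.

```python
import re
import shutil
import subprocess

FIXED_IN = (1, 13)  # CVE-2016-8700 is fixed in potrace 1.13 per the advisory
VERSION_RE = re.compile(r"potrace\s+(\d+)\.(\d+)")


def parse_potrace_version(banner: str):
    """Extract (major, minor) from a `potrace --version` banner, or None."""
    m = VERSION_RE.search(banner or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def triage(banner: str) -> str:
    """Classify one banner as 'vulnerable', 'fixed' or 'unknown'.
    'vulnerable' means upstream version < 1.13; backported distro fixes
    must be confirmed separately."""
    v = parse_potrace_version(banner)
    if v is None:
        return "unknown"
    return "fixed" if v >= FIXED_IN else "vulnerable"


def installed_potrace_banner():
    """Run the local potrace binary; return its banner, or None if it is absent
    or cannot be executed."""
    if shutil.which("potrace") is None:
        return None
    try:
        out = subprocess.run(["potrace", "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout + out.stderr


def triage_fleet(banners: dict) -> dict:
    """Map host -> verdict for banners gathered from many hosts."""
    return {host: triage(b) for host, b in banners.items()}


# Constructed banners in the assumed `potrace --version` format; hostnames
# are placeholders for this example.
SAMPLE_BANNERS = {
    "build-01": "potrace 1.12. Copyright (C) 2001-2015 Peter Selinger.",
    "build-02": "potrace 1.16. Copyright (C) 2001-2019 Peter Selinger.",
    "build-03": "bash: potrace: command not found",
}

if __name__ == "__main__":
    local = installed_potrace_banner()
    print("local:", triage(local) if local else "potrace not installed")
    for host, verdict in triage_fleet(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

Hosts that report "unknown" still need a look: the banner may come from a wrapper, or potrace may be embedded as a library in another package rather than installed as a command, which is exactly the bundled-use case the actions above call out.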

Evidence notes

Primary evidence comes from the NVD CVE record and its cited references. The NVD data describes the vulnerability as a heap-based buffer overflow in bm_readbody_bmp in bitmap_io.c, lists potrace versions through 1.12 as affected, and maps it to CWE-119. The source references include the potrace ChangeLog, oss-security posts from 2016-08-18 and 2016-10-16, a SecurityFocus entry, and a Gentoo advisory blog post. The CVE record was published on 2017-01-31 and later modified on 2026-05-13. The record contains a notable wording mismatch: the prose description says remote attackers may trigger the issue with a crafted BMP image, while the CVSS vector indicates AV:L and UI:R.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-31, with supporting references in vendor and mailing-list sources dating to 2016.