PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8701 Potrace Project CVE debrief

CVE-2016-8701 is a memory-corruption flaw in Potrace's BMP parser. A crafted BMP image can trigger a heap-based buffer overflow in bm_readbody_bmp within bitmap_io.c. NVD rates the issue HIGH and maps affected versions through 1.12, with the fix associated with the 1.13 release line.

Vendor: Potrace Project
Product: CVE-2016-8701
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and security teams responsible for software that uses Potrace to process BMP files should care most, especially if those images can come from untrusted sources. Package maintainers should also verify whether downstream builds have the fix backported.

Technical summary

The vulnerability is a heap-based buffer overflow in bm_readbody_bmp in bitmap_io.c, tracked as CWE-119. The NVD record marks Potrace versions up to and including 1.12 as affected and indicates that upgrading to 1.13 or later is the remediation. The CVSS 3.0 base score is 7.8 HIGH with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: local attack vector, no privileges required, but user interaction (opening or converting a crafted BMP) is required for the vulnerable code path to be reached.

Defensive priority

High. Prioritize remediation on any system or application that processes untrusted BMP input with Potrace 1.12 or earlier, or that bundles Potrace as a dependency.

Recommended defensive actions

  • Upgrade Potrace to version 1.13 or a vendor package that clearly includes the fix.
  • Inventory applications, libraries, and pipelines that invoke Potrace for BMP processing and confirm their bundled version.
  • Treat BMP files from untrusted sources as potentially dangerous and limit where they are opened or processed.
  • Use sandboxing, least privilege, and process isolation for any image-conversion workflow that depends on Potrace.
  • Verify downstream distributions or vendor packages for backported fixes if a direct upgrade is not immediately possible.
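A pre-filter for untrusted BMP input, added here as an example and not code from Potrace or the NVD record: it checks that the BMP file and info headers are self-consistent with the bytes actually present before the file is handed to a tracer. MAX_PIXELS and the make_bmp helper are constructed for this example; a file passing this check is only well-formed at the header level, it does not make a vulnerable Potrace safe.

```python
import struct

MAX_PIXELS = 50_000_000  # constructed policy limit for this example, not a Potrace value


def check_bmp(data: bytes) -> list[str]:
    """Return reasons to reject a BMP; [] means headers agree with the bytes present."""
    problems = []
    if len(data) < 54:
        return ["short: fewer than 54 bytes (file header + BITMAPINFOHEADER)"]
    if data[:2] != b"BM":
        problems.append("signature: missing 'BM' magic")
    file_size, _, _, pixel_off = struct.unpack_from("<IHHI", data, 2)
    hdr_size, width, height, _planes, bpp, compression, _img_size = \
        struct.unpack_from("<IiiHHII", data, 14)
    colors_used = struct.unpack_from("<I", data, 46)[0]
    if file_size != len(data):
        problems.append(f"size: header claims {file_size} bytes, got {len(data)}")
    if hdr_size < 40:
        problems.append(f"header: info header size {hdr_size} not accepted")
    if width <= 0 or height == 0:
        problems.append(f"dimensions: {width}x{height} invalid")
    elif width * abs(height) > MAX_PIXELS:
        problems.append(f"dimensions: {width}x{abs(height)} exceeds pixel budget")
    if bpp not in (1, 4, 8, 16, 24, 32):
        problems.append(f"bpp: {bpp} not accepted")
    if compression not in (0, 1, 2, 3):  # BI_RGB, BI_RLE8, BI_RLE4, BI_BITFIELDS
        problems.append(f"compression: method {compression} not accepted")
    if pixel_off < 14 + hdr_size or pixel_off > len(data):
        problems.append(f"offset: pixel data offset {pixel_off} out of range")
    if 0 < bpp <= 8:
        colors = colors_used or (1 << bpp)  # zero means the full palette
        if 14 + hdr_size + colors * 4 > pixel_off:
            problems.append("palette: color table overlaps pixel data")
    if compression in (0, 3) and width > 0 and bpp in (1, 4, 8, 16, 24, 32):
        stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 4 bytes
        if pixel_off + stride * abs(height) > len(data):
            problems.append("truncated: declared bitmap larger than data present")
    return problems


def make_bmp(width, height, bpp=24, pixel_bytes=None, declared_size=None):
    """Build a constructed BMP for testing; defaults give a self-consistent file."""
    stride = ((width * bpp + 31) // 32) * 4
    body = bytes(stride * abs(height)) if pixel_bytes is None else pixel_bytes
    size = 54 + len(body) if declared_size is None else declared_size
    file_hdr = b"BM" + struct.pack("<IHHI", size, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                           len(body), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + body
```

Run check_bmp on each file before invoking Potrace and quarantine anything that returns a non-empty list; the prefix before the colon in each message is stable for logging and alerting.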

Evidence notes

The supplied NVD record describes a heap-based buffer overflow in bm_readbody_bmp in bitmap_io.c, identifies CWE-119, and lists affected versions through 1.12. The reference set includes the upstream Potrace ChangeLog, two oss-security mailing-list posts from 2016, a SecurityFocus entry, and a Gentoo advisory-style blog post dated 2016-08-08, indicating that the issue was discussed before the NVD publication date of 2017-01-31.

Official resources

Publicly disclosed in the NVD record on 2017-01-31. The supplied references also point to 2016 upstream and mailing-list discussion, while the NVD entry was last modified on 2026-05-13.