PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8702 Potrace Project CVE debrief

CVE-2016-8702 is a heap-based buffer overflow in Potrace’s BMP parser, bm_readbody_bmp() in bitmap_io.c. The issue affects Potrace versions before 1.13, with the vulnerable version range in NVD ending at 1.12. A crafted BMP image can trigger the flaw, and NVD rates the issue HIGH with potential impact to confidentiality, integrity, and availability.

Vendor: Potrace Project
Product: CVE-2016-8702
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and product teams using Potrace before 1.13, especially in workflows that accept or convert untrusted BMP files.

Technical summary

NVD classifies this as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The vulnerable code path is bm_readbody_bmp() in bitmap_io.c. The NVD CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and the affected CPE range is Potrace through version 1.12. The record references vendor and third-party advisories, including the Potrace ChangeLog and OSS security mailing list posts.
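The record does not say which header field the crafted BMP abuses, so the following is an added, illustrative example of the defensive pattern a CWE-119 bug in a bitmap body reader calls for, not Potrace's bm_readbody_bmp() code. It parses the 54-byte BMP header from a byte buffer, derives the padded row stride and total body size in 64-bit arithmetic, and refuses to proceed unless the declared pixel data actually fits inside the bytes that were supplied. The BMP_MAX_DIM cap, the accepted bit depths, and the constructed sample files are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified BMP layout: 14-byte file header + 40-byte BITMAPINFOHEADER. */
#define BMP_HEADER_LEN 54u
#define BMP_MAX_DIM    (1u << 15)   /* illustrative cap on width/height (assumption) */

enum bmp_status {
    BMP_OK = 0,
    BMP_ERR_SHORT_HEADER,
    BMP_ERR_BAD_MAGIC,
    BMP_ERR_BAD_DEPTH,
    BMP_ERR_BAD_DIMS,
    BMP_ERR_BODY_TOO_SHORT
};

typedef struct {
    uint32_t width;
    uint32_t height;      /* absolute value: BMP permits negative (top-down) heights */
    uint16_t bpp;
    uint32_t data_offset; /* where pixel rows start in the file */
    size_t   row_bytes;   /* stride, padded to a 4-byte boundary */
    size_t   body_bytes;  /* row_bytes * height */
} bmp_info;

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(unsigned char *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff; }
static void wr16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }

/* Validate the header against the buffer it lives in. Every size is derived and
 * compared with the real buffer length before any pixel byte would be read. */
enum bmp_status bmp_check(const unsigned char *buf, size_t len, bmp_info *out)
{
    if (len < BMP_HEADER_LEN) return BMP_ERR_SHORT_HEADER;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_BAD_MAGIC;

    uint32_t off = rd32(buf + 10);
    int32_t  w   = (int32_t)rd32(buf + 18);
    int32_t  h   = (int32_t)rd32(buf + 22);
    uint16_t bpp = rd16(buf + 28);

    /* Only the depths this reader knows how to unpack (assumption). */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return BMP_ERR_BAD_DEPTH;
    if (w <= 0 || h == 0 || h == INT32_MIN) return BMP_ERR_BAD_DIMS;
    uint32_t uw = (uint32_t)w, uh = (uint32_t)(h < 0 ? -h : h);
    if (uw > BMP_MAX_DIM || uh > BMP_MAX_DIM) return BMP_ERR_BAD_DIMS;

    /* 64-bit arithmetic so the stride and body computation cannot wrap. */
    uint64_t row  = (((uint64_t)uw * bpp + 31) / 32) * 4;
    uint64_t body = row * uh;
    if (off < BMP_HEADER_LEN || off > len) return BMP_ERR_BODY_TOO_SHORT;
    if (body > (uint64_t)(len - off)) return BMP_ERR_BODY_TOO_SHORT;

    if (out) {
        out->width = uw; out->height = uh; out->bpp = bpp; out->data_offset = off;
        out->row_bytes = (size_t)row; out->body_bytes = (size_t)body;
    }
    return BMP_OK;
}

/* Write a constructed 54-byte header (pixel data assumed to start at offset 54). */
void bmp_make_header(unsigned char *hdr, uint32_t file_size, int32_t w, int32_t h, uint16_t bpp)
{
    memset(hdr, 0, BMP_HEADER_LEN);
    hdr[0] = 'B'; hdr[1] = 'M';
    wr32(hdr + 2, file_size);
    wr32(hdr + 10, BMP_HEADER_LEN);   /* bfOffBits */
    wr32(hdr + 14, 40);               /* biSize */
    wr32(hdr + 18, (uint32_t)w);
    wr32(hdr + 22, (uint32_t)h);
    wr16(hdr + 26, 1);                /* planes */
    wr16(hdr + 28, bpp);
}

/* Constructed scenarios: a genuine 4x3 24-bpp file is 54 + 3 rows * 12 bytes = 90 bytes.
 * 0: honest header; 1: absurd width; 2: width claims more rows than exist; 3: unknown depth. */
enum bmp_status check_sample(int which, bmp_info *info)
{
    unsigned char file[90];
    memset(file, 0x7f, sizeof file);        /* constructed pixel filler */
    int32_t  w   = (which == 1) ? 1000000 : (which == 2) ? 100 : 4;
    uint16_t bpp = (which == 3) ? 16 : 24;
    bmp_make_header(file, sizeof file, w, 3, bpp);
    return bmp_check(file, sizeof file, info);
}

size_t sample_body_bytes(void)
{
    bmp_info info;
    return check_sample(0, &info) == BMP_OK ? info.body_bytes : 0;
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("sample %d -> status %d\n", i, (int)check_sample(i, NULL));
    printf("honest body bytes: %zu\n", sample_body_bytes());
    return 0;
}
```

The point of the validator is that the header is treated as an untrusted claim: the allocation and the read loop should both be sized from values that have already been checked against the bytes actually present, which is the class of check whose absence produces a CWE-119 overflow in a file parser.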

Defensive priority

High for any environment that processes BMP files from untrusted or semi-trusted sources; otherwise medium, but still worth scheduling promptly because the flaw is memory corruption in a file parser.

Recommended defensive actions

  • Upgrade Potrace to version 1.13 or later.
  • Inventory applications and services that embed or invoke Potrace and confirm which version they ship.
  • Treat BMP files from untrusted sources as hostile input and restrict where they are accepted.
  • Run file-processing components with least privilege and, where possible, in a sandbox or isolated service.
  • Watch for crashes or abnormal behavior in any BMP conversion or tracing workflows until patched.
  • If an upgrade is not immediately possible, backport the vendor fix from the 1.13 release line if your distribution supports it.

Evidence notes

The supplied NVD record shows CVE-2016-8702 published on 2017-01-31 and modified on 2026-05-13. It identifies a heap-based buffer overflow in bm_readbody_bmp() in bitmap_io.c, assigns CWE-119, and lists Potrace versions through 1.12 as vulnerable. References in the record include the Potrace ChangeLog, OSS-security mailing list advisories, a SecurityFocus entry, and a Gentoo security note.

Official resources

Publicly disclosed in the NVD/CVE record on 2017-01-31, with supporting vendor and third-party references listed in the record.