PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8703 Potrace Project CVE debrief

CVE-2016-8703 is a heap-based buffer overflow in Potrace’s BMP parser (bm_readbody_bmp in bitmap_io.c). A crafted BMP image can trigger the flaw in versions before 1.13, potentially impacting confidentiality, integrity, and availability.

Vendor: Potrace Project
Product: Potrace
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Security and platform teams that package, ship, or use Potrace; downstream distributors; and any environment where users may open or convert untrusted BMP images.

Technical summary

NVD classifies the issue as CWE-119 (improper restriction of operations within the bounds of a memory buffer). The vulnerable code path is bm_readbody_bmp in bitmap_io.c, and the affected version range is Potrace up to and including 1.12 (i.e., before 1.13). The NVD CVSS v3.0 vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting that the crafted image must be processed locally by a user (AV:L, UI:R) with no privileges required of the attacker (PR:N), and that the impact, if exploited, is rated high across confidentiality, integrity, and availability.
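As an added illustration, not Potrace's code and not a reproduction of the specific defect in bm_readbody_bmp (whose exact logic this debrief does not cover), the following C program shows the class of check a BMP body reader needs before it allocates and copies pixel data: every size it trusts (width, height, bit depth, data offset) is validated against the bytes actually present, the row stride and body size are computed in 64-bit arithmetic so they cannot wrap, and the heap buffer is sized from those validated values only. The header layout is the standard 14-byte file header followed by a 40-byte BITMAPINFOHEADER; the restriction to uncompressed 24/32-bit images, the 256 MiB body cap, and the helper names bmp_check, bmp_read_body and bmp_build_header are this example's own assumptions. The two input files (a valid 2x2 image and a crafted copy whose header claims 2x1000000 pixels) are constructed in main.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustrative example, NOT Potrace's bm_readbody_bmp: a bounds-checked
 * reader for the body of an uncompressed 24/32-bit BMP (assumed subset). */

#define BMP_HDR_LEN 54              /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define BMP_MAX_BODY (256u << 20)   /* assumed policy cap: refuse bodies over 256 MiB */

enum bmp_status {
    BMP_OK = 0,
    BMP_ERR_TRUNCATED,   /* buffer shorter than the headers */
    BMP_ERR_MAGIC,       /* not "BM", not BITMAPINFOHEADER, or compressed */
    BMP_ERR_BPP,         /* bit depth this example does not handle */
    BMP_ERR_DIMS,        /* width/height invalid, or body larger than the cap */
    BMP_ERR_BODY_SHORT   /* header claims more pixel data than the buffer holds */
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Validate the headers against the buffer. On BMP_OK, *w/*h are the image
 * size, *stride the 4-byte-padded row length and *off the pixel-data offset. */
enum bmp_status bmp_check(const uint8_t *buf, size_t len,
                          uint32_t *w, uint32_t *h, size_t *stride, size_t *off)
{
    if (len < BMP_HDR_LEN) return BMP_ERR_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;
    if (le32(buf + 14) != 40) return BMP_ERR_MAGIC;   /* only BITMAPINFOHEADER */
    if (le32(buf + 30) != 0) return BMP_ERR_MAGIC;    /* only BI_RGB (uncompressed) */

    int32_t sw = (int32_t)le32(buf + 18);
    int32_t sh = (int32_t)le32(buf + 22);             /* negative height = top-down image */
    uint16_t bpp = le16(buf + 28);
    if (bpp != 24 && bpp != 32) return BMP_ERR_BPP;
    if (sw <= 0 || sh == 0 || sh == INT32_MIN) return BMP_ERR_DIMS;

    uint64_t width  = (uint64_t)sw;
    uint64_t height = sh < 0 ? (uint64_t)(-(int64_t)sh) : (uint64_t)sh;

    /* Stride in 64-bit so width*bpp cannot wrap; then bound the body before multiplying. */
    uint64_t row = ((width * bpp + 31) / 32) * 4;
    if (height > BMP_MAX_BODY / row) return BMP_ERR_DIMS;
    uint64_t body = row * height;                     /* <= BMP_MAX_BODY, no overflow */

    uint64_t data_off = le32(buf + 10);
    if (data_off < BMP_HDR_LEN || data_off > len || body > len - data_off)
        return BMP_ERR_BODY_SHORT;                    /* crafted header: body exceeds the file */

    *w = (uint32_t)width; *h = (uint32_t)height;
    *stride = (size_t)row; *off = (size_t)data_off;
    return BMP_OK;
}

/* Allocate exactly h*stride bytes and copy the body row by row, only after
 * bmp_check has proven that every row lies inside buf. NULL on any error. */
uint8_t *bmp_read_body(const uint8_t *buf, size_t len, uint32_t *w, uint32_t *h,
                       size_t *stride, enum bmp_status *st)
{
    size_t off;
    *st = bmp_check(buf, len, w, h, stride, &off);
    if (*st != BMP_OK) return NULL;
    uint8_t *pix = malloc((size_t)*h * *stride);     /* size already bounded by bmp_check */
    if (!pix) { *st = BMP_ERR_DIMS; return NULL; }
    for (uint32_t y = 0; y < *h; y++)
        memcpy(pix + (size_t)y * *stride, buf + off + (size_t)y * *stride, *stride);
    return pix;
}

/* Test-data helper (constructed input, not a real file): 54-byte header for an
 * uncompressed image whose pixel data starts right after the header. */
void bmp_build_header(uint8_t hdr[BMP_HDR_LEN], int32_t w, int32_t h, uint16_t bpp, uint32_t file_len)
{
    memset(hdr, 0, BMP_HDR_LEN);
    hdr[0] = 'B'; hdr[1] = 'M';
    put32(hdr + 2, file_len);
    put32(hdr + 10, BMP_HDR_LEN);                    /* pixel-data offset */
    put32(hdr + 14, 40);                             /* BITMAPINFOHEADER size */
    put32(hdr + 18, (uint32_t)w);
    put32(hdr + 22, (uint32_t)h);
    put16(hdr + 26, 1);                              /* colour planes */
    put16(hdr + 28, bpp);                            /* compression at +30 stays 0 = BI_RGB */
}

int main(void)
{
    uint8_t good[BMP_HDR_LEN + 16], crafted[BMP_HDR_LEN + 16];
    uint32_t w, h; size_t stride; enum bmp_status st;

    /* Constructed 2x2 24-bit image: two 8-byte padded rows follow the header. */
    bmp_build_header(good, 2, 2, 24, sizeof good);
    memset(good + BMP_HDR_LEN, 0xAB, 16);
    uint8_t *pix = bmp_read_body(good, sizeof good, &w, &h, &stride, &st);
    printf("good: status %d, %ux%u, stride %zu\n", st, w, h, stride);
    free(pix);

    /* Same 16 bytes of pixel data, but the header now claims 2x1000000 pixels:
     * a reader that sizes its copy from the header alone would run off the end. */
    memcpy(crafted, good, sizeof good);
    put32(crafted + 22, 1000000);
    pix = bmp_read_body(crafted, sizeof crafted, &w, &h, &stride, &st);
    printf("crafted: status %d, pix %s\n", st, pix ? "allocated" : "rejected");
    free(pix);
    return 0;
}
```

The important property is that the allocation size and every row copy derive from values that were checked against len, and that the size arithmetic is done in a width that cannot wrap; a header field is attacker input until it has passed those checks.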

Defensive priority

High. This is a memory-corruption issue in image parsing with potential high impact, and it should be prioritized for upgrade or backporting in any supported deployment.

Recommended defensive actions

  • Upgrade Potrace to version 1.13 or later.
  • If an immediate upgrade is not possible, backport the upstream fix referenced in the vendor changelog into your packaged build.
  • Inventory all applications and pipelines that accept or convert BMP files and verify whether they invoke Potrace or embed its bitmap parser.
  • Treat BMP files from untrusted sources as high risk until the patched version is in place.
  • Track downstream distribution advisories and confirm the patched package version in your environment.

Evidence notes

The CVE description and NVD record identify a heap-based buffer overflow in bm_readbody_bmp within bitmap_io.c, affecting potrace before 1.13. The NVD CPE range marks versions through 1.12 as vulnerable. Supporting references in the source corpus include the Potrace changelog, oss-security mailing list posts from 2016, a Gentoo advisory/blog post, and a SecurityFocus entry. The CVE is distinct from CVE-2016-8698 through CVE-2016-8702.

Official resources

The vulnerability was publicly discussed in 2016 advisories and mailing-list posts, and the CVE was published by CVE/NVD on 2017-01-31. The source corpus also includes later NVD metadata modification, but the disclosure timing should beanch