Login Sign Up

CVE-2019-19005

7.8 HIGH
Denial of Service

📋 TL;DR

CVE-2019-19005 is a double-free vulnerability in autotrace 0.31.1 that allows attackers to cause memory corruption by processing a malformed bitmap image. This can lead to denial of service or potentially arbitrary code execution. Anyone using autotrace to process untrusted bitmap images is affected.

💻 Affected Systems

Products:
  • autotrace
Versions: 0.31.1 and earlier versions
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing malformed bitmap images. This is related to CVE-2017-9182 use-after-free issue.

📦 What is this software?

Autotrace by Autotrace Project

View all CVEs affecting Autotrace →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if autotrace processes attacker-controlled images.

🟠

Likely Case

Application crash and denial of service when processing malicious bitmap files.

🟢

If Mitigated

No impact if autotrace is not used or only processes trusted images.

🌐 Internet-Facing: MEDIUM - Risk exists if autotrace processes user-uploaded images via web applications.
🏢 Internal Only: LOW - Risk limited to systems where autotrace processes untrusted bitmap files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a specific malformed bitmap image. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 9b438c6 (master branch)

Vendor Advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC6MUH2RLVEA634LHBNZ2KO7MQKI2RDZ/

Restart Required: No

Instructions:

1. Update autotrace to latest version from master branch. 2. Rebuild from source or use updated package from distribution repositories. 3. Replace existing autotrace binary with patched version.

🔧 Temporary Workarounds

Disable bitmap processing

all

Configure applications to reject or not process bitmap images through autotrace.

Input validation

all

Implement strict validation of bitmap files before passing to autotrace.

🧯 If You Can't Patch

  • Isolate autotrace usage to trusted environments only
  • Implement network segmentation to limit exposure of systems using autotrace

🔍 How to Verify

Check if Vulnerable:

Check autotrace version: autotrace --version. If version is 0.31.1 or earlier, system is vulnerable.

Check Version:

autotrace --version 2>/dev/null || echo 'autotrace not installed'

Verify Fix Applied:

Verify autotrace version is newer than 0.31.1 or includes commit 9b438c6 from master branch.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults when processing bitmap files
  • Memory corruption errors in system logs

Network Indicators:

  • Unusual bitmap file uploads to systems using autotrace

SIEM Query:

Process:autotrace AND (EventID:1000 OR Signal:SIGSEGV)

📊 Metadata

CVE ID: CVE-2019-19005
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-415
Published: February 11, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-19005, you might also want to check these:

CVE-2020-35885 9.8

This vulnerability in the alpm-rs Rust crate allows double-free memory corruption due to improper de...

Same vulnerability type (CWE-415)
CVE-2021-29940 9.8

This vulnerability in the Rust 'through' crate allows double-free memory corruption when the map fun...

Same vulnerability type (CWE-415)
CVE-2023-49937 9.8

This CVE describes a double-free vulnerability in SchedMD Slurm workload manager that allows attacke...

Same vulnerability type (CWE-415)