===========================================================
Ubuntu Security Notice USN-265-1            March 23, 2006
libcairo vulnerability
CVE-2006-0528
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libcairo2

The problem can be corrected by upgrading the affected package to version 1.0.2-0ubuntu1.1. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

When rendering glyphs, the cairo graphics rendering library did not check the maximum length of character strings. A request to display an excessively long string with cairo caused a program crash due to an X library error. Mike Davis discovered that this could be turned into a Denial of Service attack in Evolution. An email with an attachment with very long lines caused Evolution to crash repeatedly until that email was manually removed from the mail folder.

This only affects Ubuntu 5.10. Previous Ubuntu releases did not use libcairo for text rendering.
this seems to be http://bugzilla.gnome.org/show_bug.cgi?id=328937 and it appears to crash gedit too

Changelog entry taken from ubuntu diff:

+  * SECURITY UPDATE: Fix crash with applications that render untrusted text
+    with cairo.
+  * Add debian/patches/01_break_up_glyph_rendering.patch:
+    - _cairo_xlib_surface_show_glyphs(): Break up rendering into chunks to fit
+      into X max request length protocol limits.
+    - This fixes crashes in e. g. Evolution with inline attachments with
+      overly long lines.
+    - Patch backported from upstream git
+      http://gitweb.freedesktop.org/?p=cairo;a=commit;h=3370cd631858cac0fd3ce33c74db3af40991e6f1
+  * CVE-2006-0528

-- this is at max a very minor security issue anyways, CC'ing maintainers not setting status yet
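The changelog above describes the fix as splitting glyph rendering into chunks that fit the X maximum request length. The following is an added model of that fix, not cairo's or Ubuntu's code: the request sizes, the MAX_REQUEST_BYTES limit and the stand-in server are assumed constants, chosen only to show why one oversized request fails and why chunking avoids it.

```c
#include <stddef.h>

/* Assumed model, not the real X Render protocol numbers: every request has a
 * fixed header plus a fixed payload per glyph, and the server rejects any
 * request longer than MAX_REQUEST_BYTES. In cairo 1.0.2 that rejection
 * surfaced as an X library error that terminated the client process. */
#define MAX_REQUEST_BYTES    256
#define REQUEST_HEADER_BYTES 32
#define GLYPH_ELT_BYTES      8

/* Stand-in for the X server's length check: 0 = accepted, -1 = rejected. */
static int xserver_accept_request(size_t request_bytes)
{
    return request_bytes <= MAX_REQUEST_BYTES ? 0 : -1;
}

/* Pre-fix behaviour: the whole string goes out as a single request, so a
 * long enough line of text is rejected outright. Returns 0 or -1. */
int show_glyphs_unchunked(size_t num_glyphs)
{
    size_t bytes = REQUEST_HEADER_BYTES + num_glyphs * GLYPH_ELT_BYTES;
    return xserver_accept_request(bytes);
}

/* Fixed behaviour: the largest chunk that still fits the limit is computed
 * from the limit itself, and the string is sent as a sequence of such
 * chunks. Returns the number of requests issued, or -1 if one was rejected
 * (which cannot happen as long as per_chunk is derived from the limit). */
int show_glyphs_chunked(size_t num_glyphs)
{
    size_t per_chunk = (MAX_REQUEST_BYTES - REQUEST_HEADER_BYTES) / GLYPH_ELT_BYTES;
    int requests = 0;

    while (num_glyphs > 0) {
        size_t n = num_glyphs < per_chunk ? num_glyphs : per_chunk;
        size_t bytes = REQUEST_HEADER_BYTES + n * GLYPH_ELT_BYTES;
        if (xserver_accept_request(bytes) != 0)
            return -1;
        num_glyphs -= n;
        requests++;
    }
    return requests;
}
```

With the assumed sizes a request holds at most 28 glyphs, so a 29-glyph string is rejected unchunked but is drawn in two requests once chunked.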
Ccing gnome herd as cardoe doesn't answer. Please patch or advise.
gnome is in metadata, should've been added when this got opened. Cairo-1.0.4 contains the fix for this and since it is mainly a bugfix release and there have been no problems reported so far, I think we can stabilize it if needed.
We usually call the maintainer before calling the herd, but here I'd say herd calling was a little overdue. Thanks for the advice, let's try to stabilize this one. Arches, please test and mark stable if OK for you.
(In reply to comment #4)
> Arches, please test and mark stable if OK for you.

9 of 61 tests failed on alpha...

make check-TESTS
make[2]: Entering directory `/var/tmp/portage/cairo-1.0.4/work/cairo-1.0.4/test'
a8-mask is expected to fail:
    image backend fails because libpixman only handles (stride % sizeof(pixman_bits) == 0)
a8-mask-image: XFAIL
a8-mask-xlib: UNTESTED
XFAIL: a8-mask
caps-joins-image: PASS
caps-joins-xlib: UNTESTED
PASS: caps-joins
caps-sub-paths-image: PASS
caps-sub-paths-xlib: UNTESTED
PASS: caps-sub-paths
clip-all-image: PASS
clip-all-xlib: UNTESTED
PASS: clip-all
clip-nesting-image: PASS
clip-nesting-xlib: UNTESTED
PASS: clip-nesting
clip-operator-image: FAIL
clip-operator-xlib: UNTESTED
FAIL: clip-operator
clip-twice-image: PASS
clip-twice-xlib: UNTESTED
PASS: clip-twice
composite-integer-translate-source-image: PASS
composite-integer-translate-source-xlib: UNTESTED
PASS: composite-integer-translate-source
composite-integer-translate-over-image: PASS
composite-integer-translate-over-xlib: UNTESTED
PASS: composite-integer-translate-over
composite-integer-translate-over-repeat-image: PASS
composite-integer-translate-over-repeat-xlib: UNTESTED
PASS: composite-integer-translate-over-repeat
create-from-png-image: PASS
create-from-png-xlib: UNTESTED
PASS: create-from-png
create-from-png-stream-image: PASS
create-from-png-stream-xlib: UNTESTED
PASS: create-from-png-stream
dash-caps-joins-image: PASS
dash-caps-joins-xlib: UNTESTED
PASS: dash-caps-joins
dash-offset-negative-image: PASS
dash-offset-negative-xlib: UNTESTED
PASS: dash-offset-negative
fill-and-stroke-image: PASS
fill-and-stroke-xlib: UNTESTED
PASS: fill-and-stroke
fill-rule-image: PASS
fill-rule-xlib: UNTESTED
PASS: fill-rule
filter-nearest-offset is expected to fail:
    wrong sampling location for nearest-neighbor filter in libpixman and Render
filter-nearest-offset-image: XFAIL
filter-nearest-offset-xlib: UNTESTED
XFAIL: filter-nearest-offset
get-and-set-image: PASS
get-and-set-xlib: UNTESTED
PASS: get-and-set
gradient-alpha-image: PASS
gradient-alpha-xlib: UNTESTED
PASS: gradient-alpha
leaky-polygon-image: PASS
leaky-polygon-xlib: UNTESTED
PASS: leaky-polygon
line-width-image: PASS
line-width-xlib: UNTESTED
PASS: line-width
linear-gradient-image: PASS
linear-gradient-xlib: UNTESTED
PASS: linear-gradient
mask-image: PASS
mask-xlib: UNTESTED
PASS: mask
mask-ctm-image: PASS
mask-ctm-xlib: UNTESTED
PASS: mask-ctm
mask-surface-ctm-image: PASS
mask-surface-ctm-xlib: UNTESTED
PASS: mask-surface-ctm
move-to-show-surface-image: PASS
move-to-show-surface-xlib: UNTESTED
PASS: move-to-show-surface
nil-surface-image: PASS
nil-surface-xlib: UNTESTED
PASS: nil-surface
operator-clear-image: FAIL
operator-clear-xlib: UNTESTED
FAIL: operator-clear
operator-source-image: FAIL
operator-source-xlib: UNTESTED
FAIL: operator-source
paint-image: PASS
paint-xlib: UNTESTED
PASS: paint
paint-with-alpha-image: PASS
paint-with-alpha-xlib: UNTESTED
PASS: paint-with-alpha
path-data-image: PASS
path-data-xlib: UNTESTED
PASS: path-data
pixman-rotate is expected to fail:
    known off-by-one bug when rotating a pixman image
pixman-rotate-image: XFAIL
pixman-rotate-xlib: UNTESTED
XFAIL: pixman-rotate
rectangle-rounding-error-image: PASS
rectangle-rounding-error-xlib: UNTESTED
PASS: rectangle-rounding-error
scale-source-surface-paint-image: PASS
scale-source-surface-paint-xlib: UNTESTED
PASS: scale-source-surface-paint
select-font-no-show-text-image: PASS
select-font-no-show-text-xlib: UNTESTED
PASS: select-font-no-show-text
self-copy-image: PASS
self-copy-xlib: UNTESTED
PASS: self-copy
self-intersecting is expected to fail:
    Self-intersecting strokes are wrong due to incremental trapezoidization.
self-intersecting-image: XFAIL
self-intersecting-xlib: UNTESTED
XFAIL: self-intersecting
set-source-image: PASS
set-source-xlib: UNTESTED
PASS: set-source
show-glyphs-many-image: PASS
show-glyphs-many-xlib: UNTESTED
PASS: show-glyphs-many
show-text-current-point-image: FAIL
show-text-current-point-xlib: UNTESTED
FAIL: show-text-current-point
source-clip-image: PASS
source-clip-xlib: UNTESTED
PASS: source-clip
source-surface-scale-paint-image: PASS
source-surface-scale-paint-xlib: UNTESTED
PASS: source-surface-scale-paint
surface-finish-twice-image: PASS
surface-finish-twice-xlib: UNTESTED
PASS: surface-finish-twice
surface-pattern-image: PASS
surface-pattern-xlib: UNTESTED
PASS: surface-pattern
text-antialias-gray-image: FAIL
text-antialias-gray-xlib: UNTESTED
FAIL: text-antialias-gray
text-antialias-none-image: FAIL
text-antialias-none-xlib: UNTESTED
FAIL: text-antialias-none
text-antialias-subpixel-image: FAIL
text-antialias-subpixel-xlib: UNTESTED
FAIL: text-antialias-subpixel
text-cache-crash-image: PASS
text-cache-crash-xlib: UNTESTED
PASS: text-cache-crash
text-pattern-image: FAIL
text-pattern-xlib: UNTESTED
FAIL: text-pattern
text-rotate is expected to fail:
    minor bugs in positioning rotated glyphs
text-rotate-image: XFAIL
text-rotate-xlib: UNTESTED
XFAIL: text-rotate
transforms-image: PASS
transforms-xlib: UNTESTED
PASS: transforms
translate-show-surface-image: PASS
translate-show-surface-xlib: UNTESTED
PASS: translate-show-surface
trap-clip-image: PASS
trap-clip-xlib: UNTESTED
PASS: trap-clip
unantialiased-shapes-image: PASS
unantialiased-shapes-xlib: UNTESTED
PASS: unantialiased-shapes
unbounded-operator-image: FAIL
unbounded-operator-xlib: UNTESTED
FAIL: unbounded-operator
PASS: user-data
rel-path-image: PASS
rel-path-xlib: UNTESTED
PASS: rel-path
PASS: pthread-show-text
ft-font-create-for-ft-face-image: PASS
ft-font-create-for-ft-face-xlib: UNTESTED
PASS: ft-font-create-for-ft-face
PASS: xlib-surface
========================================================================
9 of 61 tests failed
Please report to http://bugs.freedesktop.org/enter_bug.cgi?product=cairo
========================================================================
make[2]: *** [check-TESTS] Error 1
make[2]: Leaving directory `/var/tmp/portage/cairo-1.0.4/work/cairo-1.0.4/test'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/var/tmp/portage/cairo-1.0.4/work/cairo-1.0.4/test'
make: *** [check-recursive] Error 1
ppc stable
tcort, the question is if those tests pass with 1.0.2 .
I'm just testing x11-libs/cairo-1.0.4 against x86. I'm a gnome user - thus lots of programs link against cairo while I'm writing this. As far as I can tell (I'm now using the new cairo library for about 40min) everything seems to work fine.

Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.15-gentoo-r5 i686)
=================================================================
System uname: 2.6.15-gentoo-r5 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig colission-protect distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.inode.at/ "
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LINGUAS="en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aalib alsa apm audiofile avi berkdb bitmap-fonts bonobo bzip2 bzlib cairo cdr cli crypt css ctype cups curl dba dbus divx4linux dri dts dv dvd dvdr dvdread emboss encode evo exif expat fam fame fastbuild ffmpeg firefox flac foomaticdb force-cgi-redirect fortran ftp gd gdbm gif glut gmp gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile hal idn imagemagick imlib ipv6 isdnlog java jpeg junit lcms libg++ libwww mad memlimit mhash mikmod mmx mmxext mng motif mp3 mpeg nautilus ncurses nls nptl nsplugin nvidia ogg oggvorbis openal opengl pam pcre pdflib perl plotutils png posix pppd python quicktime readline real ruby sdl session simplexml slang soap sockets speex spell spl sqlite sse ssl subtitles svga tcltk tcpd tetex theora tiff tokenizer truetype truetype-fonts type1-fonts udev unicode usb vcd video_cards_nvidia vorbis win32codecs wma xine xml xml2 xmms xsl xv xvid zlib linguas_en linguas_de userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LDFLAGS
(In reply to comment #7)
> tcort, the question is if those tests pass with 1.0.2 .

Yes
(In reply to comment #9)
> (In reply to comment #7)
> > tcort, the question is if those tests pass with 1.0.2 .

The same 9 tests fail in 1.0.2 for me. ferdy tested 1.0.4 with no unexpected failures. My cairo apps (gnome-panel, mozilla-firefox, etc) are working fine with 1.0.4.

stable on alpha.
amd64ized
stable on ppc64
x86 in da house!
sparc stable.
hppa done
Ready for GLSA vote, I tend to vote no...
also tending to vote no
Voting NO and closing. Feel free to reopen if you disagree.