Bug 672908 (CVE-2018-19876)

Summary:	<x11-libs/cairo-1.16.0-r3: invalid free in cairo_ft_apply_variations
Product:	Gentoo Security	Reporter:	D'juan McDonald (domhnall) <flopwiki>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	x11
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://seclists.org/oss-sec/2018/q4/205
Whiteboard:	B3 [glsa+ cve]
Package list:	x11-libs/cairo-1.16.0-r3	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	596756, 625636

Description D'juan McDonald (domhnall) 2018-12-10 23:44:49 UTC

cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c frees memory using the wrong free function, leading to memory corruption. Because cairo is used by WebKitGTK+, WPE WebKit, and the WinCairo port of WebKit, this issue can be triggered by web content.

reference: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5


@maintainer(s): Patch available, see reference. 


Gentoo Security Padawan
(domhnall)

Comment 1 Yury German Gentoo Infrastructure

2019-03-27 00:16:33 UTC

https://bugs.webkit.org/show_bug.cgi?id=191595

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2019-03-29 20:05:42 UTC

(In reply to Yury German from comment #1)
> https://bugs.webkit.org/show_bug.cgi?id=191595

Fix is in 1.17.2

git tag --contains 6edf572ebb27b00d3c371ba5ae267e39d27d5b6d

Comment 3 Larry the Git Cow gentoo-dev

2019-03-30 02:04:50 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e27a74b58384414d920401521f7460a240ea37a

commit 8e27a74b58384414d920401521f7460a240ea37a
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2019-03-30 02:00:30 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2019-03-30 02:03:47 +0000

    x11-libs/cairo: Pull in a few fixes from upstream
    
    Bug: https://bugs.gentoo.org/672908
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-libs/cairo/cairo-1.16.0-r3.ebuild              | 132 +++++++++++++++++++++
 ...one_MM_Var-instead-of-free-when-available.patch |  30 +++++
 .../files/cairo-1.16.0-pdf-add-missing-flush.patch |  29 +++++
 3 files changed, 191 insertions(+)

Comment 4 Matt Turner gentoo-dev

2019-03-30 02:05:55 UTC

Arches, please stabilize.

Comment 5 Aaron Bauman (RETIRED) gentoo-dev

2019-03-30 02:39:44 UTC

(In reply to Matt Turner from comment #4)
> Arches, please stabilize.

Thanks, Matt!

Comment 6 Agostino Sarubbo gentoo-dev

2019-03-30 10:47:02 UTC

amd64 stable

Comment 7 Mikle Kolyada (RETIRED) archtester

2019-03-30 19:04:33 UTC

arm stable

Comment 8 Matt Turner gentoo-dev

2019-03-31 19:12:03 UTC

ppc/ppc64 stable

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2019-04-02 01:37:59 UTC

x86 stable

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2019-04-02 04:16:09 UTC

This issue was resolved and addressed in
 GLSA 201904-01 at https://security.gentoo.org/glsa/201904-01
by GLSA coordinator Aaron Bauman (b-man).

Comment 11 Aaron Bauman (RETIRED) gentoo-dev

2019-04-02 04:16:50 UTC

re-opened for final arches and clean-up

Comment 12 Rolf Eike Beer archtester

2019-04-06 10:24:41 UTC

sparc stable

Comment 13 Rolf Eike Beer archtester

2019-04-06 10:26:47 UTC

hppa too

Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-07 21:43:31 UTC

ia64 stable

Comment 15 Mikle Kolyada (RETIRED) archtester

2019-04-07 21:50:16 UTC

s390 stable

Comment 16 Matt Turner gentoo-dev

2019-04-08 23:21:29 UTC

alpha stable

Comment 17 Aaron Bauman (RETIRED) gentoo-dev

2019-04-09 00:03:06 UTC

arm64 stable

Comment 18 Aaron Bauman (RETIRED) gentoo-dev

2019-04-09 01:48:00 UTC

tree is clean