CVE-2020-35492 (https://bugzilla.redhat.com/show_bug.cgi?id=1898396): A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability. Merged merge request: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/85
Package list is empty or all packages have requested keywords.
No vulnerable versions remaining in tree, see https://gitlab.freedesktop.org/cairo/cairo https://packages.gentoo.org/packages/x11-libs/cairo https://gitlab.freedesktop.org/cairo/cairo/-/issues/437. Versions prior to 1.17.4 are affected, only 1.16.0-r5 with the upstream fix remains in tree. I think RESOLVED FIXED would be appropriate here.
(In reply to 9ts641j2 from comment #7)
> No vulnerable versions remaining in tree, see
> https://gitlab.freedesktop.org/cairo/cairo
> https://packages.gentoo.org/packages/x11-libs/cairo
> https://gitlab.freedesktop.org/cairo/cairo/-/issues/437.
> Versions prior to 1.17.4 are affected, only 1.16.0-r5 with the upstream fix
> remains in tree.
> I think RESOLVED FIXED would be appropriate here.

Did it get patched by coincidence or did some bug get tagged?
It got patched by coincidence, I think. There was a new patch that solved this problem (https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/85).
(In reply to 9ts641j2 from comment #9)
> It got patched by coincidence, I think. There was a new patch that solved
> this problem
> (https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/85).

That merge request seems to be in 1.17.6, but not an in-tree version of cairo?
Right, sorry. My bad, should have checked the release tags and not relied on the CVE description. Should I bump the in-tree version?
(In reply to 9ts641j2 from comment #11)
> Right, sorry. My bad, should have checked the release tags and not relied on
> the CVE description. Should I bump the in-tree-version?

1.17.x is unstable/dev. It follows odd/even.
Ok. Maybe add the version with the fix as unstable?
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a86d7fa81e5e287e69d380daddcef043a1261b6f

commit a86d7fa81e5e287e69d380daddcef043a1261b6f
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-01-26 17:30:28 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-01-26 17:46:09 +0000

    x11-libs/cairo: Drop old versions

    Bug: https://bugs.gentoo.org/777123
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-libs/cairo/Manifest                            |   1 -
 x11-libs/cairo/cairo-1.16.0-r6.ebuild              | 134 --------------------
 .../files/cairo-1.12.18-disable-test-suite.patch   |  15 ---
 .../cairo/files/cairo-1.16.0-binutils-2.34.patch   |  72 ----------
 .../files/cairo-1.16.0-binutils-2.39-ptr.patch     |  29 -----
 ...one_MM_Var-instead-of-free-when-available.patch |  30 -----
 .../files/cairo-1.16.0-pdf-add-missing-flush.patch |  29 -----
 x11-libs/cairo/files/cairo-1.16.0-strings.patch    |  39 ------
 x11-libs/cairo/metadata.xml                        |   2 -
 9 files changed, 351 deletions(-)
Thanks!
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e0594bf267edfb23437629368af22c4e33f650fb

commit e0594bf267edfb23437629368af22c4e33f650fb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 10:32:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 10:33:45 +0000

    [ GLSA 202305-21 ] Cairo: Buffer Overflow Vulnerability

    Bug: https://bugs.gentoo.org/777123
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-21.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)