Debian Bug report logs - #978658: cairo: CVE-2020-35492
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#978658; Package src:cairo. (Tue, 29 Dec 2020 20:15:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 29 Dec 2020 20:15:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: cairo
Version: 1.16.0-4
Severity: important
Tags: security upstream
Forwarded: https://gitlab.freedesktop.org/cairo/cairo/-/issues/437
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for cairo.
CVE-2020-35492[0]:
| cairo: libreoffice slideshow aborts with stack smashing in cairo's
| composite_boxes
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-35492
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35492
[1] https://gitlab.freedesktop.org/cairo/cairo/-/issues/437
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1898396
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#978658. (Thu, 31 Dec 2020 21:33:06 GMT)
Message #8 received at 978658-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #978658 in cairo reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/gnome-team/cairo/-/commit/2775f5891657fbe591388fabd018bef6a6845a25
------------------------------------------------------------------------
Add patches from upstream for CVE-2020-35492
Closes: #978658
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/978658
Added tag(s) pending. Request was from Simon McVittie <noreply@salsa.debian.org> to 978658-submitter@bugs.debian.org. (Thu, 31 Dec 2020 21:33:06 GMT)
Reply sent to Simon McVittie <smcv@debian.org>: You have taken responsibility. (Fri, 01 Jan 2021 20:51:06 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 01 Jan 2021 20:51:06 GMT)
Message #15 received at 978658-close@bugs.debian.org:
Source: cairo
Source-Version: 1.16.0-5
Done: Simon McVittie <smcv@debian.org>
We believe that the bug you reported is fixed in the latest version of
cairo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 978658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated cairo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 31 Dec 2020 21:39:40 +0000
Source: cairo
Architecture: source
Version: 1.16.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 946371 978658 978779
Changes:
cairo (1.16.0-5) unstable; urgency=medium
.
* Team upload
* d/patches: Add patches from upstream for CVE-2020-35492
(Closes: #978658)
* Build-Depend on gtk-doc-tools.
autoconf 2.70 automatically runs gtkdocize to update gtk-doc-related
files for packages that invoke the GTK_DOC_CHECK macro, causing FTBFS
with that version if gtk-doc-tools is not installed. (Closes: #978779)
* d/tests/build: Mark as superficial (see #904979)
* d/tests/build: Fix shellcheck warnings
* d/tests/build: Use correct compiler for proposed autopkgtest
cross-architecture testing support (Closes: #946371)
* d/shlibs.local: Generate lockstep dependencies between binary packages.
Upstream developers are not going to support mixing binary packages
of different versions from the same source package, and neither should
we; they all migrate to testing as a unit anyway.
* Add Build-Depends-Package to all symbols files
* Remove migration path from libcairo2-dbg older than Debian 9 'stretch'
* d/rules: Don't maintain shlibs version manually.
The symbols files make this unnecessary under most circumstances, and -V
(which is the default in debhelper compat level 12) generates a
dependency on at least the corresponding upstream version as a fallback.
* Move to debhelper-compat 12
- Drop -V from dh_makeshlibs (it is now the default)
* Set Rules-Requires-Root to no
* Wrap a long line in the 1.12.4-1 changelog entry (thanks, lintian-brush)
* d/patches: Move patches from upstream to beginning of series, and add
metadata
* Add Lintian override for documentation in /usr/share/gtk-doc/html.
See #970275 for details of why this is correct.
* libcairo-gobject2: Add override for library-not-linked-against-libc.
This library uses functions from Cairo, GLib and GObject, and does not
directly depend on glibc.
* Register with doc-base using a symlink in /usr/share/doc.
This silences a Lintian warning, and makes the documentation a bit more
discoverable.
* Standards-Version: 4.5.1 (no changes required)
Checksums-Sha1:
47f6592b8d0ffef78edb1465a6508c8cf410c328 2939 cairo_1.16.0-5.dsc
453294cb4450eb031c7eb766cf165b7f5f2f331c 33144 cairo_1.16.0-5.debian.tar.xz
c7f588a84c916e2b399360c0995ed19f213f36f4 8354 cairo_1.16.0-5_source.buildinfo
Checksums-Sha256:
1bcd6dbe5544ad02170d18226ba544b96e2a48bd239407c4ee40c5eb9a441a06 2939 cairo_1.16.0-5.dsc
544726514b4b8cfdd151941714c2f910f995ddd4562e6de464c9487e9331fe9f 33144 cairo_1.16.0-5.debian.tar.xz
cbb8fe4ebea838a59d969f2be35bae3d6ee9abf159cd17340fd9a23828ff9733 8354 cairo_1.16.0-5_source.buildinfo
Files:
f450d70156c5ba4441d724d5573b047d 2939 libs optional cairo_1.16.0-5.dsc
13c58cb2e36caeafab899283180bd07f 33144 libs optional cairo_1.16.0-5.debian.tar.xz
068b7491635508f93f751433a2824278 8354 libs optional cairo_1.16.0-5_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAl/vhhYACgkQ4FrhR4+B
TE9P0BAAl3JRJfxMKzp1Z7ZPhzl5kzK9csE91NLyaNVbmigMP+rzK1KezmG1JdTe
5RkPc7/hIebkWGKfhy9387V1YQXlYuB3D5tELOOlpR/UMJVaQpB5SoEI1aj/h5A8
1Da7DPRkkEDe6U9oQscgHwSoV3DsITN2axHLOE+33UyYYr/26rpuriv8icDzHZ2T
5wDSmaoGFdJbAWqxfB6ZW0iC9gjExVY0fZ2pIgWOVVlueD3KUFzIAKxgJVwwGLAI
thpEfcfaFsHxiHzz3jB0OiZAjkgKTiPTrHeacTfQJjIob4/fwpt+Yf2OhdUF7yGM
9xH1DdrQwqKsd4WXy0XYjdc3WtcSbRimG9cQ07pqm1HtFQrh5YBb+S91NZZcgdGV
bVq3bgrdW9rDcMRgkPB5t/dAZvZUn48wwcrnvx9xkRAGCujfMCCY3r+3yEEy42tY
o/7GGByRvqYPCYyTkZVkCzWuzYSTzmChyWYYS7A4qq86ZB+jhScry9stJnzWqJfn
JpDNzPDYNf3TpzPEiCclXNYTEkOyB16XQ2hqDHHGleEmV/3p307yqRpALdk41vrf
M7bCFT4gJwUOrbS19Jdm30OTFEoMhzZn6lxyrLigqEPghvGx/QDxkKtztLN5cTO6
ngAQnQM5aoSKAimZCnO7HHG8AWn7Z+0q8UqOTPELSM5goh/eZBo=
=fNEI
-----END PGP SIGNATURE-----
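The .changes above lists each uploaded file with its size and its MD5, SHA-1 and SHA-256 digests, and the whole text is covered by the uploader's PGP signature. What follows is an added example, not Debian's own tooling (dscverify from devscripts and dpkg-source perform these checks in practice), showing how to recompute the SHA-256 digest and size of every file named in a Checksums-Sha256 stanza. The stanza from this page is embedded verbatim to exercise the parser; the files the check is run against, and the second stanza built inside demo(), are constructed for the demonstration and do not correspond to the real cairo upload. Verifying the signature itself (gpg --verify against the Debian keyring) is a separate step that this example does not perform; without it the checksums only prove that the files match an unauthenticated piece of text.

```python
"""Check files named in a Debian .changes file against its Checksums-Sha256 stanza.

Added example; not Debian's dscverify or dpkg-source.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Tuple

# Checksums-Sha256 stanza copied verbatim from the cairo 1.16.0-5 .changes above
# (continuation lines re-indented by one space, as in a real .changes file).
PAGE_STANZA = """\
Checksums-Sha256:
 1bcd6dbe5544ad02170d18226ba544b96e2a48bd239407c4ee40c5eb9a441a06 2939 cairo_1.16.0-5.dsc
 544726514b4b8cfdd151941714c2f910f995ddd4562e6de464c9487e9331fe9f 33144 cairo_1.16.0-5.debian.tar.xz
 cbb8fe4ebea838a59d969f2be35bae3d6ee9abf159cd17340fd9a23828ff9733 8354 cairo_1.16.0-5_source.buildinfo
Files:
 f450d70156c5ba4441d724d5573b047d 2939 libs optional cairo_1.16.0-5.dsc
"""

# A field line is unindented and looks like "Name:"; its entries are continuation lines.
FIELD_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
# One entry: <64 hex digits> <size in bytes> <file name>
ENTRY_RE = re.compile(r"^\s*([0-9a-f]{64})\s+(\d+)\s+(\S+)\s*$")


def parse_sha256_stanza(changes_text: str) -> Dict[str, Tuple[str, int]]:
    """Return {filename: (sha256_hex, size)} for the Checksums-Sha256 field.

    Accepts both the indented original and the de-indented copy a web
    extractor produces, because entry lines never look like a "Name:" field.
    """
    entries: Dict[str, Tuple[str, int]] = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if line and not line[0].isspace() and FIELD_RE.match(line):
            in_stanza = line.startswith("Checksums-Sha256:")
            continue
        if in_stanza:
            m = ENTRY_RE.match(line)
            if m:
                entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(changes_text: str, directory: str) -> Dict[str, str]:
    """Check every listed file; status is ok, missing, size-mismatch, digest-mismatch or bad-name."""
    status: Dict[str, str] = {}
    for name, (want_hex, want_size) in parse_sha256_stanza(changes_text).items():
        # A .changes names bare files only; refuse anything that could escape the directory.
        if os.path.basename(name) != name or name in (".", ".."):
            status[name] = "bad-name"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status[name] = "missing"
            continue
        if os.path.getsize(path) != want_size:
            status[name] = "size-mismatch"
            continue
        status[name] = "ok" if sha256_of_file(path) == want_hex else "digest-mismatch"
    return status


def demo() -> Dict[str, str]:
    """Constructed files and a constructed stanza (not the real cairo upload):
    one intact file, one altered without changing its size, one absent, one hostile name."""
    good = b"intact file contents\n"
    original = b"original contents\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.txt"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.txt"), "wb") as f:
            f.write(b"original cont3nts\n")  # same length as `original`, one byte differs
        listed = (("good.txt", good), ("tampered.txt", original),
                  ("absent.txt", b"x"), ("../escape.txt", b"y"))
        stanza = "Checksums-Sha256:\n" + "".join(
            f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}\n" for name, data in listed
        ) + "Files:\n"
        return verify_files(stanza, d)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{result:16} {name}")
```

Running the module prints one status per constructed file. Against a real download, run verify_files() on the signed .changes text, after gpg has verified its signature, in the directory holding the downloaded .dsc, .debian.tar.xz and .buildinfo. The size check runs before the digest so a truncated download is reported as such rather than as a bare digest mismatch, and the bad-name check keeps a hostile .changes from pointing the verifier at files outside the download directory.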
Last modified: Sat Jan 9 13:02:11 2021