Debian Bug report logs - #978658
cairo: CVE-2020-35492

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 29 Dec 2020 20:15:02 UTC

Severity: important

Tags: security, upstream

Found in version cairo/1.16.0-4

Fixed in version cairo/1.16.0-5

Done: Simon McVittie <smcv@debian.org>

Forwarded to https://gitlab.freedesktop.org/cairo/cairo/-/issues/437



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#978658; Package src:cairo. (Tue, 29 Dec 2020 20:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 29 Dec 2020 20:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cairo: CVE-2020-35492
Date: Tue, 29 Dec 2020 21:13:42 +0100
Source: cairo
Version: 1.16.0-4
Severity: important
Tags: security upstream
Forwarded: https://gitlab.freedesktop.org/cairo/cairo/-/issues/437
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cairo.

CVE-2020-35492[0]:
| cairo: libreoffice slideshow aborts with stack smashing in cairo's
| composite_boxes

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35492
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35492
[1] https://gitlab.freedesktop.org/cairo/cairo/-/issues/437
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1898396

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#978658. (Thu, 31 Dec 2020 21:33:06 GMT)


Message #8 received at 978658-submitter@bugs.debian.org:

From: Simon McVittie <noreply@salsa.debian.org>
To: 978658-submitter@bugs.debian.org
Subject: Bug#978658 marked as pending in cairo
Date: Thu, 31 Dec 2020 21:32:08 +0000
Control: tag -1 pending

Hello,

Bug #978658 in cairo reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/gnome-team/cairo/-/commit/2775f5891657fbe591388fabd018bef6a6845a25

------------------------------------------------------------------------
Add patches from upstream for CVE-2020-35492

Closes: #978658
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/978658



Added tag(s) pending. Request was from Simon McVittie <noreply@salsa.debian.org> to 978658-submitter@bugs.debian.org. (Thu, 31 Dec 2020 21:33:06 GMT)


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Fri, 01 Jan 2021 20:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 01 Jan 2021 20:51:06 GMT)


Message #15 received at 978658-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 978658-close@bugs.debian.org
Subject: Bug#978658: fixed in cairo 1.16.0-5
Date: Fri, 01 Jan 2021 20:48:27 +0000
Source: cairo
Source-Version: 1.16.0-5
Done: Simon McVittie <smcv@debian.org>

We believe that the bug you reported is fixed in the latest version of
cairo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated cairo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 31 Dec 2020 21:39:40 +0000
Source: cairo
Architecture: source
Version: 1.16.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 946371 978658 978779
Changes:
 cairo (1.16.0-5) unstable; urgency=medium
 .
   * Team upload
   * d/patches: Add patches from upstream for CVE-2020-35492
     (Closes: #978658)
   * Build-Depend on gtk-doc-tools.
     autoconf 2.70 automatically runs gtkdocize to update gtk-doc-related
     files for packages that invoke the GTK_DOC_CHECK macro, causing FTBFS
     with that version if gtk-doc-tools is not installed. (Closes: #978779)
   * d/tests/build: Mark as superficial (see #904979)
   * d/tests/build: Fix shellcheck warnings
   * d/tests/build: Use correct compiler for proposed autopkgtest
     cross-architecture testing support (Closes: #946371)
   * d/shlibs.local: Generate lockstep dependencies between binary packages.
     Upstream developers are not going to support mixing binary packages
     of different versions from the same source package, and neither should
     we; they all migrate to testing as a unit anyway.
   * Add Build-Depends-Package to all symbols files
   * Remove migration path from libcairo2-dbg older than Debian 9 'stretch'
   * d/rules: Don't maintain shlibs version manually.
     The symbols files make this unnecessary under most circumstances, and -V
     (which is the default in debhelper compat level 12) generates a
     dependency on at least the corresponding upstream version as a fallback.
   * Move to debhelper-compat 12
     - Drop -V from dh_makeshlibs (it is now the default)
   * Set Rules-Requires-Root to no
   * Wrap a long line in the 1.12.4-1 changelog entry (thanks, lintian-brush)
   * d/patches: Move patches from upstream to beginning of series, and add
     metadata
   * Add Lintian override for documentation in /usr/share/gtk-doc/html.
     See #970275 for details of why this is correct.
   * libcairo-gobject2: Add override for library-not-linked-against-libc.
     This library uses functions from Cairo, GLib and GObject, and does not
     directly depend on glibc.
   * Register with doc-base using a symlink in /usr/share/doc.
     This silences a Lintian warning, and makes the documentation a bit more
     discoverable.
   * Standards-Version: 4.5.1 (no changes required)
Checksums-Sha1:
 47f6592b8d0ffef78edb1465a6508c8cf410c328 2939 cairo_1.16.0-5.dsc
 453294cb4450eb031c7eb766cf165b7f5f2f331c 33144 cairo_1.16.0-5.debian.tar.xz
 c7f588a84c916e2b399360c0995ed19f213f36f4 8354 cairo_1.16.0-5_source.buildinfo
Checksums-Sha256:
 1bcd6dbe5544ad02170d18226ba544b96e2a48bd239407c4ee40c5eb9a441a06 2939 cairo_1.16.0-5.dsc
 544726514b4b8cfdd151941714c2f910f995ddd4562e6de464c9487e9331fe9f 33144 cairo_1.16.0-5.debian.tar.xz
 cbb8fe4ebea838a59d969f2be35bae3d6ee9abf159cd17340fd9a23828ff9733 8354 cairo_1.16.0-5_source.buildinfo
Files:
 f450d70156c5ba4441d724d5573b047d 2939 libs optional cairo_1.16.0-5.dsc
 13c58cb2e36caeafab899283180bd07f 33144 libs optional cairo_1.16.0-5.debian.tar.xz
 068b7491635508f93f751433a2824278 8354 libs optional cairo_1.16.0-5_source.buildinfo

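The `Checksums-Sha256` and `Files` fields in the upload summary above are what let a reader confirm that the source artefacts they fetch are the ones this upload described. The block below is an added example, not code from Debian, devscripts or the cairo package: it parses one `Checksums-*` field of a `.changes` file into filename, digest and size entries and verifies files on disk against them, reporting a missing file, a size mismatch and a digest mismatch as distinct outcomes. `CHANGES_EXCERPT` copies the digests shown above; `demo()` runs the verifier over constructed files in a temporary directory, since the real tarballs are not on this page.

```python
"""Verify files against a Checksums-* field of a Debian .changes file.

Added example (not Debian's or cairo's code).  CHANGES_EXCERPT copies the
Checksums-Sha256 field from the cairo 1.16.0-5 upload above; demo() works on
constructed files so the block runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

CHANGES_EXCERPT = """\
Checksums-Sha256:
 1bcd6dbe5544ad02170d18226ba544b96e2a48bd239407c4ee40c5eb9a441a06 2939 cairo_1.16.0-5.dsc
 544726514b4b8cfdd151941714c2f910f995ddd4562e6de464c9487e9331fe9f 33144 cairo_1.16.0-5.debian.tar.xz
 cbb8fe4ebea838a59d969f2be35bae3d6ee9abf159cd17340fd9a23828ff9733 8354 cairo_1.16.0-5_source.buildinfo
Files:
 f450d70156c5ba4441d724d5573b047d 2939 libs optional cairo_1.16.0-5.dsc
"""


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (hexdigest, size)} for one Checksums-* field.

    Indented continuation lines belong to the field named by the preceding
    unindented line; entries under any other field are skipped.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not line[:1].isspace():
            in_field = line.split(":", 1)[0] == field
            continue
        if in_field and line.strip():
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def verify_files(entries: dict, directory, algo: str = "sha256") -> dict:
    """Map each listed filename to 'ok', 'missing', 'size-mismatch' or
    'digest-mismatch'.  Size is checked first: it is cheap and catches a
    truncated download without hashing it."""
    results = {}
    for name, (expected, size) in entries.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        if path.stat().st_size != size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.new(algo)
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == expected else "digest-mismatch"
    return results


def demo() -> dict:
    """Exercise every outcome on constructed files (not the real cairo upload)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        payload = b"constructed stand-in for a .dsc file\n"
        (d / "good.dsc").write_bytes(payload)
        # Same length, one byte changed: only the digest catches this one.
        (d / "tampered.dsc").write_bytes(payload.replace(b"stand-in", b"stand_in"))
        (d / "truncated.dsc").write_bytes(payload[:-1])
        digest = hashlib.sha256(payload).hexdigest()
        changes = "Checksums-Sha256:\n" + "".join(
            f" {digest} {len(payload)} {name}\n"
            for name in ("good.dsc", "tampered.dsc", "truncated.dsc", "missing.dsc")
        )
        return verify_files(parse_checksums(changes), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```

A matching digest only binds a file to the text of the `.changes`; what binds that text to the uploader is the OpenPGP signature over it, which is why `dscverify` from devscripts checks the signature against the Debian keyrings before it checks the digests, and why the example above should be read as the second half of that check, not a replacement for the first.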




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 9 13:02:11 2021; Machine Name: buxtehude