[Buildroot] [PATCH 0/2] package/cairo: fix multiple CVEs

Quentin Schulz foss+buildroot at 0leil.net
Wed Dec 14 11:16:00 UTC 2022


This fixes CVE-2019-6462 with an upstream patch and CVE-2020-35492 with a patch
slightly modified compared to upstream (namely removing tests since it includes
a png file which `patch` does not know how to handle when applying the patch).

There's still one CVE in the wild, CVE-2019-6461, but there's no patch for it yet
(not even an attempt),
cf. https://gitlab.freedesktop.org/cairo/cairo/-/issues/352.

Yocto does have a patch for it though:
https://cgit.openembedded.org/openembedded-core/tree/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch?id=a89bea9fed0005bc7d820a1fc6a9d6dd7c246c22
(don't mind the wrong CVE name, I'll send a patch fixing it soon).

But I'm not entirely convinced it's a proper fix? So I'll leave it up for
discussion.

Cheers,
Quentin

Signed-off-by: Quentin Schulz <quentin.schulz at theobroma-systems.com>

---
Quentin Schulz (2):
      package/cairo: fix CVE-2019-6462
      package/cairo: fix CVE-2020-35492

 ...gle_for_tolerance_normalized-fix-infinite.patch | 39 +++++++++++++++
 .../0004-Fix-mask-usage-in-image-compositor.patch  | 56 ++++++++++++++++++++++
 package/cairo/cairo.mk                             |  4 ++
 3 files changed, 99 insertions(+)
---
base-commit: d3d1d5a2dab19a954915c807e90ac74708b7e9ce
change-id: 20221213-cairo-cves-b0285617c92f

Best regards,
-- 
Quentin Schulz <quentin.schulz at theobroma-systems.com>