[Buildroot] [PATCH 0/2] package/cairo: fix multiple CVEs
Quentin Schulz
foss+buildroot at 0leil.net
Wed Dec 14 11:16:00 UTC 2022
This fixes CVE-2019-6462 with an upstream patch and CVE-2020-35492 with a patch
slightly modified compared to upstream (namely removing tests since it includes
a png file which `patch` does not know how to handle when applying the patch).
There's still one CVE in the wild: CVE-2019-6461, but there's no patch for it yet
(not even an attempt),
cf. https://gitlab.freedesktop.org/cairo/cairo/-/issues/352.
Yocto does have a patch for it though:
https://cgit.openembedded.org/openembedded-core/tree/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch?id=a89bea9fed0005bc7d820a1fc6a9d6dd7c246c22
(don't mind the wrong CVE name, I'll send a patch fixing it soon).
But I'm not entirely convinced it's a proper fix? So I'll leave it up for
discussion.
Cheers,
Quentin
Signed-off-by: Quentin Schulz <quentin.schulz at theobroma-systems.com>
---
Quentin Schulz (2):
package/cairo: fix CVE-2019-6462
package/cairo: fix CVE-2020-35492
...gle_for_tolerance_normalized-fix-infinite.patch | 39 +++++++++++++++
.../0004-Fix-mask-usage-in-image-compositor.patch | 56 ++++++++++++++++++++++
package/cairo/cairo.mk | 4 ++
3 files changed, 99 insertions(+)
---
base-commit: d3d1d5a2dab19a954915c807e90ac74708b7e9ce
change-id: 20221213-cairo-cves-b0285617c92f
Best regards,
--
Quentin Schulz <quentin.schulz at theobroma-systems.com>