
Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,
I'd like to update cairo for the next jessie point update for
CVE-2016-3190.

I've been using the updated package for a day on my jessie workstation.

Cheers,
        Moritz

debdiff:

diff -Nru cairo-1.14.0/debian/changelog cairo-1.14.0/debian/changelog
--- cairo-1.14.0/debian/changelog	2014-10-24 21:38:48.000000000 +0200
+++ cairo-1.14.0/debian/changelog	2016-03-19 22:38:11.000000000 +0100
@@ -1,3 +1,9 @@
+cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium
+
+  * Fix CVE-2016-3190
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Sat, 19 Mar 2016 22:37:18 +0100
+
 cairo (1.14.0-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
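
Review bot: The new changelog entry "* Fix CVE-2016-3190" does not say what was wrong or which patch carries the fix. Naming debian/patches/0009-CVE-2016-3190.patch and the affected function (_fill_xrgb32_lerp_opaque_spans, out-of-bounds processing on a negative span length) would let someone reading only the changelog judge the exposure without opening the debdiff.
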
diff -Nru cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch
--- cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch	1970-01-01 01:00:00.000000000 +0100
+++ cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch	2016-03-19 22:35:25.000000000 +0100
@@ -0,0 +1,32 @@
+From 5c82d91a5e15d29b1489dcb413b24ee7fdf59934 Mon Sep 17 00:00:00 2001
+From: Bryce Harrington <bryce@osg.samsung.com>
+Date: Wed, 3 Dec 2014 19:28:15 -0800
+Subject: image: Fix crash in _fill_xrgb32_lerp_opaque_spans
+
+If a span length is negative don't go out of bounds processing the fill
+data.
+
+Patch thanks to Ilya Sakhnenko <ilia.softway@gmail.com> on mailing list.
+
+Signed-off-by: Bryce Harrington <bryce@osg.samsung.com>
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 6ff0f09..48072f8 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -2242,10 +2242,10 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
+ 				     spans[0].x, y, len, 1, r->u.fill.pixel);
+ 		    } else {
+ 			uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*y + spans[0].x*4);
+-			while (len--)
++			while (len-- > 0)
+ 			    *d++ = r->u.fill.pixel;
+ 		    }
+-		} else while (len--) {
++		} else while (len-- > 0) {
+ 		    *d = lerp8x4 (r->u.fill.pixel, a, *d);
+ 		    d++;
+ 		}
+-- 
+cgit v0.10.2
+
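
Review bot: The negative-length guard is applied only to the two while loops in _fill_xrgb32_lerp_opaque_spans, while the unchanged context line "spans[0].x, y, len, 1, r->u.fill.pixel);" still passes the same len to the call in the branch above the else. It is worth confirming that this call tolerates a non-positive width, or skipping the span once with a single len <= 0 check before the branches, so that all three paths are covered by one test. The patch header also carries only the upstream subject; a line tying it to CVE-2016-3190 would match the file name and the changelog.
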
diff -Nru cairo-1.14.0/debian/patches/series cairo-1.14.0/debian/patches/series
--- cairo-1.14.0/debian/patches/series	2014-10-24 21:36:09.000000000 +0200
+++ cairo-1.14.0/debian/patches/series	2016-03-19 22:36:20.000000000 +0100
@@ -4,3 +4,4 @@
 06_hurd-map-noreserve.patch
 0005-CFF-Fix-unaligned-access.patch
 0008-tor-scan-converter-can-t-do_fullrow-when-intersectio.patch
+0009-CVE-2016-3190.patch

