diff options
-rw-r--r-- | gnu/local.mk | 2 | ||||
-rw-r--r-- | gnu/packages/gtk.scm | 5 | ||||
-rw-r--r-- | gnu/packages/patches/cairo-CVE-2018-19876.patch | 37 | ||||
-rw-r--r-- | gnu/packages/patches/cairo-CVE-2020-35492.patch | 49 |
4 files changed, 92 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 7a700c3296..71e9719f54 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -896,6 +896,8 @@ dist_patch_DATA = \ %D%/packages/patches/blender-2.79-python-3.8-fix.patch \ %D%/packages/patches/bpftrace-disable-bfd-disasm.patch \ %D%/packages/patches/byobu-writable-status.patch \ + %D%/packages/patches/cairo-CVE-2018-19876.patch \ + %D%/packages/patches/cairo-CVE-2020-35492.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/calibre-remove-test-sqlite.patch \ %D%/packages/patches/calibre-remove-test-unrar.patch \ diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 173d568bee..43e1174c7c 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -145,7 +145,10 @@ tools have full access to view and control running applications.") (string-append "https://cairographics.org/releases/cairo-" version ".tar.xz")) (sha256 - (base32 "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy")))) + (base32 "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy")) + (patches (search-patches + "cairo-CVE-2018-19876.patch" + "cairo-CVE-2020-35492.patch")))) (build-system glib-or-gtk-build-system) (outputs '("out" "doc")) (arguments diff --git a/gnu/packages/patches/cairo-CVE-2018-19876.patch b/gnu/packages/patches/cairo-CVE-2018-19876.patch new file mode 100644 index 0000000000..c0fba2ecaa --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2018-19876.patch @@ -0,0 +1,37 @@ +Copied from Debian. + +From: Carlos Garcia Campos <cgarcia@igalia.com> +Date: Mon, 19 Nov 2018 12:33:07 +0100 +Subject: ft: Use FT_Done_MM_Var instead of free when available in + cairo_ft_apply_variations + +Fixes a crash when using freetype >= 2.9 + +[This is considered to be security-sensitive because WebKitGTK+ sets its +own memory allocator, which is not compatible with system free(), making +this a remotely triggerable denial of service or memory corruption.] + +Origin: upstream, commit:90e85c2493fdfa3551f202ff10282463f1e36645 +Bug: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5 +Bug-Debian: https://bugs.debian.org/916389 +Bug-CVE: CVE-2018-19876 +--- + src/cairo-ft-font.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c +index 325dd61..981973f 100644 +--- a/src/cairo-ft-font.c ++++ b/src/cairo-ft-font.c +@@ -2393,7 +2393,11 @@ skip: + done: + free (coords); + free (current_coords); ++#if HAVE_FT_DONE_MM_VAR ++ FT_Done_MM_Var (face->glyph->library, ft_mm_var); ++#else + free (ft_mm_var); ++#endif + } + } + diff --git a/gnu/packages/patches/cairo-CVE-2020-35492.patch b/gnu/packages/patches/cairo-CVE-2020-35492.patch new file mode 100644 index 0000000000..e8b90fa5c5 --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2020-35492.patch @@ -0,0 +1,49 @@ +Copied from Debian. + +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <heiko.lewin@worldiety.de> +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +[trimmed test case, since not used in Debian build] + +--- + src/cairo-image-compositor.c | 8 ++-- + +--- cairo-1.16.0.orig/src/cairo-image-compositor.c ++++ cairo-1.16.0/src/cairo-image-compositor.c +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_rende + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_rende + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_rende + #endif + } + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else { + *m++ = spans[0].coverage; |