A new pixman release 0.42.2 is now available. This is a stable release in the 0.42 series.

This version contains a fix for a heap overflow. A CVE has been requested, and I'll reply to this email with the number when it is allocated.

See https://gitlab.freedesktop.org/pixman/pixman/-/commit/a1f88e842e0216a5b4df1ab023caebe33c101395 and https://gitlab.freedesktop.org/pixman/pixman/-/issues/63 for more information.

Thanks to Maddie Stone and Google's Project Zero for discovering this issue, providing a proof-of-concept, and a great analysis.

tar.gz:
    https://cairographics.org/releases/pixman-0.42.2.tar.gz
    https://www.x.org/releases/individual/lib/pixman-0.42.2.tar.gz

tar.xz:
    https://www.x.org/releases/individual/lib/pixman-0.42.2.tar.xz

Hashes:
    SHA256: ea1480efada2fd948bc75366f7c349e1c96d3297d09a3fe62626e38e234a625e  pixman-0.42.2.tar.gz
    SHA256: 5747d2ec498ad0f1594878cc897ef5eb6c29e91c53b899f7f71b506785fc1376  pixman-0.42.2.tar.xz
    SHA512: 0a4e327aef89c25f8cb474fbd01de834fd2a1b13fdf7db11ab72072082e45881cd16060673b59d02054b1711ae69c6e2395f6ae9214225ee7153939efcd2fa5d  pixman-0.42.2.tar.gz
    SHA512: 3476e2676e66756b1af61b1e532cd80c985c191fb7956eb01702b419726cce99e79163b7f287f74f66414680e7396d13c3fee525cd663f12b6ac4877070ff4e8  pixman-0.42.2.tar.xz

GPG signature:
    https://cairographics.org/releases/pixman-0.42.2.tar.gz.sha512.asc
    (signed by
        [ultimate] Matt Turner <matts...@gmail.com>
        [ultimate] Matt Turner <matts...@gentoo.org>
        [ultimate] Matt Turner <matts...@freedesktop.org>
        [ultimate] Matt Turner <mstur...@google.com>)

Git:
    https://gitlab.freedesktop.org/pixman/pixman.git
    tag: pixman-0.42.2

Log:
    Matt Turner (4):
        build: Add a64-neon-test.S to EXTRA_DIST
        Revert "Fix signed-unsigned semantics in reduce_32"
        Avoid integer overflow leading to out-of-bounds write
        Pre-release version bump to 0.42.2

    Simon Ser (3):
        Post-release version bump to 0.42.1
        meson: override pixman-1 dependency
        meson: explicitly set C standard to gnu99

    Thomas Klausner (2):
        configure.ac: avoid unportable test(1) operator
        Makefile.am: increase shell portability