Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi src:cairo in jessie is affected by CVE-2016-9082 which would not warrant a DSA. A while back in october the issue was already fixed in unstable, cf. #842289. I would like to propose the attached debdiff for the upcoming point release. Note: in the 1.14.0-2.1 -> 1.14.0-2.1+deb8u1 the binary package binary-cairo-perf-utils got one more binary added (/usr/bin/cairo-perf-graph-files). Whit this update that goes back to the 1.14.0-2.1 situation. Regards, Salvatore
diff -Nru cairo-1.14.0/debian/changelog cairo-1.14.0/debian/changelog --- cairo-1.14.0/debian/changelog 2016-03-19 22:38:11.000000000 +0100 +++ cairo-1.14.0/debian/changelog 2016-12-30 07:30:39.000000000 +0100 @@ -1,3 +1,12 @@ +cairo (1.14.0-2.1+deb8u2) jessie; urgency=medium + + * Non-maintainer upload. + * CVE-2016-9082: DoS attack based on using SVG to generate invalid pointers + from a _cairo_image_surface in write_png. + (Closes: #842289) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 30 Dec 2016 07:30:39 +0100 + cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium * Fix CVE-2016-3190 diff -Nru cairo-1.14.0/debian/patches/CVE-2016-9082.patch cairo-1.14.0/debian/patches/CVE-2016-9082.patch --- cairo-1.14.0/debian/patches/CVE-2016-9082.patch 1970-01-01 01:00:00.000000000 +0100 +++ cairo-1.14.0/debian/patches/CVE-2016-9082.patch 2016-12-30 07:30:39.000000000 +0100 @@ -0,0 +1,107 @@ +From c812d1c1935cccf096a60ad904e640fdc83bd41c Mon Sep 17 00:00:00 2001 +From: Adrian Johnson <ajohn...@redneon.com> +Date: Thu, 20 Oct 2016 21:12:30 +1030 +Subject: [PATCH] image: prevent invalid ptr access for > 4GB images + +Image data is often accessed using: + + image->data + y * image->stride + +On 64-bit achitectures if the image data is > 4GB, this computation +will overflow since both y and stride are 32-bit types. + +https://bugs.freedesktop.org/show_bug.cgi?id=98165 +--- + boilerplate/cairo-boilerplate.c | 4 +++- + src/cairo-image-compositor.c | 4 ++-- + src/cairo-image-surface-private.h | 2 +- + src/cairo-mesh-pattern-rasterizer.c | 2 +- + src/cairo-png.c | 2 +- + src/cairo-script-surface.c | 3 ++- + 6 files changed, 10 insertions(+), 7 deletions(-) + +--- a/boilerplate/cairo-boilerplate.c ++++ b/boilerplate/cairo-boilerplate.c +@@ -42,6 +42,7 @@ + #undef CAIRO_VERSION_H + #include "../cairo-version.h" + ++#include <stddef.h> + #include <stdlib.h> + #include <ctype.h> + #include <assert.h> +@@ -976,7 +977,8 @@ cairo_surface_t * + cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file) + { + char format; +- int width, height, stride; ++ int width, height; ++ ptrdiff_t stride; + int x, y; + unsigned char *data; + cairo_surface_t *image = NULL; +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_rendere + pixman_image_t *src, *mask; + union { + struct fill { +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + uint32_t pixel; + } fill; +@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_rendere + struct finish { + cairo_rectangle_int_t extents; + int src_x, src_y; +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + } mask; + } u; +--- a/src/cairo-image-surface-private.h ++++ b/src/cairo-image-surface-private.h +@@ -71,7 +71,7 @@ struct _cairo_image_surface { + + int width; + int height; +- int stride; ++ ptrdiff_t stride; + int depth; + + unsigned owns_data : 1; +--- a/src/cairo-mesh-pattern-rasterizer.c ++++ b/src/cairo-mesh-pattern-rasterizer.c +@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int wid + tg += tg >> 16; + tb += tb >> 16; + +- *((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) | ++ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) | + ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24); + } + } +--- a/src/cairo-png.c ++++ b/src/cairo-png.c +@@ -671,7 +671,7 @@ read_png (struct png_read_closure_t *png + } + + for (i = 0; i < png_height; i++) +- row_pointers[i] = &data[i * stride]; ++ row_pointers[i] = &data[i * (ptrdiff_t)stride]; + + png_read_image (png, row_pointers); + png_read_end (png, info); +--- a/src/cairo-script-surface.c ++++ b/src/cairo-script-surface.c +@@ -1201,7 +1201,8 @@ static cairo_status_t + _write_image_surface (cairo_output_stream_t *output, + const cairo_image_surface_t *image) + { +- int stride, row, width; ++ int row, width; ++ ptrdiff_t stride; + uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE]; + uint8_t *rowdata; + uint8_t *data; diff -Nru cairo-1.14.0/debian/patches/series cairo-1.14.0/debian/patches/series --- cairo-1.14.0/debian/patches/series 2016-03-19 22:36:20.000000000 +0100 +++ cairo-1.14.0/debian/patches/series 2016-12-30 07:30:39.000000000 +0100 @@ -5,3 +5,4 @@ 0005-CFF-Fix-unaligned-access.patch 0008-tor-scan-converter-can-t-do_fullrow-when-intersectio.patch 0009-CVE-2016-3190.patch +CVE-2016-9082.patch
