Public bug reported:

I'm attaching debdiffs for trusty, xenial and yakkety. Zesty is already
fixed by syncing cairo 1.14.6-1.1 from Debian. Maybe someone else can
work on the precise update.

Proof of Concept at
http://seclists.org/oss-sec/2016/q4/44

I didn't get gdb to work, but when I tried to convert the file, I got a
crash report named /var/crash/_usr_bin_rsvg-convert.1000.crash . After
the update, no crash happened.

I reproduced the crash and verified that the new package doesn't crash
on xenial and yakkety only. I did not test on trusty.

** Affects: cairo (Ubuntu)
     Importance: Undecided
         Status: Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1639372

Title:
  CVE-2016-9082: DOS attack in converting SVG to PNG

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cairo/+bug/1639372/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
