Unpatched vulnerabilities in cairo

Hi,
cairo needs a security update: the current version in unstable is 1.16.0-2; we need 1.16.0-3.
References: GLSA, CVE-2017-9814, CVE-2016-9082

Also a question: should I post things like this in the future in the Manjaro-specific thread for packages that need an update?


cairo is an Arch Linux package, so you should report it to the Arch package maintainer.

Only for Manjaro built packages, not Arch built packages.


Just before going too far with this, are you sure Cairo 1.16.0 is vulnerable?

It's probably a good idea to check the patches from the cairo bugzilla and see if they have already landed in/before 1.16.0.

e.g. in Debian:

or is there a regression in 1.16.0?


@anon6847545 you might also be interested in this:

https://hackmd.io/e8Or7FJJR5ublC-w1FMfxQ?both#

CVE-2018-19876 is already patched in 1.16.0-2:

https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/cairo&id=5de8bc8ca68ff9261ddfb0ab0adff2f4d76852e9

Separate threads here are fine. Much easier to track than one element of a mega-thread.

After reading your post, I'm not sure.

No, but according to one of the bug reports referenced in the GLSA (same link as above), one of the vulnerabilities (CVE-2016-9082) was unpatched until 1.16.0 - but since we already have that, it's not an issue.
A second issue referenced in the GLSA also got resolved.
Therefore the only thing that might be trouble is the one mentioned in https://bugs.gentoo.org/672908, which is about an unpatched vulnerability in 1.16.0 that got patched in 1.17.2, which we don't have.
One reference to this is https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5.

But now this is over my head - so I honestly can't tell you if I cried wolf or if this is serious. Maybe someone who understands this stuff better can take a look at it?

I'm definitely interested in this, but I wonder what you want me to do with it - you being part of that list suggests you're already on top of things...
Or is that meant as another thing for me to check besides the GLSA, ASA, bugzilla, etc.?
If so, thanks - if not, care to make it clearer to me?
