From bc16eacc99e801ac30cbe2aa649a2be3ca5c102a Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Fri, 12 Mar 2021 05:24:36 -0500 Subject: gnu: cairo: Fix CVE-2018-19876 and CVE-2020-35492. * gnu/packages/patches/cairo-CVE-2018-19876.patch, gnu/packages/patches/cairo-CVE-2020-35492.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gtk.scm (cairo)[replacement]: New field. (cairo/fixed): New variable. (cairo-xcb): Use package/inherit. --- gnu/local.mk | 2 + gnu/packages/gtk.scm | 13 ++++++- gnu/packages/patches/cairo-CVE-2018-19876.patch | 37 +++++++++++++++++++ gnu/packages/patches/cairo-CVE-2020-35492.patch | 49 +++++++++++++++++++++++++ 4 files changed, 99 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/cairo-CVE-2018-19876.patch create mode 100644 gnu/packages/patches/cairo-CVE-2020-35492.patch diff --git a/gnu/local.mk b/gnu/local.mk index c0020fad41..fd070d6791 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -871,6 +871,8 @@ dist_patch_DATA = \ %D%/packages/patches/blender-2.79-python-3.8-fix.patch \ %D%/packages/patches/bpftrace-disable-bfd-disasm.patch \ %D%/packages/patches/byobu-writable-status.patch \ + %D%/packages/patches/cairo-CVE-2018-19876.patch \ + %D%/packages/patches/cairo-CVE-2020-35492.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/calibre-remove-test-sqlite.patch \ %D%/packages/patches/calibre-remove-test-unrar.patch \ diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index ee2c91264f..9fc4967181 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -124,6 +124,7 @@ tools have full access to view and control running applications.") (package (name "cairo") (version "1.16.0") + (replacement cairo/fixed) (source (origin (method url-fetch) (uri (string-append "https://cairographics.org/releases/cairo-" @@ -174,6 +175,15 @@ affine transformation (scale, rotation, shear, etc.).") (license license:lgpl2.1) ; or Mozilla Public License 1.1 (home-page "https://cairographics.org/"))) +(define cairo/fixed + (package + (inherit cairo) + (source (origin + (inherit (package-source cairo)) + (patches (append (search-patches "cairo-CVE-2018-19876.patch" + "cairo-CVE-2020-35492.patch") + (origin-patches (package-source cairo)))))))) + (define-public cairo-sans-poppler ;; Variant used to break the dependency cycle between Poppler and Cairo. (package/inherit cairo @@ -181,8 +191,7 @@ affine transformation (scale, rotation, shear, etc.).") (properties `((hidden? . #t))))) (define-public cairo-xcb - (package - (inherit cairo) + (package/inherit cairo (name "cairo-xcb") (inputs `(("mesa" ,mesa) diff --git a/gnu/packages/patches/cairo-CVE-2018-19876.patch b/gnu/packages/patches/cairo-CVE-2018-19876.patch new file mode 100644 index 0000000000..c0fba2ecaa --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2018-19876.patch @@ -0,0 +1,37 @@ +Copied from Debian. + +From: Carlos Garcia Campos +Date: Mon, 19 Nov 2018 12:33:07 +0100 +Subject: ft: Use FT_Done_MM_Var instead of free when available in + cairo_ft_apply_variations + +Fixes a crash when using freetype >= 2.9 + +[This is considered to be security-sensitive because WebKitGTK+ sets its +own memory allocator, which is not compatible with system free(), making +this a remotely triggerable denial of service or memory corruption.] + +Origin: upstream, commit:90e85c2493fdfa3551f202ff10282463f1e36645 +Bug: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5 +Bug-Debian: https://bugs.debian.org/916389 +Bug-CVE: CVE-2018-19876 +--- + src/cairo-ft-font.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c +index 325dd61..981973f 100644 +--- a/src/cairo-ft-font.c ++++ b/src/cairo-ft-font.c +@@ -2393,7 +2393,11 @@ skip: + done: + free (coords); + free (current_coords); ++#if HAVE_FT_DONE_MM_VAR ++ FT_Done_MM_Var (face->glyph->library, ft_mm_var); ++#else + free (ft_mm_var); ++#endif + } + } + diff --git a/gnu/packages/patches/cairo-CVE-2020-35492.patch b/gnu/packages/patches/cairo-CVE-2020-35492.patch new file mode 100644 index 0000000000..e8b90fa5c5 --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2020-35492.patch @@ -0,0 +1,49 @@ +Copied from Debian. + +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +[trimmed test case, since not used in Debian build] + +--- + src/cairo-image-compositor.c | 8 ++-- + +--- cairo-1.16.0.orig/src/cairo-image-compositor.c ++++ cairo-1.16.0/src/cairo-image-compositor.c +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_rende + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_rende + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_rende + #endif + } + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else { + *m++ = spans[0].coverage; -- cgit v1.2.3