Bug 28084

Summary: cairo new security issue CVE-2020-35492
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: cairo-1.16.0-2.1.mga7.src.rpm CVE: CVE-2020-35492
Status comment:

Description David Walser 2021-01-13 18:57:47 CET 
Debian-LTS has issued an advisory on January 6:
https://www.debian.org/lts/security/2021/dla-2518

Mageia 7 is also affected.
David Walser 2021-01-13 18:58:03 CET

Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2021-01-13 19:22:18 CET 
Fix pushed in mageia cauldron.

CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 2 Nicolas Lécureuil 2021-01-13 19:27:47 CET 
Fix pushed in mga7

src:
    cairo-1.16.0-2.2.mga7

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2021-01-13 19:45:59 CET 
Advisory:
========================

Updated cairo packages fix security vulnerability:

LibreOffice slideshow aborts with stack smashing in cairo’s composite_boxes
(CVE-2020-35492).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35492
https://www.debian.org/lts/security/2021/dla-2518
========================

Updated packages in core/updates_testing:
========================
libcairo2-1.16.0-2.2.mga7
libcairo-devel-1.16.0-2.2.mga7
libcairo-static-devel-1.16.0-2.2.mga7

from cairo-1.16.0-2.2.mga7.src.rpm

Status comment: Patches available from upstream => (none)

Comment 4 Thomas Andrews 2021-01-14 00:00:08 CET 
Created a short slide show in Libreoffice Impress with 12 slides. Used the slideshow function, but did not visibly trigger any problems. 

Updated lib64cairo2. No installation issues. Ran the slide show again, with no issues noted.

urpmq --whatrequires lib64cairo2 reveals a very long list. The Gimp is on it, as is Firefox, and cairo-dock.

Ran The Gimp with a complex image consisting of over 70 layers of graphics and text, with no issues. Cairo-dock was already installed on one test machine during a previous test of it, and there were no regressions with any of the 2D rendering. Firefox is being used to make this report, with no regressions noted.

I'm going to call this OK, and validate. Advisory in Comment 3.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Aurelien Oudelet 2021-01-14 14:43:09 CET 
Advisory pushed to SVN.

CVE: (none) => CVE-2020-35492
CC: (none) => ouaurelien
Source RPM: cairo-1.16.0-5.mga8.src.rpm => cairo-1.16.0-2.1.mga7.src.rpm
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-01-14 16:15:02 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0028.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED