Bug 29582

Summary: cairo new security issue CVE-2019-6462
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: cairo-1.16.0-6.mga8.src.rpm CVE: CVE-2019-6462
Status comment:

Description David Walser 2021-10-23 15:36:00 CEST 
SUSE has issued an advisory on October 22:
https://lists.suse.com/pipermail/sle-security-updates/2021-October/009644.html
David Walser 2021-10-23 15:36:14 CEST

Status comment: (none) => Patch available from upstream

Comment 1 Lewis Smith 2021-10-23 21:01:46 CEST 
No registered nor evident maintainer, so have to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-10-25 10:01:08 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized. (CVE-2019-6462)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6462
https://lists.suse.com/pipermail/sle-security-updates/2021-October/009644.html
========================

Updated packages in core/updates_testing:
========================
lib(64)cairo2-1.16.0-6.1.mga8
lib(64)cairo-devel-1.16.0-6.1.mga8
lib(64)cairo-static-devel-1.16.0-6.1.mga8

from SRPM:
cairo-1.16.0-6.1.mga8.src.rpm

Status: NEW => ASSIGNED
Status comment: Patch available from upstream => (none)
CVE: (none) => CVE-2019-6462
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2021-10-27 11:40:11 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
As stated in bug 28084, 
# urpmq --whatrequires lib64cairo2
returns a long list
picked out caja and run
strace -o libcairo.txt caja
and checked and found references to libcairo lob files.
Works OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-10-27 22:19:47 CEST 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-29 18:38:16 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2021-10-29 21:33:44 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0497.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED