openSUSE has issued an advisory on July 19:
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00042.html
Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Different maintainers, assigning globally, CC'ing Shlomi & wally.
CC: (none) => jani.valimaa, shlomif
Assignee: bugsquad => pkg-bugs
There is also CVE-2017-7475 (see bug 23143).
CC: (none) => nicolas.salguero
According to Gentoo, CVE-2017-9814 does not affect 1.16.0 and above. openSUSE seems to confirm this, because they removed the patch when updating their package to version 1.16.0.
Suggested advisory:
========================
The updated packages fix a security vulnerability:
Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash. (CVE-2017-7475)
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7475
https://lists.opensuse.org/opensuse-updates/2018-05/msg00036.html
http://lists.suse.com/pipermail/sle-security-updates/2018-May/004095.html
https://lists.opensuse.org/opensuse-updates/2018-07/msg00002.html
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00042.html
========================
Updated packages in core/updates_testing:
========================
lib64cairo2-1.16.0-2.1.mga7
lib(64)cairo-devel-1.16.0-2.1.mga7
lib(64)cairo-static-devel-1.16.0-2.1.mga7
from SRPM:
cairo-1.16.0-2.1.mga7.src.rpm
Summary: cairo new security issue CVE-2017-9814 => cairo new security issue CVE-2017-7475
CVE: (none) => CVE-2017-7475
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Source RPM: cairo-1.16.0-3.mga8.src.rpm => cairo-1.16.0-2.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
PoC: https://bugzilla.suse.com/show_bug.cgi?id=1036789#c7
Before update:
$ hb-view 1.ttf hello
Segmentation fault (core dumped)
After update:
$ hb-view 1.ttf hello
$
Very good.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0359.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED