Bug 28084 - cairo new security issue CVE-2020-35492
Summary: cairo new security issue CVE-2020-35492
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-01-13 18:57 CET by David Walser
Modified: 2021-01-14 16:15 CET
CC List: 4 users

See Also:
Source RPM: cairo-1.16.0-2.1.mga7.src.rpm
CVE: CVE-2020-35492
Status comment:
Description David Walser 2021-01-13 18:57:47 CET
Debian-LTS has issued an advisory on January 6:
https://www.debian.org/lts/security/2021/dla-2518

Mageia 7 is also affected.
David Walser 2021-01-13 18:58:03 CET

Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2021-01-13 19:22:18 CET
Fix pushed in mageia cauldron.

CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 2 Nicolas Lécureuil 2021-01-13 19:27:47 CET
Fix pushed in mga7

src:
    cairo-1.16.0-2.2.mga7

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2021-01-13 19:45:59 CET
Advisory:
========================

Updated cairo packages fix security vulnerability:

LibreOffice slideshow aborts with stack smashing in cairo’s composite_boxes
(CVE-2020-35492).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35492
https://www.debian.org/lts/security/2021/dla-2518
========================

Updated packages in core/updates_testing:
========================
libcairo2-1.16.0-2.2.mga7
libcairo-devel-1.16.0-2.2.mga7
libcairo-static-devel-1.16.0-2.2.mga7

from cairo-1.16.0-2.2.mga7.src.rpm

Status comment: Patches available from upstream => (none)

Comment 4 Thomas Andrews 2021-01-14 00:00:08 CET
Created a short slide show in LibreOffice Impress with 12 slides. Used the slideshow function, but did not visibly trigger any problems.

Updated lib64cairo2. No installation issues. Ran the slide show again, with no issues noted.

urpmq --whatrequires lib64cairo2 reveals a very long list. The Gimp is on it, as is Firefox, and cairo-dock.

Ran The Gimp with a complex image consisting of over 70 layers of graphics and text, with no issues. Cairo-dock was already installed on one test machine during a previous test of it, and there were no regressions with any of the 2D rendering. Firefox is being used to make this report, with no regressions noted.

I'm going to call this OK, and validate. Advisory in Comment 3.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Aurelien Oudelet 2021-01-14 14:43:09 CET
Advisory pushed to SVN.

CVE: (none) => CVE-2020-35492
CC: (none) => ouaurelien
Source RPM: cairo-1.16.0-5.mga8.src.rpm => cairo-1.16.0-2.1.mga7.src.rpm
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-01-14 16:15:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0028.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED